Security that isn't communicated is security that doesn't exist

The right risk picture isn't enough if leadership can't act on it. How to reach decisions upward and behaviour downward.

Governance · 8 min read

There’s a reality most security professionals recognise. The risk assessment is done. The threat picture is documented. The recommendations are ready. And yet nothing happens.

Not because leadership doesn’t care. But because the message never landed. It got lost in the noise of other decision papers, other priorities, other languages.

This isn’t a communication problem in the margins. It’s a governance problem at the core.

Translation isn’t enough

The most common advice for security professionals trying to reach their board is to “translate technical language into business language”. It sounds reasonable. But it’s only half the truth.

Translation solves the problem that the audience doesn’t understand the words. It doesn’t solve the problem that the audience has no basis for making a decision.

A CFO who hears “we need to upgrade our endpoint detection” and understands it’s about intrusion protection still has no basis to say yes or no. What does it cost not to do it? How likely is it? What’s the expected loss?

Without those numbers, cybersecurity becomes a cost to minimise, not an investment to justify. And costs always move down the priority list.

It’s not enough that leadership understands what you’re saying. They need to understand what it costs not to act — in money, in probability, in business impact.

Three rooms, three languages

An organisation doesn’t have one audience. It has hundreds. And they exist in fundamentally different realities. What works in a meeting with IT doesn’t work in the boardroom. What works in the boardroom doesn’t work on the office floor.

The boardroom: decisions need evidence

Leadership teams and boards make decisions based on risk, cost and business consequence. They’re used to weighing investments against returns and prioritising between competing needs.

But cybersecurity is rarely presented in that format. Instead, leadership hears about threat landscapes, technical vulnerabilities and regulatory requirements. All relevant. But none of it answers the question leadership is actually asking: what happens if we don’t do this, and what does it cost?

There’s a pattern that works. Instead of saying “we need better network segmentation”, you can say: “our current exposure represents an estimated loss risk of 8 million SEK per year. This measure reduces the probability from 12 to 3 percent and costs 400,000 SEK to implement.”

Suddenly it’s not a security conversation any more. It’s a business conversation. And business conversations lead to decisions.
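The arithmetic behind that sentence is worth making explicit, because it is what turns a technical recommendation into a decision input. The following is an added example, not code from the article or from its author: it takes the article's own figures (8 million SEK annual exposure, probability falling from 12 to 3 percent, 400,000 SEK cost) and computes the residual risk, the risk reduction and a return-on-security-investment figure, then ranks several measures the same way. The assumption, mine and not stated in the article, is that the "8 million SEK per year" is an annualised expected loss (probability of a loss event times the loss if it occurs) and that the measure changes only the probability. The two additional measures are constructed for illustration.

```python
"""Added example (not from the article): expressing a security measure as
expected-loss arithmetic so a leadership team can say yes or no.

Assumption (mine, not the article's): the stated "8 million SEK per year"
is an annualised expected loss = P(event in a year) * loss if it happens,
and the measure changes the probability but not the loss magnitude.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskCase:
    name: str
    loss_if_event_sek: float   # single-event loss magnitude
    p_before: float            # annual probability before the measure
    p_after: float             # annual probability after the measure
    cost_sek: float            # cost of the measure over the same period


def expected_loss(loss_if_event_sek: float, p_annual: float) -> float:
    """Annualised expected loss: probability of the event times its loss."""
    return loss_if_event_sek * p_annual


def implied_loss_magnitude(expected_loss_sek: float, p_annual: float) -> float:
    """Back out the single-event loss from a stated annual expected loss."""
    return expected_loss_sek / p_annual


def risk_reduction(case: RiskCase) -> float:
    """How much annual expected loss the measure removes."""
    return (expected_loss(case.loss_if_event_sek, case.p_before)
            - expected_loss(case.loss_if_event_sek, case.p_after))


def rosi(case: RiskCase) -> float:
    """Return on security investment: (risk reduction - cost) / cost.
    Negative means the measure costs more than the exposure it removes."""
    return (risk_reduction(case) - case.cost_sek) / case.cost_sek


def board_summary(case: RiskCase) -> str:
    """The article's pattern: exposure, probability change, cost, in one sentence."""
    before = expected_loss(case.loss_if_event_sek, case.p_before)
    return (f"{case.name}: current exposure is an estimated loss risk of "
            f"{before:,.0f} SEK per year. This measure reduces the probability "
            f"from {case.p_before:.0%} to {case.p_after:.0%}, removes "
            f"{risk_reduction(case):,.0f} SEK of annual expected loss and costs "
            f"{case.cost_sek:,.0f} SEK to implement (ROSI {rosi(case):.1f}).")


def rank_by_rosi(cases: list[RiskCase]) -> list[RiskCase]:
    """Order competing measures the way a leadership team weighs investments."""
    return sorted(cases, key=rosi, reverse=True)


# The article's numbers: 8 MSEK/year exposure at 12% -> 3%, costing 400 kSEK.
SEGMENTATION = RiskCase(
    name="Network segmentation",
    loss_if_event_sek=implied_loss_magnitude(8_000_000, 0.12),
    p_before=0.12,
    p_after=0.03,
    cost_sek=400_000,
)

# Constructed comparison cases (not from the article), one of which does not pay off.
CASES = [
    SEGMENTATION,
    RiskCase("MFA rollout", 20_000_000, 0.10, 0.02, 1_500_000),
    RiskCase("Extra DLP appliance", 2_000_000, 0.05, 0.01, 500_000),
]

if __name__ == "__main__":
    for case in rank_by_rosi(CASES):
        print(board_summary(case))
```

Ranked this way, the segmentation measure removes roughly 6 million SEK of annual expected loss for 400,000 SEK, while the constructed DLP case has a negative return and is the kind of item a CFO can legitimately decline. The point is not the precision of the inputs but that the measure is now phrased as an investment with a return rather than a cost to be minimised.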

Elmesed Smaka made this point recently on LinkedIn: “Translation helps. But quantification wins.” The best communicator in the room can fail to move the decision forward if they don’t put numbers on the risk. Not vague numbers. Real numbers.

As we described in The law won’t protect your business: it’s leadership that must approve risk management measures, verify they work and understand what’s at stake. But to do that, they need inputs they can act on — not information they have to interpret.

Operations: behaviour needs understanding

Out in the organisation, reality looks different. Staff live in tasks, deadlines and everyday decisions. Security competes with everything else that demands attention and almost always loses if it feels abstract.

Behavioural research shows that three factors need to be present simultaneously for behaviour to change: capability, opportunity and motivation. A person needs to be able to do the right thing, have the practical conditions to do it, and understand why it’s worth doing. If any part is missing, you get information without behaviour change.

Petra Jonsson from Secify highlighted this COM-B model in a webinar hosted by Cybernoden on communication strategies for cybersecurity — a presentation that heavily inspired this perspective.

A policy that says “report incidents” won’t lead to reporting if the process takes ten minutes, if the culture signals it’s a hassle, or if the employee doesn’t understand what counts as an incident. We know smoking kills. People still smoke.

What works in operations is concrete behaviours in concrete situations. Not “work securely” but “lock your computer when you leave your desk”. Not “watch out for phishing” but “hit the report button in your email client if something feels off”.

The coordinator: mandate needs visibility

Between leadership and operations, there’s often one person — the information security coordinator — responsible for holding it all together. Without a formal mandate. Without a budget. Without a seat in the leadership group.

That person needs a different kind of communication. Upward, they need to present risks in terms that lead to decisions. Downward, they need to explain requirements in terms that lead to action. And in both directions, they need visibility — because a function nobody sees is a function without influence.

Information isn’t communication

There’s a fundamental distinction that’s often overlooked: sending a message isn’t the same as communicating. Communication requires the recipient to receive, understand and have the conditions to act.

Most security initiatives stop at information. Policies are sent out. Training is delivered. Emails with new guidelines are distributed. Then the organisation assumes the job is done.

But does anyone follow up? Does anyone know whether Kalle in accounting understood? Whether Lotta in customer service found it relevant? Whether the ops team actually changed how they work?

Psychologist James Reason developed the Swiss cheese model, which shows how incidents occur when multiple defence layers fail simultaneously. Communication that never reached the recipient is one such hole. It looks like the defence exists, but in practice it doesn’t work. The organisation only notices when something has already gone wrong.

ISO 27001 addresses this explicitly. The standard requires organisations to define what should be communicated, when, to whom and how — and to demonstrate that communication actually took place. But in practice, communication rarely gets the focus it deserves during an ISO implementation. Technical controls take priority.

Why cybersecurity communication deserves its own strategy

There’s an objection that always comes up: does security communication really need separate treatment?

The answer is that other areas like finance and HR already have universal understanding across the organisation. People grasp budgets and costs and employment law at a basic level. It runs like nerves through the business.

But cybersecurity is still in a different position. It’s confined to a few individuals’ desks. Everyone else is expected not to understand or care. Security communication has an extra barrier: establishing basic relevance before it can communicate specific requirements.

Five components of a simple communication architecture

A communication framework for information security doesn’t need to be large. It needs to be sustainable.

Rhythm. How often do security topics appear in the organisation? Not just during incidents or campaign weeks. Regularity creates recognition. Recognition creates trust.

Voice. How does the organisation sound when it talks about security? Is the tone threatening and legalistic, technical and jargon-heavy, or human and supportive? Voice is about the relationship you want with the recipient.

Reach. Where are people already? Security messages that only exist in policy documents on the intranet reach those who are already looking. You need to be where staff actually are: in Teams, in meetings, by the coffee machine.

Repertoire. A few messages that recur. Not new slogans every time. Recognition over time turns security into something familiar rather than something new to deal with each time.

Response plan. How do you communicate the day something actually happens? When stress is high and time is short. That’s too late to start thinking about tone, responsibility and messaging.

Quantify upward, make it concrete downward

If there’s one pattern running through all of this, it’s this: communication upward needs quantification. Communication downward needs concreteness.

Upward, it’s about giving leadership inputs they can act on. Risks expressed in currency and probabilities. Measures linked to reduced exposure. Not “we should” but “this costs X not to do and Y to implement”.

Downward, it’s about giving operations actions they can perform. Everyday behaviours, not abstract principles. And above all: an explanation of why. Every policy should begin with a short description of why it exists and why it matters to the reader.

The middle segment — coordinators, department heads, system owners — needs both. They need to understand the business consequence to anchor upward and the practical meaning to explain downward.

From control to co-creation

How we communicate about security reflects how we see people in the organisation.

If communication is primarily about what people do wrong, what they must stop doing and what consequences await, we signal that security is about control. But most people don’t make mistakes because they want to sabotage. They make mistakes because the system around them doesn’t give them the right conditions.

An organisation that shifts from control to co-creation makes a decisive move. People contribute when they know what to do, when doing the right thing is easier than doing the wrong thing, and when they understand that their actions actually make a difference.

Show that contributions are noticed. Thank people for reporting. Highlight good examples. Give feedback not just when things go wrong, but when they go right.

It doesn’t start with more emails

The problem is rarely that the organisation communicates too little about security. The problem is that communication isn’t adapted to the recipient’s reality, doesn’t lead to action and isn’t sustained over time.

As we noted in a previous analysis: Sweden doesn’t lack expertise, reports or awareness. What’s missing is systemic change.

And that change requires cybersecurity to be communicated as what it actually is: a business question upward, an everyday question downward, and a governance question in the middle.

If your communication doesn’t lead to decisions upward and behaviour downward, you don’t have a communication problem. You have a governance problem that looks like a communication problem.


Author

Kim Borg

Founder & CEO

25+ years of experience in IT leadership, from software developer and Scrum Master to IT Director and Group CIO. Deep expertise in ISO 27001, NIS2, risk management, and information security governance. Educated in ISMS at the University of Skovde.
