Last Updated on February 4, 2025
The ability to communicate effectively is a huge success factor for many executives. As an IT leader, you may be accustomed to thinking in terms of risk. But how well does the discussion go when you "talk risk" to a C-suite audience?
Especially when the risk is fuzzy or guesstimated, you could be met with a lot of skepticism (or worse, glazed looks!). How do you counter those tendencies and get your point across?
On a recent episode of The Virtual CISO Podcast, business coach John Sheridan, author of the best-seller, The Perfect Business: Master the 9 Systems to Get Control, Work Less, and Double Your Profit, shared some great advice on how to talk about risk to senior executives in a relatable, compelling way.
As show host John Verry, Pivot Point Security's CISO and Managing Partner, notes, "It's easier to pitch the value creation side of the argument. Because it naturally translates into more easily quantifiable numbers, right? Three more customers, retaining 40% more customers… whatever that might be."
"On the risk side, risk is probability times impact," continues John. "Both of those are fuzzy things. What would the impact be? How many clients would we lose? Those are hard questions to answer. We might not know that answer. What's the probability that we're going to get breached? What's the probability we're going to have an earthquake? Some stuff is actuarial table based, but most isn't in our field."
CFOs are People Too
"So, I think we have to remember, contrary to stories you might have heard, that CFOs are human beings, right? And we are wired for stories," John Sheridan points out. "So, I would ask, what's the great metaphor?"
As an example, John Sheridan cites the brutal winter 2020 storm event in Texas: "Tremendously bad things happened because, in large part, they weren't prepared. It was an event they thought would never happen, or maybe was low risk, so why bother investing?"
"'So, Mr. CFO, I was thinking about what happened in Texas last month, and I was thinking about our exposure. Do you think we ought to be a little more careful about what we're doing?'" John Sheridan pantomimes. "In other words, tie something that's relatable into the risk, that is maybe not a number, but that is something they can understand."
John Sheridan adds: "I view it as analogous to insurance in many ways, right? There's a range of possible outcomes, and there's no such thing as 100%. But, I think, in that pitch, not so much telling, more asking. 'How do you feel about this potential outcome? Is this something that you would find acceptable if it happened?'"
An Acceptable Risk
What about getting somebody to sign off on the risk, if they're not eager to mitigate it? As John Verry suggests,
"It's like, 'Hey, my role as InfoSec Director is to identify risk. I've identified a risk, which to me looks like it would be unacceptable. You're saying that you don't want to fund [mitigating] it, which means you're saying this risk is acceptable. Am I understanding that correctly? Will you shoot me an email that says that? Because I need to document that we considered this risk, and that you indicated that you didn't want to mitigate said risk.'"
"Yeah, that's classic CYA, right?" John Sheridan replies. "But I think you've got to choose your tone and your language carefully when you pitch that, right?"
What role could your company's processes and procedures play in helping with this? John Verry observes: "In ISO 27001, as an example, you have this construct of an information security management team. And this governance of an ISMS committee being presented with data, and making a decision. And documenting those decisions is just… that's the process. And fundamentally, it's a great process."
"So, if I just walked in and said, 'Well, you're going to have to sign off on that.' Yeah, that might not fly, especially if that guy signs your paycheck," comments John Verry. "But, if we've architected a process that we agree is the best way to run our company, that kind of protects both of us, right?"
"Think about the consequences of not having that process, and something goes wrong, and the CEO asks the IT chief, 'So what's our process for this?' There's shrugs all around, heads roll. So, yeah, absolutely, there's no substitute for [process]. Not just for the butt coverage aspect of this that we're kind of joking about. But, just from the practical standpoint of, these are consequences that we are going to face at some point or another. We know that bad things are going to happen, right? This is anticipated. But, without a process, there's no discipline to address it in any kind of timely, or specific schedule, or in a specific way."
What's Next?
If you're an IT or security leader looking to shine in conversations with senior management, you'll love this show with business coach and author John Sheridan.
Ready to hear the show in its entirety? Click here. If you don't use Apple Podcasts, you can access all our podcast episodes here.