That’s the reality – and it’s increasingly apparent in LinkedIn news feeds, expert reports, and recent studies on cybersecurity. For the professionals working at the heart of IT security, a change is coming, or perhaps it’s more accurate to say that something new is now expected of them. They are no longer solely tasked with managing servers or dealing with CVEs; instead, they must contribute to their group’s resilience and strategic value. This value is increasingly dependent on the CIO’s ability to act as a unifying force, rather than merely as an IT operator.
Communicating to reduce the risk
Cyber risk goes far beyond technical equipment; today, it involves cognitive and organizational factors. Attackers rely on persuasive techniques to get an employee to click, a manager to break a rule, or senior management to take urgent action. CIOs are now up against strategic experts in the art of influence. So when it comes to messages, judgment calls, and human decision-making, that’s exactly where CIOs must act to reduce risk across the company.
We are seeing a growing number of communication training courses aimed at CIOs and CISOs. That’s no coincidence. More than a mere soft skill, communication is now a prerequisite: a new skillset to draw on to change habits, create automatic responses, normalize doubts, and encourage reporting.
And just like any good advertisement, it’s not the information that matters: it’s the storytelling and the impression it makes. Its power doesn’t lie in what it explains, but in the impact it has. We are more likely to remember Christelle from the marketing department, whose salary was paid into the wrong account on two different occasions, than the email from the IT department urging us to look out for email scams.
This isn’t about telling people what to do. The first step is to create a lasting memory to counteract the element of surprise when the situation arises again.
A good story is never unique
The impact of a message depends as much on its content as on its adaptability to its audience.
The real key to engagement lies in the skill of telling the same story while tailoring it to various audiences.
To engage different employees, the CIO must be able to translate risk into impacts and emphasize why it matters to each party. When speaking to the executive committee, the reactions to the statement that “We have discovered an RCE vulnerability on a server that supports critical activity” won’t be the same as the reactions when hearing that “Protecting these servers is a Level 1 priority which requires swift action to ensure customer satisfaction, avoid significant financial penalties, and maintain the support of our investors in the event of an incident.”
In one example, information is shared; in the other, a decision becomes possible. As the interface of the entire system (management, business lines, subsidiaries, IT, partners), the CIO must identify what triggers a reaction and, through a trickle-down effect, sparks action. The CIO’s role is no longer limited to deploying solutions or enforcing rules. Instead, it involves using the right tools, at the right level, to elicit appropriate behaviors, transforming isolated actions into a shared culture of risk.
The issue is bandwidth, rather than motivation
The ability to communicate effectively is becoming an integral part of the CIO’s role in risk management. Storytelling doesn’t replace tools or safeguards, but gives them collective reach, influencing behavior far beyond the world of IT.
One major issue still needs to be addressed: the bandwidth required to tackle these issues in roadmaps and diaries that are already pretty full. There is genuine awareness that risk management must be carried out at company level. But CISOs are already under pressure and most do not feel sufficiently supported by management. The answer may lie in working with a third party to address these issues in the long term.