A CISO’s Playbook for Security Comms (with Jeffrey Brown)

Veteran CISO Jeffrey Brown shares a practical security communications playbook - BLUF, metrics with a job, and a non-judgmental report-button culture that changes behavior.

Show Notes

Security leaders don’t need more slides - they need messages that move budgets, influence behavior, and reduce risk.

In this episode, host Eliot Baker sits down with CISO and author Jeffrey Brown to unpack a practical security communications playbook: BLUF, metrics with a job, and how to build a report-button culture without blame.

What you’ll learn in this episode:

  • How to use Bottom Line Up-Front (BLUF) to get faster decisions from executives and the board - and when not to.
  • Turning “security talk” into business outcomes: mapping risk to revenue, resilience, and cost.
  • Metrics that matter: designing KPIs that show behavior change, not just completion rates.
  • Building a non-judgmental reporting culture (and why “Report > Don’t Click” works).
  • Instant feedback loops: faster reinforcement without punishment in phishing drills.
  • Story-first, stat-supported narratives that land across technical and non-technical audiences.
  • Practical cadences and mediums: what to send to execs, managers, and the whole org and how often.
  • Using analogies (brakes & airbags) to make layered defense memorable and actionable.

Timestamps:

  • (00:00) Introduction and Guest Introduction
  • (01:25) Jeffrey Brown's Background and Career Path
  • (03:22) The Importance of Communication in Cybersecurity
  • (06:10) Effective Cyber Awareness Strategies
  • (09:12) Challenges and Solutions in Cybersecurity Training
  • (25:48) The New Mandate for Security Leaders
  • (26:47) Effective Communication Strategies
  • (30:14) Building Influence and Relationships
  • (34:11) Crisis Communication and Incident Response
  • (39:34) Engaging with the Board and Continuous Improvement

Full Conversation Breakdown

In this episode of All Things Human Risk Management, host Eliot Baker sits down with veteran CISO and author Jeffrey W. Brown to unpack a practical playbook for communicating security so it actually influences behavior, budgets, and board decisions.

The new mandate for security leaders

Security is a business issue and CISOs must communicate across every audience - from admins to the board. Keep messages at the right altitude for who’s in the room.

“Connect at the level your audience needs - resist the tech deep-dive.”

BLUF to boardroom

Lead with the decision/request, then the why. BLUF shortens exec conversations and speeds outcomes.

“Put the bottom line up front - sometimes that’s all they need.”

Make risk real (in business terms)

Boards understand risk - credit, market, operational. Frame cyber as operational risk with concrete impact (e.g., dollars per minute if a claims system is down).

“Translate ‘patch CVE’ into ‘avoid fines and downtime in system X.’”

People don’t buy airbags - they buy cars

Use simple metaphors to explain layered controls (brakes = prevention, airbags = mitigation, recalls = incident response). It’s memorable and non-technical.  

“Metaphors make security relatable and sticky.”

Culture as a control

Psychological safety beats punishment. Reward the right behavior and make reporting a social norm (even trophies or recognition).  

“Job well done isn’t deleting the phish - it’s reporting it.”

Reporting > Don’t Click (and instant feedback)

Design communications that build a report-button habit and close the loop fast with user feedback on real threats.  

“Reinforce the behavior in the moment it happens.”

Relevance and repetition

Send messages that match actual risks (tie to IR data) and repeat core points 7-14 times to make them stick.  

“Simple, repeatable, relevant beats one big October blast.”

Channels, cadence, and clarity

Use visuals and concise language; mix depth for mixed audiences but avoid unnecessary detail.

“Right message, right medium, right amount.”

Feedback is a gift

Close the loop with short surveys and qualitative input; perception is reality, so use it to refine the message.

“Bad feedback beats no feedback - iterate the message.”

Crisis communication that holds up

Have a tested IR plan, speak only to facts, and avoid speculation under pressure.  

“Tabletop before the breach; in the breach, stick to verifiable facts.”

Metrics with a job

Ditch vanity counts (“5B blocks”). Give each metric a job: show progress, drive behavior, or inform a decision - and pair it with a narrative.

“If you can’t answer ‘so what?,’ it’s the wrong metric or the wrong story.”

Takeaways you can implement this quarter

  • Ship a one-page BLUF template for exec updates and board decks.
  • Launch a Report > Don’t Click micro-campaign with recognition for reporters; add instant feedback on real-threat reports.  
  • Add the car safety analogy to all-hands and manager briefings to explain layered defense.
  • Tie awareness topics to current incidents (IR → comms loop) and repeat key behaviors throughout the year.
  • Replace vanity KPIs with behavioral ones (verification/reporting rate, time-to-report) and pair each with a short story.
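As an added illustration of the last takeaway (not code from the episode or from Hoxhunt), the snippet below computes the behavioral KPIs named above from a constructed phishing-simulation record: report rate, click rate, how many clickers still reported, and median time-to-report. The data model and field names are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class SimEvent:
    """One user's outcome for a single phishing-simulation send (assumed schema)."""
    user: str
    sent_at: datetime
    clicked_at: Optional[datetime] = None
    reported_at: Optional[datetime] = None


# Constructed sample: one simulated phish sent to six users (not real data).
T0 = datetime(2024, 10, 1, 9, 0)
SAMPLE = [
    SimEvent("alice", T0, reported_at=T0 + timedelta(minutes=4)),
    SimEvent("bob", T0, clicked_at=T0 + timedelta(minutes=2)),
    SimEvent("carol", T0, clicked_at=T0 + timedelta(minutes=3),
             reported_at=T0 + timedelta(minutes=10)),
    SimEvent("dave", T0),  # ignored the mail: neither clicked nor reported
    SimEvent("erin", T0, reported_at=T0 + timedelta(minutes=30)),
    SimEvent("frank", T0, reported_at=T0 + timedelta(minutes=90)),
]


def behavioral_kpis(events: list[SimEvent]) -> dict:
    """Return the 'metrics with a job' for one send: each value answers a question
    a manager would actually ask, rather than counting what the filter blocked."""
    total = len(events)
    reported = [e for e in events if e.reported_at is not None]
    clicked = [e for e in events if e.clicked_at is not None]
    # Report > Don't Click: a user who clicked and then reported is still counted
    # as a reporter, so the metric rewards the habit instead of punishing the slip.
    clicked_then_reported = sum(1 for e in clicked if e.reported_at is not None)
    minutes_to_report = [(e.reported_at - e.sent_at).total_seconds() / 60
                         for e in reported]
    return {
        "report_rate": len(reported) / total,          # did people use the button?
        "click_rate": len(clicked) / total,            # how exposed were we?
        "clicked_then_reported": clicked_then_reported,  # did the culture hold after a slip?
        "median_time_to_report_min": median(minutes_to_report) if minutes_to_report else None,
    }


if __name__ == "__main__":
    print(behavioral_kpis(SAMPLE))
```

Run the same function against consecutive sends and the quarter-over-quarter deltas become the "so what" behind each number.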