FEATURED WEBINAR

The Security Communications Playbook

September 4, 2025
Multiple sessions

Year-round comms strategies & Cyber Awareness Month tips from Jeffrey Brown, Security Advisor at Microsoft

Eliot Baker
Director of Content Marketing at Hoxhunt
Jeffrey Brown
CISO Advisor (CSO) -- Financial Services, Microsoft

Executives don’t buy airbags. They buy cars. And employees don’t respond to fear. They respond to clear, approachable communication.

That’s the philosophy of Jeffrey Brown, former CISO of multiple Fortune 500 companies and the State of Connecticut, currently CISO Advisor (CSO) for Financial Services at Microsoft, and author of The Security Leader’s Communication Playbook. A Communications graduate and journalist-turned-infosec-leader, Jeff has been operating and reporting on the cybersecurity frontlines since the 1990s. He knows how to bridge the communications gaps between technical risk, business needs, and human behavior.

In this exclusive Hoxhunt webinar, Jeff will share his top communication strategies for CISOs and security awareness leaders — from the boardroom to the breakroom — and his favorite tips for running a meaningful October Cybersecurity Awareness Month campaign. Some topics we may cover include:

🔥 What You’ll Learn

  • Jeff’s Top 3 Communication Tips for CISOs
    • Bottom Line Up-Front (BLUF)
    • Knowing your audience: Boards vs. Sales vs. Everyone Else
    • Speaking the language of business risk (cars, not airbags)
  • How to Maximize Cyber Awareness Month
    • Fresh ideas to make campaigns engaging and impactful
    • Avoiding “checkbox awareness” traps
    • How to extend awareness into culture year-round
  • The Keys to Effective Awareness Training
    • Keep the message continuous
    • Make security approachable
    • Use gamification for engagement
    • Reinforce positive behavior, not mistakes

This was one of our most well-received Hoxhunt webinars, with its perfect timing before Cyber Awareness Month and its playbook-style presentation on how to build upon that momentum with the right comms strategies for better engagement and stronger culture. Jeff shares actionable advice on BLUF (Bottom Line Up-Front), tailoring messages to boards vs. business vs. technical teams, using relatable metaphors (“cars, not airbags”), making reporting easy, building feedback loops, avoiding punitive training, measuring what matters, and practicing crisis communications with clarity and facts.

Topic: How security leaders communicate effectively—from the boardroom to the breakroom—and how to turn October Cyber Awareness Month into measurable, year-round behavior change.

Top takeaways:

  • Use BLUF and speak in business risk terms, not security jargon.
  • Know your audience and pick the right medium; repeat key messages.
  • Drive one-click reporting and reward the right behavior (report, then delete).
  • Turn October into 12 months of micro-learning and culture building.
  • Give metrics a job (tell a story, drive behavior); combine qualitative + quantitative.
  • In incidents, communicate only facts, capture lessons learned, and feed them back into plans.
  • Build psychological safety; avoid punitive approaches that suppress reporting.
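The measurement takeaways above (report rate, time-to-report, R/Y/G backed by numbers, a trend that answers “so what?”) are easy to state and easy to get wrong in a spreadsheet. The script below is an added example, not material from the webinar or from Hoxhunt: it computes those behavior metrics over constructed phishing-simulation events. The users, campaign names, timings and the R/Y/G thresholds are all assumptions for illustration; replace the thresholds with your own baseline and targets.

```python
"""Phishing-simulation behavior metrics: click rate, report rate, time-to-report,
a Red/Yellow/Green status with the numbers behind it, and a first-to-last trend.
Added example with constructed data; not from the webinar."""
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class SimEvent:
    """One recipient's outcome in one simulated phish.
    Times are minutes after the lure was sent; None means it never happened."""
    user: str
    campaign: str
    clicked_min: Optional[int]
    reported_min: Optional[int]


# Constructed sample data: hypothetical users and campaigns, not real results.
SAMPLE = [
    # September: clunky reporting workflow, few reports, several clicks
    SimEvent("u01", "2025-09", 3, None),
    SimEvent("u02", "2025-09", None, 5),
    SimEvent("u03", "2025-09", 8, 20),      # clicked, then reported: still counts as a report
    SimEvent("u04", "2025-09", None, None),
    SimEvent("u05", "2025-09", 12, None),
    SimEvent("u06", "2025-09", None, None),
    SimEvent("u07", "2025-09", None, None),
    SimEvent("u08", "2025-09", None, None),
    SimEvent("u09", "2025-09", None, None),
    SimEvent("u10", "2025-09", None, None),
    # October: one-click reporting rolled out and communicated as the only way
    SimEvent("u01", "2025-10", None, 2),
    SimEvent("u02", "2025-10", None, 4),
    SimEvent("u03", "2025-10", None, 7),
    SimEvent("u04", "2025-10", 9, 15),
    SimEvent("u05", "2025-10", None, 30),
    SimEvent("u06", "2025-10", None, 60),
    SimEvent("u07", "2025-10", None, None),
    SimEvent("u08", "2025-10", None, None),
    SimEvent("u09", "2025-10", None, None),
    SimEvent("u10", "2025-10", None, None),
]


def campaign_metrics(events, campaign):
    """Behavior metrics for one campaign. Report rate is measured against
    everyone who received the lure, not only those who clicked."""
    rows = [e for e in events if e.campaign == campaign]
    sent = len(rows)
    if sent == 0:
        raise ValueError(f"no events for campaign {campaign!r}")
    clicked = [e for e in rows if e.clicked_min is not None]
    reported = [e for e in rows if e.reported_min is not None]
    ttr = sorted(e.reported_min for e in reported)
    return {
        "campaign": campaign,
        "sent": sent,
        "click_rate": len(clicked) / sent,
        "report_rate": len(reported) / sent,
        "reported_without_click": sum(1 for e in reported if e.clicked_min is None),
        "first_report_min": ttr[0] if ttr else None,   # how long until the SOC hears about it
        "median_ttr_min": median(ttr) if ttr else None,
    }


def ryg_status(m, green_report=0.5, green_click=0.05, yellow_report=0.25):
    """Red/Yellow/Green rating derived from the numbers, so the color can be
    defended. Threshold values are assumptions for this example."""
    if m["report_rate"] >= green_report and m["click_rate"] <= green_click:
        return "GREEN"
    if m["report_rate"] >= yellow_report:
        return "YELLOW"
    return "RED"


def trend(events, campaigns):
    """Per-campaign metrics in chronological order plus the first-to-last change,
    which is the 'story' a leadership slide needs rather than a single snapshot."""
    series = [campaign_metrics(events, c) for c in campaigns]
    first, last = series[0], series[-1]
    return {
        "series": series,
        "click_rate_delta": last["click_rate"] - first["click_rate"],
        "report_rate_delta": last["report_rate"] - first["report_rate"],
    }


if __name__ == "__main__":
    t = trend(SAMPLE, ["2025-09", "2025-10"])
    for m in t["series"]:
        print(f'{m["campaign"]}: {ryg_status(m):6} report={m["report_rate"]:.0%} '
              f'click={m["click_rate"]:.0%} first report at {m["first_report_min"]} min, '
              f'median time-to-report {m["median_ttr_min"]} min')
    print(f'report rate change: {t["report_rate_delta"]:+.0%}, '
          f'click rate change: {t["click_rate_delta"]:+.0%}')
```

Two design points worth noting. Report rate is computed over everyone who received the lure, because “reported without clicking” and “clicked, then reported” are both the behavior you want and both belong in the numerator. The time-to-report figures are kept alongside the rate because a 60% report rate with a two-hour median tells the SOC something different from the same rate with a two-minute median.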

Q&A Condensed Transcript

Eliot Baker: Welcome, everyone. With Cyber Awareness Month around the corner, communications are top of mind. How do we communicate cyber up and across the organization in ways that engage and influence behavior? Today I’m thrilled to welcome Jeffrey Brown—the veteran CISO who literally wrote the books on leadership, communications, and culture in cybersecurity. He’s served as CISO at multiple Fortune 500s, was the first long-time CISO for the State of Connecticut, and is now a security advisor at Microsoft. Jeff, great to have you.

Jeff Brown: Thanks for inviting me, Eliot—excited for the conversation.

Eliot: We spoke years ago when I reviewed The Security Leader’s Communication Playbook (links in the comms). I highly recommend it—there aren’t many comms playbooks for security leaders, and yours is the best I’ve read. To start, could you share your path—from journalism to CISO?

Jeff: Sure. My background is journalism/publishing with an English minor—lots of communication. While at HarperCollins, I found myself doing IT, realized I preferred it, and taught myself cybersecurity in the ’90s. Journalism was “boot camp” for learning fast and explaining clearly—exactly what cyber demands as tech changes (AI, quantum, etc.). One of my favorite quotes: “If you can’t explain it simply, you don’t understand it well enough.” We often talk EDR, DLP, acronyms—eyes glaze over. We need to translate to risk and action for audiences that don’t live in security. CISOs are among the few roles that must communicate with everyone—from admins to the board.

Eliot: How critical is communication vs. pure technical strength?

Jeff: Critical. Important work crosses teams. You must influence business leaders (e.g., patching custom apps) and also talk to patching teams—two very different conversations. Communication is talking and feedback—confirming people actually understood, not just heard. And you must repeat messages—often 7–14 times—for them to stick.

Eliot: Last time you shared core concepts like BLUF and know your audience, and the metaphor “people don’t buy airbags; they buy cars.” Can you explain?

Jeff: Metaphors make security relatable. Everyone understands cars, brakes, airbags—no need to explain EDR. Businesses don’t exist for security; they exist to deliver value. Brakes = prevention; airbags/crumple zones = mitigation; recalls = incident response; seatbelts = baseline controls; check-engine = diagnostics. You might value safety, but you buy the car—security is an enabler, not the product. The metaphor helps people grasp layered controls and why there are many tools.

Eliot: Cyber Awareness Month is weeks away. What do you recommend for org-wide campaigns?

Jeff: Start with culture. In financial services, tech fluency is higher; in state government, the mix varies. Make messages simple, repeatable, clear, and begin with basics: Do people know how to report an incident? For phishing, don’t just teach “don’t click”—teach “report the phish.” Someone will click eventually; the reporter saves the day. Tailor by audience—tech teams need different depth than business. Great comms is more work for you: refine language, choose metaphors, keep it concise and engaging, and make the process easy (ideally one-click reporting). We overhauled a clunky email/attach workflow and saw usage soar—because it was as simple as Amazon’s “Buy Now.”

Eliot: Any standout CAM examples?

Jeff: When we simplified reporting, we communicated only the new way (no muddying with “old vs. new”). Result: a huge uptick in reports—from ~6 to 1,000 in the next exercise. That’s behavior change you can show to leadership.

Eliot: Measurement seems key.

Jeff: Exactly—create a feedback loop. Email blasts are one-way. Measure behavior (reporting rates, time-to-report) and correlate to your awareness push. Training should hardwire behaviors: how to report, who to call, what to do in emergencies.

Eliot: This is a vendor-neutral show, but I love hearing that reporting focus. It’s what leaders can show to boards: a campaign + a measurable behavior.

Jeff: Also, keep phishing exercises. Some push to stop them, but they train suspicion. Even pros click—especially on mobile and when busy. Avoid punitive responses. Punishment creates hiding, not reporting. We want reward and reinforcement. Reserve remediation for rare, willful cases.

Eliot: You’ve seen punitive programs. Effective?

Jeff: BLUF: Not effective. Examples: a canned voicemail from the CEO telling “you’ve fallen short”—psychologically damaging; or proposals to remove email for 2 weeks after a click. If your click-rate is 10–12% early on, that’d cripple the business. Also, zero clicks isn’t the goal—if it’s zero, your tests may be too easy. With gen-AI, phish quality is rising; aim for progress and trend improvement.

Eliot: Should AI/deepfakes be part of CAM?

Jeff: Yes. People know ChatGPT, but many don’t grasp voice cloning and deepfakes. Voice is no longer a reliable biometric for call-center auth. Use live demos (e.g., “which is the deepfake?”) to gamify learning. Emphasize process verification (callbacks, dual-control for wires). Awareness + practice beats reliance on media “proof.”

Eliot: Cyber doesn’t stop after October. How do you extend momentum to 12 months?

Jeff: Treat awareness as a comprehensive, continuous program: micro-learnings, live sessions, posters, courses—not a checkbox month. Repeat core messages (reporting, incident contacts) because of churn and forgetfulness. Tailor content to actual risk (e.g., travel-loss spiked? Do a laptop-safety push). Integrate with incident response data so awareness maps to what’s really happening.

Eliot: Let’s talk your playbook content—mindset and delivery.

Jeff: Security is a business issue. Use visuals sparingly but purposefully. Resist detail unless the audience needs it. Mindset matters: public speaking is a muscle—practice until comfortable. Know your audience and pick the right medium (some conversations cannot be a text or mass Zoom). For execs, BLUF is critical—open with the decision/request. Many times I’ve led with BLUF and gotten “Great—do it,” and we move on.

Jeff (cont.): Build influence before crises. Security works across divisions; relationships make execution possible. Frame cyber as operational risk; the board understands risk, but you must translate technology into business impact (e.g., claims processing patching to avoid regulatory fines/minute).

Jeff (metrics): Give metrics a job (tell progress, drive behavior). Avoid vanity stats (“5B attacks blocked”). Always answer “So what?” Combine quantitative + qualitative (R/Y/G with numbers). Aggregate over time to tell a trend story (e.g., phishing click from 30% → 5%).

Jeff (crisis comms): Incidents test CISOs. Preparation is key: tested plans, tabletops. Communicate only facts—no speculation—even under pressure. Capture lessons learned and feed back into plans for continuous improvement.

Jeff (culture): Culture will either eat strategy or be a force multiplier. Create psychological safety; partner with the business, don’t be “the department of no.” Reward and gamify the right behavior (we gave phishing-report trophies; employees evangelized the behavior for us). Invest in your team’s growth—training is never a waste.

Jeff (board engagement): Board talks are high-stakes—sometimes “quarterly job interviews.” Be candid, concise, factual. Don’t try to teach every tech detail; focus on incidents, strategy, investments, and progress. When asked “Why not patch everything?” explain risk-based practicality. Never misrepresent; build education over multiple sessions.

Jeff (communication superpowers): Practice makes progress. Pressure-test your message (explain it to a non-security spouse/friend). Active listening is #1—understand their world so you can connect, negotiate, and align priorities. Use storytelling (e.g., Target HVAC third-party example). Say no strategically to protect focus on what matters most.

Jeff (October tips wrap): Use storytelling, tailor messages, analogies, and actionable steps that rewire behavior (reporting, safe laptop use). Favor bite-sized training for engagement; make people look forward to the next installment.

Eliot: Fantastic. Before we wrap, what do you like to see reported to you from security awareness leaders?

Jeff: Close the feedback loop. Short surveys (really short) and behavior metrics. What resonated? What didn’t? Treat feedback as a gift—it enables change. Perception is reality; adjust accordingly.

Eliot: Great advice. Where can people find your books?

Jeff: Amazon and Routledge/CRC Press. The Security Leader’s Communication Playbook is for all security leaders, not just CISOs. Leading the Digital Workforce is broader IT leadership with lots of security relevance—including leading yourself first so you can lead others. I write actionable books—immediately useful, not theory tomes.

Eliot: You’re one of the most natural CISO communicators I’ve engaged with. Highly recommend Jeff’s books. Jeff, thanks so much—this was packed with value.

Jeff: Thanks for having me—great conversation.

Eliot: Likewise. Appreciate your time!

Check out Jeffrey Brown's books on leadership and communication!

🧠 Who Should Watch

  • CISOs and security leaders
  • Security awareness & training managers
  • HR & internal comms professionals
  • Anyone planning Cyber Awareness Month campaigns
  • Leaders who want to build a stronger security culture

Speakers

Eliot Baker
Director of Content Marketing at Hoxhunt
Linkedin

Jeffrey Brown
CISO Advisor (CSO) -- Financial Services, Microsoft
Linkedin

Jeffrey W. Brown is a cybersecurity professional with nearly three decades of expertise implementing transformative security solutions for top-tier global financial institutions including Citigroup, Goldman Sachs and AIG. As Connecticut's first Chief Information Security Officer (CISO), he launched a state-wide cybersecurity framework and established the Connecticut CyberHub, addressing the critical global cybersecurity skills shortage. In his current role as a cybersecurity advisor for Microsoft, Jeffrey champions the integration of advanced artificial intelligence (AI) in cybersecurity defenses. His prolific contributions to the field include several books, including Leading the Digital Workforce and The Security Leader’s Communication Playbook. A dynamic speaker and strategic board advisor for organizations such as iQ4 and Cowbell Cyber, Jeffrey holds the CISSP-ISSMP and CISM credentials and is an NACD certified boardroom director. He holds a B.A. and an M.S. from Pace University.

