Beyond Translation: How CISOs Lead When the C-Suite Can’t Decide

When the C-suite stalls on security decisions, accountability rolls downhill while strategic direction never flows down. Learn four communication theory-based strategies that help CISOs lead effectively despite organizational ambiguity and competing priorities.


Last week, I was updating my list of resources for a communication and influence workshop with several dozen CISOs. I wanted participants to have solid articles and frameworks they could reference after the session. In doing so, I came across this HBR article: "Managing Your Team When the C-Suite Isn't Providing Strategic Direction" by Jenny Fernandez and Kathryn Landis. It wasn't written for security leaders, but it nailed something I see CISOs struggle with constantly.

The article tackles the familiar problem of senior leadership that keeps stalling on key decisions: accountability rolls downhill while direction never flows down from above, and you are left managing both the confusion and a restless team.

This isn't just about organizational dysfunction (although, my god, the blog posts I could write about company-wide dysfunction caused by indecisive executives) – it's about the fundamental challenge CISOs face: leading strategically while influencing upward in an environment where security is rarely the top priority.

Four Strategies That Actually Work

Fernandez and Landis propose four strategies for leading when the C-suite can't (or won't) make decisions. What makes them powerful for CISOs is that they're rooted in communication theory, not management platitudes.

1. Reframe Requests and Proposals as Low-Risk

Prospect theory is your best friend here. Daniel Kahneman and Amos Tversky's work demonstrated that people are roughly twice as motivated to avoid losses than to pursue equivalent gains. This loss aversion shapes how executives evaluate risk.

For CISOs: Stop leading with what could go wrong. We've trained ourselves to think in terms of threats, vulnerabilities, and worst-case scenarios. But when you frame every security initiative as preventing catastrophic loss, you trigger the psychological response that makes executives hesitate. They become risk-averse about making any decision, including the one you're proposing.

Reframe your proposals to emphasize how they preserve existing goals while minimizing disruption. Present them as incremental improvements that protect existing business operations rather than major transformations that could destabilize current systems.

In practice: Rather than saying, "Without zero-trust architecture, we're vulnerable to lateral movement attacks that could compromise our entire network," try "This zero-trust implementation protects our current operations by preventing small incidents from becoming company-wide disruptions. It's essentially an insurance policy for the infrastructure investments we've already made."

2. Quantify the Cost of Inaction

While reframing reduces perceived risk, you still need to create urgency. This is where framing effects come into play – the strategic use of loss framing when the goal is to motivate action rather than shape a specific choice.

The research is clear that when you're trying to move someone from inaction to action (rather than choosing between two options), loss frames can be more effective than gain frames. But here's the difference – you're not framing a specific solution as a loss. You're framing inaction as the risky choice.

For CISOs: Create concrete, data-driven scenarios that illustrate the costs of continued inaction. Not theoretical breach scenarios, but operational inefficiencies, competitive disadvantages, or regulatory exposures that are already happening.

In practice: "Our current authentication system is generating 47 password reset tickets per week, consuming approximately 12 hours of IT support time. That's $31,000 annually in support costs alone, before we factor in the productivity loss from employees locked out of systems. Three of our competitors implemented MFA last quarter and are now highlighting it in their SOC 2 reports to our shared customers."

3. Keep Your Team Moving and Motivated

This strategy draws on upward communication theory, which emphasizes that effective leadership isn't just about managing up. It's also about creating communication channels that flow in both directions while maintaining team momentum despite organizational ambiguity.

Research on upward communication shows that teams perform better when they understand why decisions are delayed and how their work contributes to the larger strategy, even when that strategy is still forming.

For CISOs: Your security team doesn't need to know every political battle you're fighting, but they do need to understand the landscape. Share what you can about organizational priorities, competing initiatives, and timeline realities. This transparency builds trust and helps your team make better local decisions while you work on securing company-level buy-in.

In practice: Create regular forums like team meetings, Slack channels, or written updates where you share not just decisions but the context around them. When a security initiative stalls, explain whether it's a budget issue, a competing priority, a stakeholder alignment challenge, or an uncertainty about business impact. This helps your team understand that delays aren't failures, but part of organizational reality.

4. Build Your Influence Up and Across

This connects directly to what we explored in our previous post on "Why Effective Security Communication Starts with Strategy, Not Synonyms."

The HBR article emphasizes building coalitions with peers and finding ways to influence upward strategically – what we call "climbing the Ladder of Inference" – by understanding that influence requires meeting people where they are and systematically addressing each level of resistance.

For CISOs: You can't influence C-suite direction if you only interact with executives during budget season or after incidents. You need ongoing relationships with peer leaders (CFO, CTO, COO, GC, CMO) who can help you understand competing priorities and find opportunities for alignment.

In practice:

  • Schedule informal check-ins with peer executives to understand their current challenges
  • Look for ways your security initiatives can solve their problems (the CFO's audit concerns, the CTO's technical debt, the COO's operational inefficiencies)
  • Share information that helps them succeed, even when it's not directly about security
  • Build a coalition around shared problems rather than security-specific solutions

Why This Matters More Than "Translation"

These strategies are different from the usual "translate security concepts into business language" advice. They're about strategic influence, not vocabulary substitution.

The problem isn't that executives don't understand what "endpoint detection and response" means. The problem is they don't know why they should prioritize your EDR recommendation over the fifteen other initiatives competing for the same budget and attention.

These four strategies – reframing risk, quantifying inaction, maintaining team momentum, and building coalitions – give you a systematic approach to creating strategic direction rather than waiting for it to appear from above.

The Bigger Picture

Fernandez and Landis' key insight: when the C-suite isn't providing strategic direction, senior leaders must step up to flip ambiguity into clarity and keep the organization moving forward.

For CISOs, this isn't an occasional challenge. It's a daily reality. Security rarely drives business strategy; it enables and protects it. You're almost always operating in an environment where security isn't the top priority and strategic direction from senior leadership is ambiguous at best.

The CISOs who succeed aren't the ones who wait for perfect clarity or complain about a lack of executive support. They're the ones who master these influence strategies:

  • They reframe security investments as risk mitigation for existing business operations.
  • They quantify the cost of continuing current practices in terms that executives already care about.
  • They keep their teams focused and motivated despite organizational uncertainty.
  • They build peer relationships that create pathways for influence and alignment.

Moving Forward

As you prepare for your next executive presentation or strategy session, remember that your job isn't to translate security priorities into business language. Your job is to lead strategically while influencing systematically.

That means:

  • Understanding how your proposals are framed from your audience's perspective (prospect theory)
  • Making the cost of inaction more salient than the risk of action (strategic loss framing)
  • Building communication channels that keep your team effective, even when organizational clarity is lacking (upward communication)
  • Creating coalitions that amplify your influence and align security with business priorities (systematic influence)

I first learned these principles as a graduate student in communications at Boston University. They're not just communication tactics—they're leadership strategies grounded in decades of research on how people actually make decisions in the midst of uncertainty.

And isn't that exactly where CISOs operate every day?


Further Reading

If you want to dive deeper into the communication theories that underpin these strategies:

Prospect Theory & Framing Effects:

  • Kahneman, D., & Tversky, A. (1979). "Prospect Theory: An Analysis of Decision Under Risk." Econometrica, 47(2), 263-291.
  • Tversky, A., & Kahneman, D. (1981). "The Framing of Decisions and the Psychology of Choice." Science, 211(4481), 453-458.
  • Kahneman, D., & Tversky, A. (1984). "Choices, Values, and Frames." American Psychologist, 39(4), 341-350.

Upward Communication Theory: