CISO Communication Playbook
Technical controls and human behavior are two sides of the same security coin. CISOs who master both domains build more resilient security programs that withstand evolving threats and organizational pressures alike.
How Psychology and Communication Research Can Transform Frustration into Influence
Cybersecurity has transformed from a technical specialty into a strategic business function. What separates exceptional security leaders from the rest? Communication expertise.
CISOs who apply what we’ve learned from communication scholarship don't merely draft requirements — they shape behaviors, influence decisions, and transform organizational norms that determine security outcomes.
Successful CISOs develop communication competence throughout their entire security organization by elevating cross-functional collaboration, influencing without authority, and adopting soft skills as core competencies. They understand that technical controls and human behavior are two sides of the same coin, and CISOs who master both domains build more resilient security programs that withstand evolving threats and organizational pressures.
The Communication Gap in Cybersecurity
Board-level visibility for cybersecurity continues to increase, but many CISOs still struggle to translate technical concepts into language that resonates with business leaders. At the same time, security teams face persistent challenges influencing business decisions and organizational behavior.
Behind these challenges lies a fundamental misunderstanding of how effective communication actually works. Most security communication efforts rest on three flawed assumptions:
- Providing information leads to understanding
- Understanding produces agreement
- Agreement generates action
Contemporary communication research and scholarship dismantle these assumptions and offer better approaches. In our monthly newsletter, we explore contemporary communication theories specifically for security professionals. Let's examine a few of those frameworks that can transform your security program's effectiveness.
Risk Communication: Why Your Security Messages Fail
Have you ever meticulously crafted security guidance only to watch executives or employees ignore it? Risk communication research explains why.
The Extended Parallel Process Model (EPPM), developed by Kim Witte, demonstrates that effective risk messages must balance two key elements:
- Threat messaging: Communicating the severity of and susceptibility to a threat
- Efficacy messaging: Providing clear, actionable steps that individuals can take to mitigate the risk
When security communications emphasize threats without providing adequate efficacy information, they trigger what researchers call "fear control" rather than "danger control." Instead of taking protective action, recipients focus on managing their emotional response—often through denial, minimization, or avoidance.
This explains why fear-based security communication programs frequently backfire. People don't ignore security guidance because they're lazy or uncaring; they ignore it because the communication approach triggers psychological defense mechanisms.
Smart CISOs apply this research by:
- Balancing messages about cyber threats with clear, achievable security actions
- Ensuring people feel empowered rather than overwhelmed
- Testing messages to verify they produce the intended response
Diffusion of Innovations: A Roadmap for Security Adoption
Introducing new security technologies or processes often feels like pushing a boulder uphill. Diffusion of Innovations theory, pioneered by Everett Rogers, explains why—and offers a framework for success.
This theory identifies five characteristics that determine adoption rates:
- Relative advantage: How much better the innovation is than what it replaces
- Compatibility: How consistent the innovation is with the values, experiences, and needs of potential adopters
- Complexity: How difficult the innovation is to understand and use
- Trialability: The extent to which the innovation can be experimented with on a limited basis
- Observability: How visible the results of the innovation are to others
When security teams focus exclusively on technical capabilities without considering these factors, they virtually guarantee resistance. By contrast, CISOs who leverage diffusion theory can strategically position security initiatives for success.
For example, when implementing single sign-on (SSO), effective security communication looks like this:
- Demonstrate clear advantages by highlighting both security benefits and user convenience
- Ensure compatibility by selecting solutions that integrate with existing applications and identity stores
- Reduce complexity through carefully constructed information hubs, employee communications, and intuitive login experiences
- Enable trialability through controlled rollouts to specific groups
- Increase observability by showcasing metrics such as shorter login times and lower helpdesk ticket volume
Organizational Rhetoric: Speaking the Language of Business
One of the most common complaints about security leaders is that they struggle to communicate in business terms. Organizational rhetoric studies provide insights into how to frame security needs in language that resonates with executives and boards.
Research by scholars like George Cheney and Cynthia Stohl shows that successful organizational communication requires alignment with dominant value systems and discourse patterns. For security leaders, this means translating security concepts into the frameworks that drive business decisions.
Effective CISOs leverage this research by:
- Mapping security initiatives to strategic business objectives
- Quantifying security risks in financial terms
- Using narrative structures that mirror how other business cases are presented
- Adopting the linguistic patterns and metaphors common in executive communications
When security is positioned as an enabler of business goals rather than a cost center or obstacle, it receives greater support and resources. Essentially, we’re translating between different professional languages.
Media Richness Theory: Choosing the Right Channel
In the digital age, security leaders have countless communication channels at their disposal: email, Slack, video conferences, in-person meetings, team collaboration platforms, and more. Media Richness Theory, developed by Richard Daft and Robert Lengel, provides guidance on which channels work best for different types of security messages.
The theory posits that communication channels vary in their capacity to handle ambiguity and facilitate understanding — this is referred to as their "richness." Richer media provide more immediate feedback, support multiple communication cues, allow for personal focus, and permit language variety.
Security communications often fail when there's a mismatch between the message's complexity and the medium's richness. For example, explaining a nuanced security policy change via email (a relatively lean medium) may lead to confusion and misinterpretation.
Savvy CISOs apply this theory by:
- Using richer media (in-person or video meetings) for complex or potentially controversial security messages
- Selecting leaner media (email, documentation) for straightforward, unambiguous information
- Considering the emotional implications of security communications when choosing channels
- Creating deliberate communication cascades that use multiple channels for critical security initiatives
Psychological Reactance: Understanding Resistance
When users circumvent security controls or ignore security policies, they're often exhibiting what communication researchers call psychological reactance, a negative reaction to messages or mandates that threaten their sense of freedom and autonomy.
Reactance theory, developed by Jack Brehm, explains why heavy-handed security measures often backfire, leading to greater risk-taking rather than compliance. When individuals feel their choices are being restricted, they become motivated to reassert their freedom even if doing so is counter to their own interests.
Forward-thinking security leaders mitigate reactance by:
- Providing clear rationales for security requirements
- Offering meaningful choices within security constraints
- Using autonomy-supportive language ("you might consider" vs. "you must")
- Acknowledging the legitimacy of concerns about security friction
This approach doesn't mean compromising on security standards. Rather, it means implementing those standards in ways that respect user agency and minimize psychological resistance.