Why Security Communication Feels So Hard (And What to Do About It)
You've learned to speak the business language, but your concerns still get deprioritized. The problem could be the structure of who gets heard. Muted group theory explains why, and what to do about it.
Security and privacy professionals spend a lot of time and energy converting threat models into ROI calculations, privacy risks into brand value metrics, and architectural decisions into shipping velocity. Yet critical nuances still get lost, and important concerns remain deprioritized.
Most advice tells you to improve your translation skills – swapping out technical terms for business jargon. But effective communication is actually about understanding the structural dynamics that make these conversions necessary in the first place, and using that understanding strategically.
Muted Group Theory
Muted group theory originated in anthropology through Edwin Ardener's work in the 1970s, studying how certain groups become structurally silenced within a culture. Feminist scholar Cheris Kramarae later developed the theory to explain women's communication disadvantages in patriarchal societies. Still, the framework's principles can be applied to any group forced to operate within a dominant group's language system. Regardless of which group is dominant, when you don't control the language, you have to work harder to be heard.
According to the theory, dominant groups create the vocabulary, the acceptable topics, and the expectations for what counts as valid arguments. Everyone else must adjust. Understanding this dynamic is an important communication skill – one that fundamentally changes how effective you can be as an advisor.
Businesses naturally develop vocabularies around core functions such as growth, operations, and finance because their focus centers on market opportunity, competitive advantage, revenue growth, operational efficiency, and return on investment. As security and privacy professionals, we often operate in a different conceptual space, centered on protection, resilience, adversarial thinking, systemic vulnerability, and user rights.
Neither language is inherently better than the other, but security and privacy are specialized advisory functions that must constantly bridge into existing business frameworks. And that bridging work – the effort to align and set shared objectives – falls almost entirely on security professionals.
Recognizing this pattern is the first step in an effective communication strategy.
How the Asymmetry Actually Breaks Communication
The translation problem isn't just about vocabulary; it's about what gets lost when someone forces you to express security concerns in terms that weren't designed to hold them.
Consider what happens when a security team identifies a critical authentication vulnerability. It’s an urgent systemic risk that could compromise an entire platform, affecting all users simultaneously. The severity comes from the scope of potential impact and the adversarial probability, since attackers actively and relentlessly scan for exactly these weaknesses.
When you translate this into business language, it might look something like: "We need to spend $200K and delay the next feature launch by X weeks to implement MFA." The urgency disappears. It's now one cost-benefit calculation among many, competing with marketing campaigns and product improvements that have clear revenue projections attached.
What broke down? The security assessment operates in a threat model framework, i.e., likelihood of exploitation, blast radius, and adversarial motivation. The business decision operates within an opportunity-cost framework, i.e., known costs vs. projected returns, and the trade-offs between certain delays and potential incidents. Far beyond different vocabularies, these are different epistemologies about what constitutes a sound decision. Security evaluates what adversaries might do given their capabilities and opportunity. The business evaluates what the organization should do, given its available resources and competing priorities. The same vulnerability looks different through each lens.
When you're in the muted position, you're not only translating words to convey meaning in another context, but also compressing your entire reasoning framework into someone else's decision architecture. And in that compression, the structural logic that makes something "critical" often gets flattened into a simple cost.
This is why the standard advice for security professionals to just get better at translating security concepts into business terms isn't enough. Bilingualism will make you more effective, but understanding and working with the organization's structural limitations is where the real wins are. Rather than simply working harder to convert security concepts into business terms, effective communicators recognize this asymmetry and use it strategically.
Communication Strategies
Here are two high-leverage communication strategies to consider once you understand the structural dynamic:
1. Reframe timing, not just content – Instead of arguing harder that the vulnerability is critical or converting it to a simple cost-benefit (losing the nuance of criticality), you can reframe the decision timeframe itself.
"We can implement this in Q2 for $200K, or we can wait until we're responding to an active incident, which historically costs organizations in our sector $2-4M in emergency response, customer notification, regulatory response, and platform recovery – plus the opportunity cost of every product and engineering team stopping their work to address it. The question isn't whether to implement MFA, but whether we want to choose our timing or have it chosen for us."
This works because it translates the adversarial probability (which doesn't compute in business frameworks) into the business-native concept of paying now versus paying more later. Rather than fighting the dominant language system, identify where your framework has natural leverage inside of it.
2. Build decision-making infrastructure before you need it – Muted groups become less muted when they establish their concerns as legitimate inputs before crises force the conversation. This means proactively creating spaces where security reasoning is expected and valued.
A popular asset we’ve created for clients at Discernible is a lightweight "security decision log" to track the security issues they flagged, the business's decisions (including who owns the risk), and what actually happened. Not as a gotcha document, but as organizational learning. When you can say, "In the last eight quarters, we recommended new controls 6 times before an incident and 3 times after an incident. Here's what each path cost," you're no longer arguing from a muted position. You've created a track record that speaks business language while preserving security logic.
Understanding muted group theory fundamentally changes which outcomes you can achieve and allows you to deploy your energy more strategically. Instead of endlessly refining your board deck, you might focus on changing what kinds of questions the board asks. Instead of arguing harder in each product security review, you might work to establish security reviews as a standard phase with different decision criteria.
Most importantly, you stop seeing business stakeholders as obstacles to overcome and start seeing them as partners who face the same structural constraints in how organizations make decisions. Your role exists to help the business pursue its goals, which requires communicating about risks in ways that align with how decision-makers actually make decisions. Understanding the asymmetry helps you do that more effectively while maintaining the integrity of what you're trying to communicate.
Muted group theory won't solve every communication challenge security professionals face. Still, it offers something more valuable than another framework for "translating technical to business" because it explains why that translation is so difficult and what strategic options become available when you understand the underlying dynamic.