Lost in Translation: Why Security Messages Fail to Land with Business Leaders
- Matt Kent
- Oct 23

The Communication Problem
In a world where the security landscape evolves faster than most organisations can adapt, one issue consistently undermines progress: communication. Not the lack of it – but how it happens.
Across five years of running security and risk training programmes, we’ve seen a recurring challenge. Security practitioners, technically strong and deeply committed, often struggle to communicate security in a way that resonates with business leaders. The result? Frustration, misalignment, and a lack of buy-in from those who hold the power to make change happen.
When a risk owner, board member, or business leader doesn’t see the value in increased security, everything stalls. It’s not a lack of will or intelligence on either side – it’s a translation problem.
Where Security Messages Break Down
Our work has shown five common misfires that consistently derail effective communication:
1. Framing the Message
Security requirements are often presented through a technical lens rather than a business one. Without clear linkage to what the business is trying to achieve – growth, resilience, innovation – the message loses relevance. The key question leaders ask (even if silently) is always: why does this matter to us?
2. Misalignment of Priorities
Practitioners tend to think in terms of security objectives, while business leaders think in terms of outcomes. Bridging that divide means translating controls, risks, and frameworks into tangible benefits that advance the business agenda.
3. The Credibility Gap
When the assessment of impact is too abstract or theoretical, leaders tune out. Business impact needs to be grounded in data and expressed in real terms – financial, operational, and reputational. When it isn’t, security messaging can quickly sound alarmist or disconnected from business reality.
4. The Missing Trade-Off
Security rarely succeeds in articulating the business case for investment. This isn’t a competence issue; it’s a skills issue. Many practitioners are never trained to frame a cost-versus-value conversation. Yet this is the language senior leaders speak fluently. Without it, security remains a cost centre, not a value driver.
5. Speaking in the Wrong Language
Overly technical language alienates non-technical stakeholders. Flooding a conversation with jargon, acronyms, or detail sends a signal that security is ‘for specialists only.’ But security, by nature, is a business-wide discipline. Clarity and relevance always outperform complexity.
The FACTR Communication Methodology
In our Next Generation Security Practitioner programme, we train practitioners to use the FACTR Communication Methodology to address precisely these challenges.
FACTR helps practitioners structure communication around five dimensions: Forces, Attributes, Cascade Effect, Threats, and Risk. It enables security professionals to distil complex technical issues into simple, structured narratives that business leaders understand and act upon.
The goal is not to oversimplify, but to translate. As one of my former Managing Directors once told me:
“I need to know there IS detail, but I don’t need to KNOW the detail.”
That principle has become a mantra for effective risk communication ever since.
From Information to Influence
The shift from information-sharing to influence is subtle but transformative. Security professionals must not only explain what the risk/security requirement is, but also why it matters, what the trade-offs are, and how proposed actions support business success. In other words, security must move from communicating for awareness to communicating for action.
When security leaders master this shift, their voice changes in the room. Conversations become more strategic, decisions more balanced, and investment more consistent.

FACTR Risk Communication Methodology © Évolution Formation & Développement SARL, France | GRC-X 2025.
Final Thoughts
Security communication isn’t about simplifying the message – it’s about amplifying its relevance. When practitioners learn to articulate risk in business terms, the perception of security transforms. From a cost centre to a strategic partner. From an obstacle to an enabler.
That transformation begins with one skill: communicating security through the lens of business risk.
Join the Conversation
Our next Next Generation Security Practitioner International Open Programme begins on 2 December 2025.
Learn the FACTR Communication Methodology and reshape how your organisation understands security.
Author: Matt Kent is Director of Learning & Development at GRC-X, and formerly with the Information Security Forum. With a track record in pioneering GRC training and professional development, he regularly contributes as a thought leader, international congress speaker, and panelist on the future of security leadership.


