The financial services sector has known for some time that cybersecurity leaders’ communication skills have an impact far beyond the IT department. Cyber leaders’ ability to explain risks and technology in business terms influences day-to-day operations, long-term business stability, and ultimately, our customers’ trust.
But business is evolving, cybercriminals are increasingly sophisticated, and risks like fraud are on an upswing. Today’s leaders need more advanced strategies than avoiding technical jargon in board reports. In my experience as both a cyber risk executive at a large global bank and a CISO at a mid-size bank, there are six advanced communication strategies – from quantifying the business value of risk mitigation to discussing mistakes tactically – that can amplify your influence and impact.
Employing the strategies below will help you manage risk better. That’s important in the complex business environment of financial services. But these strategies can help you shape a stronger, more resilient security culture across your organization as well – and it starts with a key concept from one of the world’s greatest strategists.
“Every battle is won before it's ever fought.” — Sun Tzu, The Art of War
If your primary communication channel is a board committee, you are probably not communicating effectively. Use the following three techniques to begin your executive reporting before you reach the boardroom and prepare your battlefield for success.
Quarterly cybersecurity program briefings for managers below the senior executive level: Update managers who don’t normally attend security briefings to build support for cybersecurity programs within their business units. That support will filter up to more senior leaders.
1:1 cybersecurity meetings with executives: Meet with top leaders to review major program changes or discuss your cyber roadmap. By getting feedback in private and addressing their concerns, you build relationships and they get a more holistic understanding of risk. Most importantly, these executives will feel that you are listening to them and are concerned about their needs.
Weekly transparency reports: Send a short weekly operational update to a select group of key executives. It builds confidence in the security program and adds visibility. This report may take time to create at first, but updating it weekly is simple.
Senior executives care about topics like team leadership and efficiency, not just risk, because those issues impact the business. Discussing these areas, in addition to risk, shows that you share the concerns of other business executives.
For example, highlighting team leadership in your communications frames your focus on workforce capabilities, cross-functional teamwork, and skill gaps. Similarly, discussing efficiency can bring attention to your continuous process improvement efforts.
These can be very compelling and relatable topics for business executives. They also demonstrate that you are a well-rounded leader who thinks beyond cyber risk, which elevates you from a technical manager to a leader.
It’s not always possible to quantify value in financial terms, but you should always be able to highlight value in business terms. Explain what your work means, strategically and quantifiably, for people outside the security team.
For instance, customer identity access management tools reduce threat exposure but they also speed up new customer onboarding. Cloud security programs reduce risk, and they boost customer confidence in new initiatives like open banking or online business projects.
Thinking about the business value of risk mitigation helps you communicate business alignment, not just risk metrics. That can help you gain traction with people who don’t think about risk quantification tools and models the way you do.
Being transparent about mistakes isn’t just a cultural value CISOs should support – transparency can also demonstrate professional confidence, integrity, and a focus on continuous improvement.
Acknowledging security mistakes and highlighting lessons learned allows you to emphasize how your team was able to make adjustments that advanced your cybersecurity. To avoid alarming executives, I recommend explaining how the mistake improved your approach and avoided significant harm.
The key is to communicate your team’s commitment to security improvement – which will be invisible if you bury minor problems in your reporting.
Effective cybersecurity programs require a thoughtful, long-term approach, not a rushed reaction. When I became CISO at First Hawaiian Bank, I delayed presenting preliminary updates or significant plans for my first six months. Then I presented a refined, business-aligned, and effective format that outlined multi-year roadmap targets with detailed milestones.
If you feel pressure for quick wins, focus on business-as-usual activity and highlight the interim improvement steps you’re taking. If you go slow in planning, you can go fast later – and implement your plans with confidence.
Compelling presentations emphasize your professionalism. Even if your financial firm has a defined presentation format, visual clarity and concise, well-designed materials set you apart as an executive. Don’t crowd too much information into a small space. (Less important material can be moved to an appendix.) Use a consistent visual style – I color-code slides for each risk or topic with clearly defined pages.
Your skills as a presenter matter too. Often, junior managers show their lack of practice and comfort by reading slides, avoiding eye contact, and stumbling through their presentations using poorly phrased expressions.
I know that public speaking can be difficult – I tend to be introverted myself – but it’s a skill that leaders must acquire to be seen as professionals.
My final advice for successful reporting isn’t about communication, it’s about community. In short, get involved. Don’t isolate yourself. Lean into the security community, share new ideas, and get help from peers to become an effective communicator.
Security leadership is not just about managing threats — it’s about influencing, communicating, and shaping the organization’s security culture. Mastering these skills ensures that your message is heard, your program is supported, and your security efforts make a lasting impact.
To a cybersecurity leader, effective communication isn’t just about imparting information. It’s a way to manage risk and influence operations by speaking to executives and managers in their language (and listening to them closely), building a strong security culture by making plans thoughtfully and holistically, and earning the trust of other leaders with professionalism and transparency. By advancing their communication skills, cybersecurity leaders can impact the entire financial firm, including business operations, stability, and customer trust.
May 2025
© 2025 FS-ISAC, Inc. All rights reserved.
Adam Palmer (MBA, JD, CISSP) is the CISO at First Hawaiian Bank, where he leads all cybersecurity operations. Adam is a former U.S. Navy Officer with 20 years of cybersecurity experience. Adam lived for 10 years in the European Union (EU), where he worked for large multi-national organizations. He has also worked extensively in the Asia-Pacific region. Adam is currently based in Honolulu, Hawaii.