How do you communicate security risks to your stakeholders without coming across like a scare tactic?


Blue USB Stick
Educational Services
I clearly state to “Respect the mountain”. We can do everything right and still be unable to fully ascend. How do we communicate COVID-19 risks without coming across like a scare tactic? Same idea. Threats can be mitigated, not necessarily neutralized.
2 upvotes
Yellow Monitor
Oil, Gas and Mining
One approach can be by highlighting real-world incidents resembling the security risks faced by the organization. To be frank, security risks are best understood when things happen to us and not before. So, it is important to make them visualize in that position (which again will appear as a scare tactic of sorts).
1 upvotes
Red Processor
Educational Services
I typically break it down to a conversational level that they can easily understand, like using their household as an example of a potential breach, or a vehicle locking mechanism, etc. You have to be able to connect with the audience or you lose them. Hopefully, when you have to relay risk, you have already built a relationship with them to have those conversations.
1 upvotes
Orange Hard Drive
Software
Use FAIR. It is a powerful methodology and helps the CSO/CIO/CTO speak and communicate to the board and senior management in a language they understand. https://www.amazon.com/gp/product/0124202314/ref=as_li_tl?ie=UTF8&tag=benrothkswebp-20&camp=1789&creative=9325&linkCode=as2&creativeASIN=0124202314&linkId=7fd85f49d934fa56b8adaec873bf290c
0 upvotes
Red Terminal
Software
By first communicating in a common, business-oriented language that all stakeholders can understand. Then it's about proper context that security risks are not static, but elastic, and it's not a binary situation of either being 'secure' or 'not secure', but rather how resilient your systems, networks, and employees are and having crisp plans of communication and remediation.
1 upvotes