Communicating Risk Intelligence to Stakeholders for Collaborative Remediation
Written by: Bob Maley
If you tell the sales team that their CRM provider is using an SDK with a known vulnerability, it’s likely they won’t understand how that impacts the business or what they should do about it. But if you were to demonstrate that continuing to use that CRM would present $150,000 of probable financial impact, you’ll likely earn their buy-in and open up a conversation. From there, you can discuss if the business is willing to accept that amount of risk or what action steps can reduce or transfer that risk.
Security professionals must act as interpreters, reframing complex risk intelligence for a variety of different stakeholders. By effectively distilling risk intelligence into relevant and effective strategies, security professionals can foster a company-wide security culture, empower stakeholders to make informed decisions, and improve the organization’s overall cybersecurity posture.
Here’s a breakdown of key stakeholders and how to tailor the way you approach communicating risk intelligence.
Communicating Risk Intelligence with Executive Leadership and the Board
Executive leadership and board members hold significant sway over company-wide priorities, budgets, and resource allocation. Getting their buy-in is imperative for any large-scale remediation efforts.
What they need to know:
- They need a high-level overview of the organization’s overall risk posture and, most importantly, they want to know the potential financial impact of cyber threats.
- In the most severe cases — such as a threat that has the potential to shut the business down permanently — this intel should be communicated with leadership immediately.
How to tailor your message:
- Use clear, concise language and avoid technical jargon.
- Lean into the “why,” explaining how this intelligence informs greater business priorities.
- Use visuals (e.g., charts or graphs) whenever possible to make complex topics easier to digest.
- Most importantly, quantify risk in financial terms whenever possible. Rather than saying, “This vendor has a C rating, and we need resources to fix it,” you could say, “Based on our quantitative risk analysis, a security breach involving this vendor could result in estimated damages of $65,000. To mitigate this risk, we recommend adopting a specific security control at an annual cost of $10,000. This investment in security measures aligns with the potential financial impact and represents a calculated approach to risk management.”
Communicating Risk Intelligence with the Business Unit Owner
The business unit owner is the leader of the team or department using the vendor who is adding risk exposure to your organization — like the sales team’s CRM from the example above. It’s likely that remediation efforts will cause a disruption to their operations and require resources they feel they can’t spare.
What they need to know:
- Whether an event could impact their operations, such as a ransomware attack that locks them out of a business-critical tool, and whether remediation is required.
- When risk mitigation efforts, like re-negotiating contractual terms with the vendor or selecting a replacement tool, are required. These efforts are most likely to succeed if the business unit owner is involved.
How to tailor your message:
- Rather than explaining how a vendor is only 42% compliant with an important regulation, focus on what’s most relevant to their daily operations.
- Quantify the impact of inaction into tangible terms they understand, such as comparing the cost of switching to a new vendor to the (likely higher) costs of downtime should the current vendor experience a breach.
- Prepare clear recommendations for remediation, making sure your asks are the minimum required to lower risk to an acceptable level.
- If they need to communicate with the at-risk vendor, help them craft messaging and provide data-backed reports to support a productive conversation.
Communicating Risk Intelligence with the At-Risk Vendor
These conversations should be reserved for risks that you can’t reasonably mitigate internally. This might include high-priority risks that will require you to move to a new vendor if remediation efforts can’t be agreed upon or when a breach has already occurred and you’ve exhausted all other sources of information.
This also may apply to a vendor that your business is considering signing a contract with. Perhaps you’ve vetted their cyber risk profile and have found a risk that your organization doesn’t want to take on. If they’re open to it, you may want to include remediation in the contract negotiation process.
You may also need to conduct deeper due diligence on high-risk vendors, including requesting additional security documentation or conducting on-site assessments. Altogether, this provides a clearer picture of how your third-party risks intersect with your own internal vulnerabilities.
What they need to know:
- What the risk is, how it can be mitigated, and the data behind your conclusion.
- What actions are required to lower the risk to an acceptable level for your business, although getting them to act on those requests is another matter.
How to tailor your message:
- Approach the vendor with a collaborative tone, as the goal is to minimize risk for both parties.
- Clearly outline the risk and provide the data and sources that were used to come to this conclusion.
- Offer support when possible, and provide resources and suggestions to help them address the risk.
Best Practices to Support Effective Communication
Beyond technical expertise, certain soft skills are crucial to effectively communicating risk intelligence to non-security professionals:
- Understand and tailor your conversation to the audience’s priorities, including the language you use and the specific concerns or objections that may arise.
- Quantify the potential impact of inaction, both to that specific stakeholder or business unit and to the business at large.
- Don’t overwhelm them with data. Provide just enough to demonstrate the validity of your conclusions.
- Provide specific suggestions to guide remediation efforts. As the security professional, you should be able to provide guidance to make effective decisions to reduce the risk to an acceptable level.
- Suggest a timeline for the remediation efforts that factors in the level of risk, the effort required for remediation, and the stakeholder’s other obligations. Depending on the level of risk, you’ll need to work together to find a timeline that works for both parties.
- Remember, this is a collaboration. Foster open communication as you work to reach a remediation plan that reduces the level of risk to an acceptable level and requires the least amount of effort by the stakeholder and their team.
Compelling Communication of Risk Intelligence Paves the Way Forward
By tailoring the way you communicate risk intelligence to various audiences, you can transform complex risk intelligence into a powerful driver of organizational change and improve your organization’s overall cybersecurity posture. Using language, examples, and data points that resonate with specific stakeholders makes it easier for them to view investments in security as a strategic necessity. Fostering open collaboration also empowers stakeholders to actively engage in risk mitigation efforts.
Be sure to check out our other blogs in this series, Turn Raw Risk Data into a Meaningful Intelligence Report and How to Interpret Your Risk Intelligence Report (the Right Way).
For a deeper dive into all things risk intelligence, sign up for our webinar, Cutting Through The Noise: Using Risk Intelligence To Make Better Decisions.
Discover how to turn raw data into actionable insights, prioritize risks, and enhance your cybersecurity strategies.