Bridging the Cybersecurity Communication Gap Between IT Directors and Business Leaders

The cybersecurity landscape has become a complex battleground, with adversaries constantly evolving their tactics and leveraging sophisticated tools to increase the volume and effectiveness of attacks. In 2023, over half (55%) of cybersecurity professionals reported an increase in cyberattacks year-over-year,[1] and most directors (65%) still believe their organizations are at risk of a material cyberattack within the next 12 months.[2]
Artificial intelligence (AI) is a significant, unpredictable variable because cybercriminals can utilize its advancements to probe and exploit digital systems at scale. A recent report found that 97% of cybersecurity professionals are concerned that their organizations will suffer an AI-generated incident and 75% had to change their cybersecurity strategy in the last year due to the rise in AI-powered cyber threats.[3]
These pervasive and rapidly evolving threats underscore the critical need for IT teams to consistently assess and adjust their approach, but only 36% of cybersecurity professionals state that their budgets are appropriately funded.[1]
With IT professionals sounding the alarm, why do 76% of board members believe that they’ve made adequate investment in cyber protection?[2]
The answer is ineffective communication.
A serious disconnect exists between IT experts and business leadership when it comes to cybersecurity strategy alignment. This discrepancy can lead to complacency, underinvestment and bureaucratic bottlenecks that increase the risks of security breaches.
To overcome communication challenges, it’s essential to establish regular, transparent touchpoints between IT and the C-suite. Read on for some practical steps to bridge this communication gap and build a more resilient cybersecurity strategy.
Communicate Like Your Company Depends on It
How can we bridge this communication gap and build a more resilient cybersecurity strategy? It starts with establishing regular, transparent touchpoints between IT and the C-suite.
Cyber Risk Assessments are a popular way to align leadership around an organization’s risks and recommended mitigation approaches, but the Information Systems Audit and Control Association found that only 28% of organizations conduct them at least every 6 months,[1] which is a lifetime in the cybersecurity world.
Frequent cybersecurity reporting cadences should be established. Some companies have even created business-IT steering committees that can be more responsive towards the rapidly changing landscape by aligning priorities and approving budgetary needs with greater flexibility.
Translate Security Data into Business Data
Great communication is both timely and clear. Business leaders and IT experts need to speak the same language to have effective conversations. There will always be some degree of cyber risk, but determining the ROI of risk mitigation (level of risk to the business ÷ investment needed to mitigate risk) translates technical risks into financial terms.
Cyber Risk Quantification is the Rosetta Stone between cybersecurity teams and business leaders. It’s a process that aims to say: “A breach or failure in this area of our digital ecosystem could cost us $X with a Y% probability.” Cyber Risk Quantification allows the cybersecurity team to more easily have the “ROI” conversation with leadership by helping them understand the benefits of risk avoidance. With companies’ increasing reliance on digital for functions like business logistics, employee operations and customer interactions, the ROI of systems reliability is typically much better than many business leaders realize.
To initiate Cyber Risk Quantification assessments in your organization, you first need to align on the monetary value and security vulnerabilities of each digital asset. After analyzing your current security posture, you can outline the likelihood of each vulnerability, quantify the amount of at-risk business and define how much solutions would cost. The output is an ROI-based prioritized list of ways to strengthen your security posture.
Example of Cyber Risk Quantification in Action
Let’s use a hospital’s patient database as an example of a digital asset. Some of their risks would include lost current revenue due to downtime, HIPAA violation fines and lost future revenue due to reputational damage. To combat these risks, they could invest in a more secure network, advanced ransomware detection, multi-factor authentication tools, phishing training, data encryption and more.
If the hospital determines that their current security posture has vulnerabilities that present a 10% chance of a DDoS attack, an 8% chance of a ransomware attack and a 5% chance of a phishing attack, then they can calculate which solutions would be the highest priority investment based on ROI. For example, if the potential impact of a DDoS attack is $1 million per year and the likelihood is 10%, the risk can be valued at $100,000, and investing $20,000 to improve DDoS defense would yield an ROI of 5.
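The hospital calculation above, carried through to a ranked list and a budget decision, as an added example that is not part of the original article. Only the DDoS figures come from the article; the ransomware and phishing impacts and costs are constructed, and the `risk_reduction` parameter is an assumption that generalizes the article's formula (which treats the investment as removing the whole risk) to partial mitigations.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Mitigation:
    threat: str
    annual_impact: float         # dollars lost per year if the event occurs
    likelihood: float            # annual probability of the event, 0.0 to 1.0
    cost: float                  # dollars needed to mitigate
    risk_reduction: float = 1.0  # assumption: share of the risk the spend removes

    def __post_init__(self):
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.threat}: likelihood must be a probability")
        if not 0.0 <= self.risk_reduction <= 1.0:
            raise ValueError(f"{self.threat}: risk_reduction must be 0.0 to 1.0")
        if self.annual_impact < 0 or self.cost <= 0:
            raise ValueError(f"{self.threat}: impact must be >= 0 and cost > 0")

    @property
    def risk_value(self) -> float:
        # Article: $1 million impact x 10% likelihood = $100,000 of risk
        return self.annual_impact * self.likelihood

    @property
    def roi(self) -> float:
        # Article: level of risk / investment needed to mitigate it
        return self.risk_value * self.risk_reduction / self.cost


def prioritize(items):
    """Highest ROI first: the ROI-based prioritized list."""
    return sorted(items, key=lambda m: m.roi, reverse=True)


def fund_within_budget(items, budget):
    """Walk the prioritized list and fund every item that still fits."""
    funded = []
    for m in prioritize(items):
        if m.cost <= budget:
            funded.append(m.threat)
            budget -= m.cost
    return funded


# DDoS figures are the article's; the other impacts and costs are constructed.
PATIENT_DB = [
    Mitigation("DDoS", 1_000_000, 0.10, 20_000),
    Mitigation("Ransomware", 2_500_000, 0.08, 80_000),
    Mitigation("Phishing", 600_000, 0.05, 10_000),
]
```

Setting `risk_reduction` below 1.0 for a control that only partly removes a risk lowers its ROI and can reorder the list, which is worth showing leadership alongside the headline figure.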
To power these data-driven analyses, you can utilize cybersecurity analytics tools that are provided by advanced cybersecurity solutions. For instance, Lumen Defender provides dual benefits of intercepting network security threats using machine learning and delivering detailed threat insights in a comprehensive analytics dashboard.
By translating technical risks into financial terms, IT and business leaders can have more effective conversations. Next, we’ll explore how to turn these plans into reality by ensuring the necessary resources.
Resource Allocation for Effective Communication
With the need for relatively frequent communication, exercises like Cyber Risk Assessments and Cyber Risk Quantifications can easily become cumbersome due to the deluge of cybersecurity data that exists. Cybersecurity teams need to quickly surface the most pertinent data for these analyses by building data feeds and visualization tools that consolidate multiple sources.
Effective storytelling goes beyond data to emphasize the highest priority takeaways, highlight trends and demonstrate the effectiveness of security investments in language that both IT teams and business leaders understand.
The challenge is that IT teams need the resources to maintain tools and invest time for these communication-focused tasks. However, the persistent IT talent shortage makes it difficult to recruit and retain skilled cybersecurity professionals. In 2024, well over 50% of cybersecurity roles were left vacant.[1]
So how can your organization communicate effectively if building a team is so difficult?
Many organizations are using managed security services teams to fill various roles, including strategic security assessments, security implementation services and 24/7 security monitoring. These managed services companies benefit from economies of scale, enabling them to invest significantly in training talent and developing advanced tools to assist their client base. You can leverage them to either gain access to expert cybersecurity assessments or free up your internal team to conduct assessments themselves.
Lumen Can Advance Your Organization’s Cybersecurity Effectiveness
Approaching cybersecurity for long-term success requires IT teams to consistently and clearly communicate with business leaders. Cyber Risk Assessment and Cyber Risk Quantification are foundational practices to translate IT risk into business risk, but IT teams are often inhibited by tools that present endless amounts of cybersecurity data and insufficient resources to turn that data into a story.
To help your cybersecurity team move towards more effective communication, Lumen offers advanced security solutions with comprehensive analytics dashboards, along with managed services to help alleviate resourcing bottlenecks.
Explore how Lumen security services can help weave cybersecurity into the fabric of your business.
[1] ISACA, State of Cybersecurity 2024, 2024.
[2] Harvard Business Review, Boards Are Having the Wrong Conversations About Cybersecurity, May 2, 2023.
[3] Deep Instinct, Generative AI in Cybersecurity: Friend or Foe?, 2024.
©2025 Lumen Technologies. All Rights Reserved.