CISOs must speak business to earn executive trust

In this Help Net Security interview, Pritesh Parekh, VP, CISO at PagerDuty, talks about how CISOs can change perceptions of their role, build influence across the organization, communicate risk in business terms, and use automation to support business goals.


What do business leaders most often misunderstand about the CISO’s role, and how can security leaders correct those perceptions?

Too often, business leaders view cybersecurity solely as a defensive function that can slow innovation, when in reality it is constantly being shaped by evolving technology and the shifting technology landscape. Security had to evolve as the world grew cloud-based, and modern security is now about enabling speed and business growth.

When security is done right, we’re actually accelerating the business by eliminating manual checkpoints and replacing them with automated guardrails. My team focuses on automating responses rather than creating bottlenecks. We demonstrate our value by showing how our automated security responses have prevented business disruptions while allowing development and operations to move faster.

The most powerful way to correct misconceptions is with data, particularly metrics that show how our security programs reduce risk and drive operational efficiency. When executives see that we’re protecting the business while making it more agile, their perception shifts dramatically.

How are leading CISOs building influence beyond the IT department, to become trusted advisors to the CEO, CFO, or even customers?

The key to building broader influence is translating security into business impact language. I’ve found success by guiding conversations around what executives and customers truly care about: business outcomes, not technical implementations.

When I speak with the CEO or board members, I discuss how our security program protects revenue, ensures business continuity and enables growth. With many past breaches, organizations detected the threat but failed to take timely action, resulting in significant business impact. By emphasizing how our approach prevents these outcomes, I’m speaking their language.

I’ve also found that embedding security into core business operations builds natural influence. When security becomes an integrated part of engineering and operations rather than an external checkpoint, you naturally gain a seat at the table for strategic discussions.

What kind of communication or storytelling skills are now essential for CISOs who want to make their case to the board or executive team?

The most effective CISOs use concrete scenarios and real-world examples that translate technical concepts into business outcomes. When I speak to our board, I don’t present abstract threats. I walk through specific scenarios that highlight potential business impact, such as “Here’s a situation we prevented last quarter that could have resulted in X hours of downtime and Y dollars in lost revenue.” I’ve also found that using analogies from other business domains helps executives grasp security concepts.

Data visualization is also critical. Executives don’t want to read dense technical reports. They need clear visualizations that show trends, prioritization and business impact at a glance.

Can you share an example of a CISO who successfully shifted from being seen as a “department of no” to a strategic enabler? What made that transformation work?

Successfully shifting a security organization from being perceived as the “department of no” to a strategic enabler requires a fundamental change in mindset, engagement model and communication style. It begins with aligning security goals to the broader business strategy, understanding what drives growth, customer trust and operational efficiency. Security leaders must engage cross-functionally early and often, embedding their teams within product development, IT and go-to-market functions to co-create secure solutions rather than imposing controls after the fact. This proactive, partnership-driven approach reduces friction and builds credibility.

Equally important is how security communicates risk, framing it in terms of business impact, opportunity cost and customer experience rather than technical jargon or fear-based messaging. Measuring success through metrics that resonate with the business, such as reduced time-to-market, risk-adjusted innovation or improved customer trust, helps demonstrate value. Ultimately, the transformation succeeds when security is seen as a trusted advisor that enables innovation while safeguarding the business.

How do you approach conversations about risk appetite and tolerance with other business leaders, especially when your priorities may not fully align?

Effective risk conversations start with data and business context. I’ve found the most success by first understanding what drives value for each function, then quantifying how security risks could impact those priorities.

For example, when discussing automated response systems with business units concerned about customer experience, I focus on how security automation can actually prevent customer-facing outages rather than just preventing breaches. The key is translating security risks into the metrics that matter to each stakeholder, whether that’s revenue impact, customer retention or operational efficiency.

When priorities don’t align, I present multiple options with clearly articulated trade-offs rather than a single secure path. I might say, “Here’s our recommended approach with minimal risk, but here are two alternatives that balance speed and security differently.” This positions security as a collaborative problem-solver rather than an obstacle, and it respects that different business functions may have different risk tolerances.
