Why risk alone doesn’t get you to yes
I have spent years in security rooms, from military operations centers to corporate boardrooms. The hardest mission most security leaders will face is not identifying a threat. It is getting someone to act on it.
We're trained to spot exposures before anyone else does. We continually assess likely threats, evaluate impact, and design controls to prevent disruption long before it reaches operations or shareholders. That's the job. But here's what I've watched happen, over and over again: a security leader walks into a meeting with a technically sound brief, well-supported recommendations, and a clear picture of the risk. The room nods. The CFO asks for more context. The conversation gets tabled for next quarter.
Nothing happens.
It’s not that they don’t believe the intelligence. They almost always do. The problem is that risk, by itself, informs. It doesn’t compel. And there’s a gap between those two things that we’ve been slow to close.
The translation failure
Executive management sees the world through the lens of accountability. Management is accountable for maintaining revenue flow, regulatory compliance, operational stability, and long-term enterprise value. If we present an exposure without relating it to those things, we are speaking a foreign language.
I've witnessed this myself. Report endpoint coverage at 62% and you have communicated precision, nothing more. Tell a COO that a single unprotected endpoint can stop a manufacturing line from producing for two days, and suddenly you're in a conversation about operational risk, not IT metrics. The underlying exposure hasn't changed. What changed is the frame.
This is where a lot of us fall short. As soon as we sense hesitation, the instinct is to pile on more data. More dashboards, more metrics, more slides. It’s the security equivalent of talking louder when someone doesn’t even speak your language. More information doesn’t equal more clarity. Sometimes it buries the decision that needs to be made.
Where the brief breaks down
Several themes recur in conversations I've had with CISOs and CSOs across industries.
First, we leave objections on the table. Budget, workflow, competing initiatives: all of these realities shape risk tolerance. If you don't identify obstacles upfront, they'll surface later as reasons to delay. When you confront the obstacles head-on, you show that you understand where the organization's constraints lie, not just your own threat model.
Second, we focus on the security function instead of the enterprise. When the ask is framed around how much capacity the security team has or how many tooling gaps they have, it sounds like a departmental request. When it’s framed around shared business outcomes, it becomes a strategic conversation. Same request, very different reception. I learned this lesson quickly. We stopped getting traction on executive protection investments until we stopped talking about what our team needed and started talking about what the business was going to lose.
Third, and this is my biggest frustration: we leave the meeting without clearly defining the ask. You’ve laid out the exposure beautifully. Everyone agrees. Meeting ends. Nothing moves. Because you never defined the investment, the owner, the timeline, or the consequence of inaction.
What works
The security leaders who consistently get a "yes" from stakeholders aren't working with better intelligence. They communicate differently.
They lead with consequence, not configuration. Rather than opening with compliance posture or system architecture, they begin with what will happen if the vulnerability is left unaddressed: operational downtime, lost contracts, customer churn, regulatory scrutiny. Those are the very things the executive in the room is already accountable for.
They connect technical work to business math. Each initiative is a chain: the technical action reduces a specific risk, and that reduction protects a particular business objective. Upgrading an organization's authentication capabilities isn't a system improvement. It's a $200K investment that reduces the likelihood of account takeovers, each of which could cost millions. Connecting cause and effect to dollars and cents is what gets a board to engage.
They tailor the message to each stakeholder. A CFO will evaluate the financial exposure and liability. A COO prioritizes uptime. A CMO worries about trust and brand perception. The content of the communication doesn’t change. The entry point does.
And they make the ask precise. Not "we need stronger off-hours protection." Instead: "I'm requesting two additional overnight guards starting November 1, at a cost of X, owned by Y, because without them we accept Z." That specificity shows the security leader has done the work of weighing cost against benefit for the requested remediation. It also gives stakeholders something concrete to approve or reject.
The real mission
Getting organizational buy-in isn’t a soft skill. It’s a core capability. In the military, we understood that intelligence without action is just information. The same principle applies here. The distance between identifying a risk and getting the enterprise to move on it is where security leadership actually lives.
We owe it to our teams, our organizations, and the people we protect to close that gap. Not with more data, but with better translation. Risk tells people what could go wrong. Influence gets them to do something about it.
For more information see The Security Leader’s Playbook for Getting to Yes.