GRC

Stories Over Spreadsheets: Why Security Leaders Need to Change How They Communicate

|

Updated:

|

Published:

Dark blue graphic with yellow and white text: On-Demand WEBINAR: Stories Over Spreadsheets—The Psychology of Selling Security. The design, featuring circuit-like lines and dots in the background, highlights strategies for communicating cybersecurity risk to executives effectively.

Security leaders don’t usually lose budget because their recommendations are wrong.

They lose support because they’re telling the wrong story.

Every day, security, risk and GRC professionals present compelling evidence: vulnerability reports, risk scores, compliance findings, threat intelligence and dashboards filled with metrics. Yet despite all that data, many struggle to secure executive buy-in for critical initiatives.

The problem often isn’t the recommendation itself. It’s how it’s communicated.

In a recent Onspring webinar, Stories Over Spreadsheets, Ames National Corporation Information Security Officer and Cybersecurity Engineer Kyle Hauswirth shared a different approach. Instead of relying on technical details and fear-based messaging, he encourages security leaders to frame cybersecurity in terms executives already understand: business outcomes, shared goals and compelling narratives.

Data Doesn’t Drive Decisions. Stories Do.

Security teams spend years developing technical expertise. Naturally, that’s the language they speak. Executives don’t. Boards, CEOs and business leaders think about strategic priorities, financial performance, customer trust and organizational resilience. While security professionals often present controls, vulnerabilities and acronyms, executives are evaluating risk through an entirely different lens. That disconnect can make even the strongest business case fall flat. Rather than overwhelming decision-makers with technical evidence, effective communicators translate security initiatives into business value. Instead of explaining how a security tool works, explain what business problem it solves. Instead of leading with technical features, lead with organizational outcomes.

Fear Isn’t Always the Best Motivator

Cybersecurity often relies on worst-case scenarios to justify investment. A breach could cost millions. Ransomware attacks are increasing. Sensitive data could be exposed.

While these risks are real, constantly leading with fear can have the opposite effect. When people feel overwhelmed, they’re less likely to think strategically or engage with the conversation. Over time, security teams risk becoming associated with bad news instead of business enablement. That doesn’t mean avoiding difficult conversations. It means balancing the risks with a clear path forward. Successful security leaders explain what’s at stake, then quickly shift the conversation toward achievable solutions and shared success.

Reframe Security as a Business Partnership

One of the webinar’s central themes is that security shouldn’t position itself as the “department of no.” Instead, security should become a strategic advisor that helps the business move faster and more confidently. That shift starts with changing the story. Rather than making the security team the hero, position the organization as the hero. The security team’s role is to provide guidance, remove obstacles and equip the business to succeed safely.

This collaborative approach changes conversations from: “Here’s everything that’s wrong” to “Here’s how we can reduce risk while supporting our business goals.”

That subtle difference often changes how recommendations are received.

Tailor the Message to Your Audience

Not every stakeholder cares about the same outcome. Executives care about strategic objectives, financial impact and organizational resilience. Middle managers often prioritize uptime, productivity and operational efficiency. Frontline employees usually want to know one thing:

“Will this make my job harder?”

Effective security communication recognizes these differences and adapts accordingly.

For employees, connecting cybersecurity to their personal lives can be surprisingly effective. Teaching someone how to protect their family from phishing attacks or secure their personal accounts often creates habits they naturally bring into the workplace.

For executives, the conversation should stay focused on business priorities instead of technical implementation.

The message stays the same. The language changes.

Simplify Without Oversimplifying

Technical leaders often assume more data makes a stronger case. In reality, too much information can obscure the message. Instead of presenting dozens of charts or pages of metrics, focus on the information decision-makers actually need.

For example, present:

  • The current level of business risk
  • The expected improvement
  • The investment required
  • The business outcome

Simple comparisons often communicate risk more effectively than complex dashboards. The goal isn’t to remove technical rigor. It’s to make the decision easier.

Security Culture Starts With Communication

Organizations often invest heavily in awareness training, policies and technical controls. Those investments matter. But long-term resilience depends on something deeper: trust. Employees need to feel comfortable reporting mistakes. Managers need to see security as a partner instead of a roadblock. Executives need confidence that security investments support broader business objectives. None of that happens through spreadsheets alone. It happens through conversations that connect security work to the organization’s mission.

When security teams tell better stories, they build stronger relationships, earn greater trust and create the executive alignment needed to improve security over time.

Watch the Full Webinar

Changing how you communicate can be just as impactful as changing your technology.

In the on-demand webinar, Stories Over Spreadsheets, Kyle Hauswirth shares practical frameworks for communicating cybersecurity risk to executives, building stronger security cultures and gaining buy-in without relying on technical jargon or fear-based messaging.

Watch the on-demand webinar to learn how better storytelling can help your security program gain the influence it deserves.

About the Author

Share This Story, Choose Your Platform!