Lost in translation: why security leaders struggle to get the buy-in they've earned
You walk into the boardroom with a clear picture of where the organization is exposed. You've done the work. You know what's at stake. You're prepared.
Twenty minutes later, the CFO is checking messages under the table, the CEO has pivoted to a revenue question, and the budget you needed comes back trimmed by a third.
You didn't lose the room because the risk isn't real. You lost it because the language didn't connect.
The gap between what security teams measure and what executives act on isn't a technical problem. It's a translation problem — and it's costing organizations more than they realize.
Two audiences operating on different frequencies
Security professionals are trained to think in threat vectors, exposure windows, and control frameworks. That precision is what makes them exceptional at their jobs. But precision in the wrong language is just noise to the person who needs to authorize the investment.
Boards and executive teams think in risk, revenue continuity, competitive positioning, and fiduciary exposure. They are not indifferent to security — they are deeply invested in outcomes. What they lack is a translator.
When security leaders present in technical terms to a business audience, they don't just fail to communicate — they inadvertently reinforce the idea that security is an IT cost center rather than a strategic business function. That framing has real budget consequences.
The same facts. A completely different conversation.
The translation gap isn't about dumbing things down. It's about reframing accurate information in the terms that drive executive decision-making. Consider the difference:
| How we say it | What the board actually needs to hear |
|---|---|
| We're seeing increased adversarial use of AI in phishing campaigns | Deceptive emails targeting our employees have become markedly more convincing. The breach that follows a single successful account compromise costs an average of $4.5M industry-wide. |
| Our vulnerability remediation SLA is 14 days for critical findings | We close the window of exposure on our most dangerous weaknesses within two weeks. Because some flaws are now exploited within hours of disclosure, we also fast-track the subset that can't wait that long. |
| We've implemented zero trust network segmentation | We've restructured our environment so that a single breach can no longer move laterally and take down the whole business — the way NotPetya cost Maersk $300M in ten days. |
| We need to fund an AI-augmented SOC capability | Attackers are now finding and exploiting vulnerabilities in hours, not months. Our current detection capability operates on a timeline that no longer matches the threat. This investment closes that gap. |
| We completed a third-party risk assessment of our top 20 vendors | We reviewed the outside organizations with the deepest access to our systems. Three carried risk we weren't comfortable with — we've addressed two and are negotiating with the third. |
| Our mean time to detect is 48 hours | On average, we identify an active threat within two days. Every hour of undetected intrusion increases breach cost by an estimated $75K. We have a roadmap to cut that window in half. |
| We've deployed EDR across 94% of endpoints | Nearly all of our devices now have the ability to detect and contain an attack in real time. The remaining 6% are our highest-priority remediation item this quarter. |
| AI is expanding our attack surface through shadow model usage | Employees are using AI tools outside our approved stack — sharing sensitive data with systems we don't control, can't audit, and can't protect. We need a policy decision from this room. |
Nothing in the right column is fabricated or overstated. Every reframe is grounded in the same operational reality as the technical version. The difference is whether the board walks out understanding why it matters to them.
Why this gap has widened
Three forces have made this communication problem structurally worse over the past decade:
- The attack surface expanded faster than organizational communication norms. Security teams grew in technical sophistication while boardroom expectations remained anchored to compliance checkboxes.
- Security metrics were designed to measure technical performance, not business impact. MTTD and patch SLAs are operationally meaningful. They are not boardroom currency.
- AI has compressed the timeline from disclosure to exploitation. Threat actors who once needed months to operationalize a vulnerability can now need hours. The urgency is real, but it only lands if it's expressed in terms of business disruption, not CVE counts.
The organizations getting this right aren't just better protected. They're making faster decisions, allocating capital more precisely, and treating security as a competitive variable — not a tax.
A playbook for closing the gap
Lead with what was protected, not what was done.
Boards don't need a status report on security activities. They need to understand what exposure existed, what was done about it, and what would have happened otherwise. Reframe every update around business outcomes, not operational inputs.
Translate risk into dollars — and be specific.
Executives fluent in finance respond immediately when risk is quantified. NotPetya cost Maersk over $300 million in ten days. The average cost of a ransomware incident now exceeds $4.5 million when downtime, remediation, and reputational impact are included. Attach numbers to your risks — even conservative, defensible estimates beat abstraction every time.
Structure every update as: Risk. Timeline. Ask.
Board-level security communication should answer three questions cleanly: What is the risk and what does it cost the business if it materializes? When is this relevant — is this a current exposure or an emerging one? And what decision do you need from this room? This structure respects their time and positions them as decision-makers rather than an audience.
Name what AI is changing — specifically.
AI is not a future threat. Adversarial use of AI in phishing, vulnerability discovery, and social engineering is measurable and current. When you surface AI-specific risk to a board, anchor it to business scenarios they can visualize: an employee pasting sensitive data into an unsanctioned AI tool, a deepfake voice call authorizing a wire transfer, an AI-written email with none of the tells your filters and your people were trained to catch. Make it concrete.
Turn compliance into competitive positioning.
Compliance framed as overhead is overhead. Compliance framed as the reason you can operate in regulated markets your competitors cannot is a revenue conversation. The underlying fact is the same. The strategic implication is entirely different — and boards respond to it accordingly.
The bigger stakes
This communication gap isn't just a professional frustration for security leaders. It has direct and measurable consequences for organizational resilience. When boards don't understand risk in business terms, they underinvest. When they underinvest, organizations are exposed in ways that are entirely preventable. And when a breach occurs — and at current threat velocity, the question is increasingly when, not if — the post-mortem almost always reveals the same story: the security team knew, raised the issue, and couldn't get traction.
That is a failure of translation. Not expertise.
The most effective security leaders today are functionally bilingual. They are fluent in the technical language of threat and equally fluent in the business language of risk, capital allocation, and competitive consequence. They understand that a board briefing is not a status update. It is a persuasion exercise built on credibility — and it requires a different vocabulary than the one that makes you effective in a threat operations center.
The bottom line
If you want the budget, the organizational alignment, and the executive partnership your program requires — particularly as AI reshapes both what attackers can do and what defenders must do in response — you have to close the language gap.
Not by softening what you know. By translating it into what they need to hear.
The board conversation security demands right now isn't about patch cycles and threat feeds. It's about business continuity, fiduciary exposure, and the compounding cost of being wrong.
Speak that language — and the room changes.