Mike Coogan: How to Embed Cybersecurity Into Executive Decision-Making

Cybersecurity has a communication problem at the executive level, and the people creating it are usually the security leaders themselves. Walking into a boardroom with technical threat language, phishing statistics, and AI deepfake scenarios might create a sense of urgency, but it does not create partnership. It creates anxiety without direction, and anxious executives do not make better security decisions. They make faster ones. 

Mike Coogan, an experienced chief information security officer (CISO) with expertise in enterprise security leadership, has a precise view of what actually moves organizations, and fear is not on the list. “You need to abstract the technical pieces out and just say this is an issue, here is how we are dealing with it,” Coogan states. “That is what builds trust. That is what builds partnership.”

Stop Using Fear. Start Speaking Business

The communication framework for executives is to acknowledge the issue, reference where it might have been encountered, confirm the team is aware of and actively addressing it, and commit to returning if additional resources are needed. What does not work is technical language designed to convey seriousness through complexity. Executives do not need to understand the mechanics of a threat, particularly if neither the Board nor the CISO can do anything about it. What they need is the business impact made clear and a credible signal that the right people are managing it.

Credibility with executives is built by inserting security into business planning early – before decisions are made, not after they are implemented. When a business has an imperative to move quickly, cybersecurity needs to be part of the conversation from the start. The alternative is becoming a barrier at the back end: the team saying “stop” after everyone has already committed. 

AI adoption illustrates the point. Refusing to use AI is not a viable option for any competitive organization. The conversation worth having is not about whether to proceed, but about how to weigh the business risk of doing something against the business risk of not doing it. That is the level at which security adds genuine strategic value.

The Seat at the Table Comes With Accountability

CISOs have spent years advocating for a seat at the executive table. What some have not fully absorbed is that the seat comes with the same accountability structure as every other corporate officer role. If a CFO projects 50%–100% sales growth and finishes the year at 3%, that is a legitimate accountability conversation. The CISO role is no different. “You don’t get to claim the power and the trappings of a corporate officer and then choose not to be accountable when decisions go wrong,” Coogan reflects. “Go be a manager of information security if you want to avoid that. If you want a seat at the table, this is what it takes.”

When negotiating a compensation package, CISOs must secure directors and officers (D&O) insurance and retain personal legal counsel separate from the company’s general counsel, who legally represents the company, not the individual. CEOs already do this routinely. The CISO should not accept corporate officer accountability without the protections corporate officers rely on when things go sideways.

If You Do Not Enable AI, Shadow AI Will Decide for You

Every team is quietly adopting AI tools regardless of what the organizational policy says. The leaders who respond to that reality with restriction are not preventing AI adoption; they are ensuring it happens without governance, without contractual protections, and without any visibility into what data is being sent to third parties. “If you don’t give people a way to do things rationally and safely,” Coogan notes, “they will go do shadow whatever it is.”

The correct governance approach is to establish clear organizational policies on what data is acceptable to share externally, ensure contractual provisions are in place, and provide employees with education and sanctioned tools. Leaders who understand AI, embrace it, and enable it within appropriate boundaries give their organizations a structural advantage over competitors still treating it as a threat to manage. 

Distributing accountability does not solve this; it eliminates accountability altogether. If everyone in an organization owns cybersecurity decisions, no one does. The designated individual with the title, the accountability, and the liability is not a legacy organizational structure. It is the only structure in which accountability is real.
