Bank holiday Monday, last week. A day I’d mentally reserved for the garden and the slow, unhurried thinking time that rarely survives contact with a normal working week.
I was pulling weeds. Not thinking about anything in particular, aside from the new dog I’m about to foster. And then, somewhere between the fading bluebells and the back fence, something clicked.
I’d been reading Rachel Botsman’s newsletter over coffee that morning. She’d written about a mistake that she’d made running a board meeting for a conservation project — where she’d pivoted straight from a risk and insurance review into exciting future plans. But the room had just spent two hours in protective mode, and asking them immediately to leap into possibility thinking fell flat.
Her insight was precise — you cannot have a trust conversation directly after a risk conversation. Risk operates in probability. Trust operates in possibility. Moving between them without a deliberate reset doesn’t work — the emotional residue of the risk conversation contaminates everything that follows.
As soon as I read that, I immediately thought — that’s it. That’s the thing I’ve been watching happen in cybersecurity for thirty years without being able to name it precisely.
Botsman was describing a conservation project board meeting. But she’d just given me the exact language for one of the most persistent and most costly failures in cybersecurity leadership. Not a new insight. A newly named one.
And once you can name something, you can change it.
I have a specific memory that comes back to me regularly. A CISO I respect enormously — experienced, credible, technically exceptional — delivering a board presentation that was, by any measure, outstanding.
The threat landscape section was precise and current. The vulnerability assessment was granular. The breach statistics were alarming in exactly the right way. The gap analysis was thorough. By the end of it, every person in that room understood with complete clarity how exposed the organisation was.
The board approved the budget.
The CISO left satisfied.
And nothing changed culturally.
The board didn’t talk about cyber in the corridor. The CEO didn’t make it a leadership priority. The middle managers who needed to change behaviour didn’t feel the urgency. The organisation remained technically better resourced and culturally unchanged.
I’ve watched this happen more times than I can count.
Standing in the garden on Monday I finally understood why.
The CISO had delivered a risk conversation into a room that needed a trust conversation. The board left in protective mode. And the cultural investment that security actually needs — the tone from the top, the confident governance that flows downward through an organisation and shapes behaviour at every level — never arrived.
Not because the CISO was wrong about the threats. Because the emotional climate they created was the wrong one for the outcome they needed.
The risk framing wasn’t wrong. It was necessary. And for years it was the only language that got cybersecurity onto the boardroom agenda, that secured the budget, that made leadership take the threat seriously.
But in today’s AI era, something has shifted.
Too many cybersecurity leaders have become one-trick ponies — defaulting to the same risk and threat conversation regardless of who is in the room, what they need, or what outcome is required. Using the same framing in the boardroom, the CFO’s office, and the security awareness session and hoping for a different result each time.
That’s not a strategy. That’s sheer madness.
The same framing that opened the door is now preventing cybersecurity from moving beyond compliance into genuine organisational resilience. The tool that built the function is now limiting it.
There are three conversations that cyber leaders have more than any others. Each one requires a completely different emotional framing. And most security leaders have been applying the wrong one — not because they’re wrong about the threats, but because they haven’t distinguished between the conversations.
Conversation One — The Board. Governance & Assurance.
This is where the framing error is most costly and most common.
Most cybersecurity leaders walk into the boardroom with a threat landscape briefing. Current attack vectors. Sector-specific incidents. Ransomware statistics. Breach costs. Vulnerability counts. By the end of the short presentation the board is fully informed about how dangerous the world is.
The board leaves in protective mode.
And then — in the corridor, in the next conversation, in the cultural signals they send back down through the organisation — they communicate exactly what they felt in that room. Anxiety. Exposure. The sense that cybersecurity is an endless problem that keeps getting worse and costs more every year.
But here’s what most cybersecurity leaders don’t fully acknowledge. The regular board conversation isn’t primarily a risk briefing. What the board actually needs to know is something quite different from the threat landscape:
- Are we managing cyber risk in a way consistent with our obligations and our risk appetite?
- Do we have confidence that management has this under control?
- Are there material developments — regulatory, geopolitical, technological — that we need to be aware of as a board?
Those are governance and assurance questions. And governance and assurance is fundamentally about confidence — which is closer to trust than it is to risk.
The cybersecurity leader’s job in that room isn’t to put the board into protective mode. It’s to give them the confidence to discharge their governance responsibilities. That’s a possibility framing. That’s trust.
The board doesn’t need to leave the room frightened. It needs to leave the room confident that they are making the right decisions about risk.
Conversation Two — The CFO. Budget & Investment.
This is the conversation where the framing insight changes the approach most dramatically.
Most cybersecurity leaders walk into the CFO meeting leading with risk: Here is what the threat landscape looks like. Here is our exposure. Here is the cost of closing the gap. Here is what a breach would cost us.
It’s a logical approach. But it’s also the wrong one.
When you lead with risk in a budget conversation you’re asking the CFO to approve expenditure to avoid a bad thing. That’s always a harder conversation than asking them to invest in protecting a good thing. You’ve put them in protective mode before the numbers have even arrived. Everything that follows — the investment case, the ROI argument, the strategic rationale — lands in an emotional climate already framed around cost and threat rather than value and possibility.
So lead with trust and possibility instead. For example, here’s what this organisation’s digital capability is worth, what customer trust enables in terms of revenue, regulatory freedom, and competitive advantage, or what cybersecurity makes possible that couldn’t exist without it.
Then, move into the risk and cost conversation. The possibility framing anchors the investment in value before the numbers arrive.
The CFO who feels they’re protecting something valuable funds security differently from the CFO who feels they’re paying to avoid something frightening.
Same numbers. Different emotional climate. Different conversation.
Conversation Three — Employees. Cyber Literacy, Awareness, and Behaviour.
This is the conversation where the instinct to lead with risk is most understandable, and most limiting.
Security awareness programmes have been leading with risk for decades. For example, here is the threat, here is what a phishing email looks like, here is what a breach costs, here is what happens if you click the wrong link.
And for decades behaviour has been stubbornly resistant to change.
Not because employees don’t care. Because fear is one of the least durable drivers of sustained behaviour change. Employees who are frightened of making a mistake don’t report phishing attempts — they hide them. They don’t raise concerns. They comply minimally and privately hope nothing goes wrong. That is the opposite of the psychological safety that makes organisations genuinely resilient.
The fastest way to change behaviour isn’t risk. It’s identity.
This isn’t a new idea in behavioural science. Researchers from BJ Fogg to Dan Ariely have shown that behaviour change attached to identity is significantly more durable than behaviour change driven by fear or motivation alone. James Clear articulates it accessibly in Atomic Habits — the most durable change comes not from outcome-based goals but from identity-based ones. Not “I want to stop clicking phishing links” but “I am someone who protects this organisation.” The behaviour follows the identity.
And in a security context this insight is transformative — because most employees genuinely want to be the person who protects their colleagues, their customers, and their organisation. That identity is available and authentic. It just rarely gets activated because security conversations lead with threat rather than with the person being addressed.
So lead with identity first when you speak to employees.
Get them to see… You are the person whose actions protect everyone around you. Your behaviour matters in a way that no technology can replicate. The security of this organisation doesn’t rest with the CISO or the security team alone. It rests with you — every day, in every decision, in every moment where something feels slightly wrong and you choose to pause and question it. That’s not a small thing. That’s the most important layer of defence we have.
Then introduce risk — not to frighten but to motivate.
Let them know… Here is what we’re up against. Here is why your behaviour matters. Here is what the threat looks like and why it specifically targets the human layer rather than the technical one.
The risk lands differently when it arrives after the identity has been activated. It’s not alarming. It’s galvanising. Because the employee already sees themselves as the person who deals with this.
Then close with possibility and capability.
For example… Here is what you can do. Here is how straightforward it is. Here is the confidence we have in you to do it. The possibility framing closes the loop and reinforces the identity rather than leaving the employee in protective mode.
Identity opens the loop. Risk motivates. Possibility closes it.
The emotional climate you’re trying to create isn’t frightened compliance. It’s empowered ownership.
What This Insight Actually Tells Us
The mistake most cybersecurity leaders make isn’t leading with risk. The mistake is treating risk as the only available framing, as if every conversation, regardless of who’s in the room, requires the same emotional climate.
It doesn’t.
The board needs confidence to govern. So lead with trust. The CFO needs to feel they’re protecting something valuable. So lead with possibility. The employee needs to see themselves as the protector. So lead with identity — then motivate with risk, and close with possibility.
Know which conversation you’re in. Switch register deliberately. The emotional climate you create determines the outcome you get.
These three conversations are where the framing error costs most — in the boardroom, in the budget meeting, and in the security awareness session. But they’re not the only conversations that matter. Your cybersecurity team needs a different register entirely — rigour in operations, possibility in strategy, trust in culture. Business and IT leaders need a shared accountability framing that makes the risk feel like theirs as much as yours. Those conversations deserve their own treatment.
But start here. Get these three right, and the others become significantly easier.
I’ve known this intuitively for thirty years. I’ve seen it in boardrooms, in budget meetings, in security awareness sessions that produced compliance but not culture.
What I didn’t have until a bank holiday Monday in the garden — and a conversation that gave me the precise language to name it — was the ability to say exactly where the problem sits and exactly what to do about it.
Now I do. And so do you.
Now I want to hear from you
Which of these three conversations do you think most cybersecurity leaders get wrong most often — and what would change if they got it right? Tell me in the comments, over on LinkedIn.
