Five security leaders share how they built trust, won buy-in, and stopped leading with fear.
We asked: “I’m a CISO who made the business care about cybersecurity. Ask me anything.”
The Reddit community responded with questions about reporting structures, board conversations, awareness training, insurance conflicts, and how to prove your value when nothing explodes.
Our five AMA guests came with years of experience and a willingness to be candid:
- Richard Marcus, (u/AuditBoard_Rich), CISO, AuditBoard
- Adam Glick, (u/CISOAdam), CISO, PSG Equity
- Joshua Scott, (u/threatrelic), CISO, Hydrolix
- Kathleen Mullin, (u/BoardroomCISO), CISO, My Virtual CISO and Director, The Board of Directors, The SABSA Institute
- Montez Fitzpatrick, (u/Beneficial-Expert635), CISO, Navvis
Here’s what they had to say about getting the business on board.
Start with strategy—not fear

One of the most popular questions: How do you get C-level buy-in without resorting to threat modeling or fear tactics?
Richard Marcus called out the limitations of fear-based framing:
“You really have to be careful about how often you use fear to sell your vision—before you become the boy who cries wolf.”
Instead, his advice was to align security goals directly with business momentum:
“At the C-Suite level, the conversation is almost entirely about the business objective and the investment needed to de-risk security, compliance, and resilience from slowing or halting growth.”
This means translating compliance into customer trust, financial controls into support for growth, and data governance into the backbone of innovation.
Show value—even when nothing breaks

Prevention is a hard sell, and several users asked how to show security’s worth when there’s no breach to point to.
Adam Glick offered a simple way to quantify behind-the-scenes progress:
“Good tracking of projects done with associated criticality and/or priority. Can also do it via risk remediation in plain terms. Risks rated 0–20, with 20 being the riskiest: we remediated this risk which was a 19, etc.”
Pro tip: show your receipts—but in business terms.
Don’t treat insurance forms like checkboxes

As more CISOs are looped into insurance decisions, the fine print has become a landmine.
Kathleen Mullin warned that inaccurate or incomplete self-assessments can backfire:
“Frequently, the forms that are provided do not afford the space to document exceptions or explain controls. Add that information… to avoid paying for insurance and then not being covered.”
If the insurer discovers gaps between your documentation and your reality, she said, “they are under no obligation to pay.”
Soft skills win the room

Montez Fitzpatrick added that technical credibility alone won’t get you invited to the table:
“At some point when you are on track to that executive/senior leadership level, there is a lot more to managing the relationship than just the technical stuff.”
“It might seem obvious, but that ‘playing the game’ aspect cannot be underestimated… I sure don’t like it, but that doesn’t matter. It is important.”
Awareness training doesn’t have to be awful

Plenty of CISOs in the thread talked about how to improve awareness training—and more importantly, how to get people to care.
Joshua Scott keeps it simple:
“Monthly awareness material that takes less than 5 minutes to read is more effective.”
Richard Marcus emphasized relevance over razzle-dazzle:
“Interactive is good, but applicable is best… Customizing the content with examples of real threats your employees are actually being targeted with—and tying it to the ‘so what’—makes it much more engaging.”
Delegate early. Sleep often.
Several CISOs shared what they wish they’d learned sooner in their leadership journey. Richard Marcus said he’d start with rest and realism:
“Take care of your health and make sure to get enough sleep. There is a clear point at which more effort becomes counterproductive.”
“When I do a retro on failed initiatives, I usually find I overestimated my own capacity or tried to control too much directly when I could have leveraged more partnerships.”
It’s not just about controls—it’s about context
When asked how CISOs can prepare the next generation of leaders, Richard had a clear take:
“You need to have staff who add business value, but also build trust and continue to be invited back to the table.”
In other words, technical aptitude is just the starting point. Business alignment—and interpersonal fluency—are what sustain influence over time.
From security lead to resilience partner
Finally, is security still seen as an afterthought? That’s changing, Richard said:
“I’m seeing a really healthy trend in awareness amongst boards and exec teams… CISOs are finding themselves in more strategic conversations—not just focused on security, but business resilience more generally.”
The conversations are still evolving—but the door is open.
Final takeaways
Getting the business to care about security isn’t about magic slides, polished dashboards, or “cyber doom.” It’s about translation, trust, and timing. These CISOs have learned how to do more than raise the alarm—they’ve learned how to tie security to value, build internal allies, and keep the business moving.
If you’re working toward the same, their advice is clear: Learn the business. Play the long game. And don’t forget to sleep.
Join us for our next Reddit AMA starting Sunday, September 21. The topic will be “I’m a security professional who had to clean up a mess. Ask Me Anything.”