From FUD to Clarity: A Personal Reflection on Cybersecurity Risk Communication in the Age of NIS2
By Jason Scanlon
Last week, I attended a cybersecurity conference in Ireland — and I was blown away. The depth of knowledge, the diversity of perspectives, and the calibre of professionals in the room were genuinely inspiring. If I’m honest, they were also a little intimidating. That familiar imposter syndrome crept in: Am I really on par with these people?
But after a few conversations with peers and friends, I was reminded of something important: our industry doesn’t thrive because we all know the same things. It thrives because each of us brings something unique — whether it’s deep technical expertise, strategic thinking, or the ability to translate complex ideas into clear, actionable insights.
One conversation with a mentor stuck with me. We spoke about the need to strip away the FUD (fear, uncertainty, and doubt) that so often clouds cybersecurity discussions, especially in boardrooms. We also talked about the danger of overcomplicating things with jargon or alarmist phrases like “the existential risks of AI.” (I’ll admit, I had to Google that one.)
The Gift of Clear Communication
One of the greatest tools we have as humans is our ability to communicate. Yet in cybersecurity, we often forget that communication isn’t about sounding smart — it’s about being understood.
When discussing business risk, our job is to help directors and executives understand threats and controls in the context of their actual operations. That means clearly explaining what safeguards exist, where the gaps are, and what it all means for the business.
It sounds simple, but it’s rarely done well. Too often, technical teams talk in acronyms and frameworks, while executives tune out or misinterpret the message. Somewhere between “endpoint detection” and “risk register,” the meaning gets lost.
Bridging the Gap Between Controls and Business Impact
We implement frameworks like CIS Controls, deploy EDR tools, and align with standards like NIST CSF, but how often do we connect those actions to business outcomes?
If you’re in the dairy industry, for instance, what does CIS Control 13 (Network Monitoring and Defense, in version 8 of the Controls) mean for your ability to produce and deliver milk on time? How does network segmentation between your corporate network and your plant and distribution systems actually protect your ability to keep trucks moving?
Frameworks are valuable, but they’re only part of the story. Our job is to translate technical controls into business terms, to show how they support continuity, compliance, and customer trust.
NIS2: A Mandate for Better Communication
The new NIS2 Directive raises the stakes. Its governance provisions (Article 20 of Directive (EU) 2022/2555) place direct accountability on the management bodies of in-scope entities: they must approve the organisation’s cybersecurity risk-management measures, oversee their implementation, undergo training themselves, and can be held liable for failures. Cybersecurity governance can no longer be delegated away to the IT department.
For those of us in InfoSec and GRC, this is a clear call to evolve. We must become strategic communicators, professionals who can articulate cyber risk in the language of business risk, resilience, and continuity, not just threats and vulnerabilities.
A Call to Our Community
So here’s my reflection — and my challenge to our industry:
Let’s move beyond FUD. Let’s drop the jargon. Let’s commit to communicating clearly, honestly, and with empathy. Let’s help boards not only understand what we do, but why it matters, in business terms they can act on.
Because when cybersecurity is understood, it stops being a compliance checkbox. It becomes what it should have always been: a strategic enabler of trust, growth, and resilience.
About the Author
Jason Scanlon is the Chief Information Security Officer (CISO) at Numata Business IT, where he leads the company’s information security strategy and governance initiatives. With over 26 years of experience across cybersecurity and IT risk management, Jason is passionate about translating complex technical challenges into clear, actionable insights for business leaders.
He is a strong advocate for fostering a culture of transparency and resilience in the face of evolving cyber threats, and believes that clear communication is the foundation of effective security leadership.