You know cybersecurity matters. You've read the headlines. Maybe you've even allocated budget for new tools or training. But when you sit down with your IT team to talk about security, something gets lost in translation.
They speak in acronyms. You nod along. The conversation ends with both sides feeling like the other doesn't quite get it.
Key insight: The communication gap between executives and IT isn't about intelligence, it's about language. The most effective security leaders are the ones who bridge that gap by asking the right questions, not by pretending to know all the answers.
Here's how to have better security conversations with your IT team, starting today.
The Five Questions That Actually Matter
You don't need to understand every technical detail. You need to understand risk, readiness, and priorities. These five questions will get you there.
1. "What are our top three security risks right now?"
This forces prioritization. If your IT lead can't articulate the top risks in plain language, that's a signal worth paying attention to.
2. "If we were breached tonight, what would our first 24 hours look like?"
This reveals whether an incident response plan exists, and whether anyone has practiced it.
3. "What's the one investment that would reduce our risk the most?"
This gets past wish lists and vendor pitches. You want to know where the biggest gap is and what it would take to close it.
4. "How do we know if something bad is happening right now?"
This tests your detection capabilities. Many SMBs have no monitoring in place, meaning breaches go undetected for weeks or months.
5. "What keeps you up at night?"
This is the human question. It gives your IT team permission to be candid about concerns they might not raise in a formal meeting. Listen carefully to the answer.
What to Stop Saying
Half of bridging the communication gap is knowing what not to say. Here are phrases that shut conversations down.
"Just make sure we're secure."
This is too vague to act on. Security is a spectrum, not a switch. Ask instead what specific risks you should be focused on and what "good enough" looks like for your business.
"Can't we just buy something to fix this?"
Tools are part of the solution, but they're not the whole solution. This question signals that you see security as a purchasing problem rather than an ongoing operational discipline.
"Why do we keep spending money on this if nothing has happened?"
Nothing happened because of the investment. This is like asking why you pay for fire insurance when your building hasn't burned down. It demoralizes the team and undermines the case for continued vigilance.
How to Show You're Engaged (Without Micromanaging)
The goal isn't to become your company's security expert. It's to demonstrate that security has executive attention and support. Here's how:
Make security a recurring agenda item. Add a five-minute security update to your monthly leadership meeting. Consistency signals priority.
Read the reports they send you. If your IT team sends a monthly security summary and you never reference it, they'll stop sending it. Acknowledge the work, even briefly.
Attend one tabletop exercise per year. Nothing demonstrates executive commitment like sitting through a breach simulation with your team. You'll learn more in two hours than in six months of reports.
Ask follow-up questions. When your IT lead mentions a new threat or a completed project, ask what it means for the business. This shows you're paying attention and encourages them to keep you informed.
A Simple Framework for Every Conversation
When you're in a security conversation and feel lost, come back to three questions:
- What's the business impact? Translate every technical issue into dollars, downtime, or reputation risk.
- What's the likelihood? Not every risk is equally urgent. Understand probability, not just possibility.
- What's the plan? Every risk discussion should end with a clear next step and an owner.
This framework keeps conversations productive and ensures both sides walk away with clarity.
Key Takeaways
- Ask the right questions: focus on risk, readiness, and priorities rather than technical details.
- Avoid dismissive phrases: how you talk about security shapes how your team treats it.
- Show up consistently: regular engagement matters more than deep technical knowledge.
- Use the impact-likelihood-plan framework: it keeps every conversation grounded in business terms.
The best security conversations happen when both sides feel heard. Your IT team needs to know you take security seriously. And you need them to communicate in terms you can act on. Meet them halfway.
For more on building productive relationships between executives and security teams, check out Cybersecurity for CEOs.