3.2: The Three Audiences
You don’t have one audience. You have three, they care about different things, and the single biggest translation mistake is writing one deck and reusing it. Same incident, same quarter, same program — three one-pagers. Here’s who they are, what they want, and what lands.
The board
The board is pattern-matching against the other boards they sit on and the risk profile they signed up for when they joined. They want outcomes, material risk, regulatory exposure, and anything that could show up in a public disclosure. They are time-boxed — usually ten to fifteen minutes for security — and they do not care about tools.
What lands:
- Material risk statements with direction and magnitude. “Credential-compromise risk is trending down quarter-over-quarter; here’s the one control change that explains most of it.”
- Regulatory posture, named. “We will be in scope for SEC Rule 10b5-1 4-day disclosure as soon as we’re public. Here’s our state of readiness.” Board members who sit on public-company boards will recognize the reference; the ones who don’t will take the note.
- Peer-benchmarked risk. “Compared to the three companies on this board’s portfolio page, we’re mid-pack on ransomware exposure and bottom-pack on third-party risk.” Boards live in comparisons.
What doesn’t land: tool names, CVE counts, MTTR graphs, maturity-model scores without peer context. The board does not distinguish CrowdStrike from SentinelOne and will be annoyed if forced to.
The CFO
The CFO wants a dollars-per-outcome translation. Not an ROI calculation — those are too fuzzy, and every CFO has seen too many of them — but a clear “what does a dollar of security spend buy, and how does that purchasing power compare to a dollar spent elsewhere?”
What lands:
- Insurance math. “Our carrier’s last renewal cited our MFA coverage and phishing-training cadence as factors holding the premium flat. That’s roughly $180K of premium savings per year against our current program spend.” Premium math is a language CFOs speak.
- Revenue-gate math. “SOC 2 Type II is a required checkbox on 7 of the 9 enterprise deals in pipeline. The report lands in November; the two deals closing in Q4 are contingent.” Revenue contingency is a language CFOs speak.
- Avoided-cost math, specific. “The Colonial Pipeline incident cost ~$4.4M in ransom plus a multi-week operational impact. Our current ransomware recovery posture — tested against the same attack path — would be a 72-hour outage with no ransom payment. We are not at Colonial’s risk level, but the delta is worth the $240K we’re spending on immutable backups.”
What doesn’t land: ROI models with assumption stacks longer than three levels, posture scores, “cyber maturity” frameworks without dollar attachment. If a CFO can’t replicate your math on a napkin, they don’t trust it.
The engineering peers
Your peers — VPE, CTO, infra lead — are the audience you undersell most often. They’re the ones who will decide whether security is a shared cost or a tax. They want to know velocity tradeoffs, shared tooling decisions, and what you’re going to make them do. They do not want a sermon on defense in depth; they already know what defense in depth is.
What lands:
- Velocity framing. “Shifting SAST left costs engineering roughly two hours per week per team, and it saves three hours per week per team by catching things that would otherwise get caught in the security review before ship. Net: one hour back per team per week.” Engineering peers measure velocity.
- Shared-tool economics. “Our EDR vendor also gives us the endpoint inventory you’ve been asking for. If I route it through the EDR console, you get endpoint-asset data without standing up a second tool. The cost is shared.”
- Specific asks with specific bounds. “I need eight hours of senior infra time in January to move break-glass accounts into the new vault. It’s a one-time hit. After that, the monthly cost drops.”
What doesn’t land: “We need to improve our security posture.” Every engineering leader has heard that sentence a hundred times and it is noise. Peers want specifics.
The same incident, three one-pagers
A worked example. The CrowdStrike July 2024 outage hit your Windows fleet; you had a 4-hour operational impact.
For the board (3 bullets): “Vendor concentration risk materialized; 4-hour business impact; mitigation proposal attached — single-vendor dependency for EDR is being diversified across FY25.”
For the CFO (3 bullets): “Direct cost: $X in lost productivity, $Y in recovery time. Indirect cost: zero customer-facing impact, no contractual penalty triggered. Mitigation cost: $Z to add a secondary EDR; break-even against one repeat incident.”
For engineering peers (3 bullets): “Agent-kernel-level vendor failures will happen again. Proposal: canary 10% of the fleet on a secondary EDR, validate dashboard parity, then decide on permanent split. Six hours of your infra team’s time in January.”
Same event. Three framings. One of the three gets filed as strategic, one as cost-responsible, one as collaborative — and none of them get filed as overhead.