← Back to Library

Cybersecurity has a communication problem

Ross Haleliuk · Venture in Security · ·14 min read
Commentary by Hex Index staff

Ross Haleliuk makes a provocative claim that cuts through the noise of the industry: cybersecurity isn't failing because of a lack of technology, but because of a fundamental inability to speak a common language. While most analysis focuses on the sophistication of threats or the volume of breaches, Haleliuk argues that the entire ecosystem—vendors, practitioners, and executives—is paralyzed by jargon and a failure to translate risk into business reality. This is not just a critique of marketing; it is an indictment of how the industry sells its own value to the people who pay the bills.

The Vendor Fog

Haleliuk begins by dismantling the assumption that the market is simply oversaturated. He observes that security vendors are "notorious for a lack of clarity and for overcomplicating their value proposition." Instead of answering the basic question of what problem they solve, founders and sales teams default to pitching features like "AI agents, ML engines, behavior analytics, and similar, without grounding any of it in customer pain." The result is a market where buyers feel overwhelmed not by a lack of options, but by a sea of indistinguishable noise.

Cybersecurity has a communication problem

The author argues that this confusion is self-inflicted. "The problem isn't that there are too many vendors, the problem is that most vendors all look alike because they can't communicate what makes them different." This is a sharp observation that shifts the blame from market dynamics to communication strategy. When startups fail to map their capabilities to operational realities—like reducing alert fatigue or enabling faster audits—they lose deals regardless of their technical merit. Critics might argue that the complexity of the threat landscape inherently requires complex solutions, making simple messaging impossible. However, Haleliuk counters that the failure lies in the translation, not the technology itself.

"Most security startups would probably describe as a marketing problem, I see as a communication problem."

The Language Barrier Inside the Enterprise

The commentary then pivots to the internal struggle, where security professionals struggle to explain their work to the C-suite. Haleliuk draws a powerful analogy to medicine: just as we expect doctors to explain health issues in plain English rather than Latin, we should expect security leaders to explain risk in terms of revenue, reputation, and operations, not kernel vulnerabilities. "Business leaders care about how security risks can impact their revenue, customers, reputation, or operations... and not about which ransomware family is exploiting which kernel vulnerability."

This reframing is crucial. It suggests that the disconnect isn't due to a lack of care from executives, but a lack of relevance in the data presented to them. When CISOs present dashboards filled with blocked attacks and compliance scores, they are speaking a language that often fails to connect to the board's primary concerns: shareholder value and market share. "Leaders can't support what they don't understand, and they won't invest in what they don't trust." The author notes that while the advice to "speak business" is common, the execution is where the industry fails, requiring deep relationship-building rather than generic platitudes.

From Fear to "Data Care"

Perhaps the most distinctive part of Haleliuk's argument is the proposal to rebrand the entire industry's approach to the public. He points out that the term "cybersecurity" has become abstract and fear-inducing, often conjuring images of "hackers in hoodies" rather than tangible risks. Citing Cyndi and Ron Gula, he suggests replacing the term with "data care."

The logic here is that "data care" is neutral and easily understood, stripping away the negative connotations of policing and surveillance that can alienate certain communities. "The concept of data care is simple: we need to get people and organizations to take responsibility for the care of their data since data is what we want to have confidentiality, integrity, and availability of." This shift mirrors the evolution of healthcare, where patients are empowered to make decisions about their well-being rather than being passive recipients of orders. By expecting everyone to become a "security engineer," the industry sets itself up for failure; instead, we should teach people to take care of their own digital hygiene.

"Humans make sense of the world through stories. They remember narratives, not dashboards, and they start to care when something feels personal, not when someone in a suit talks about some abstract probabilities or risk quantification."

The Power of Storytelling

Haleliuk concludes that clarity is merely the prerequisite, but storytelling is the engine of change. He argues that statistics and acronyms fail to move people. "Telling the board that the organization has a '3% phishing click rate' doesn't create urgency, but telling them about an employee who clicked a fake invoice, how attackers almost got access to the company's financial systems, and how close the business came to losing millions makes the risk tangible." This distinction between abstract data and human narrative is the piece's strongest takeaway. It suggests that the future of security leadership depends less on technical prowess and more on the ability to craft a compelling story that resonates with human experience.

Bottom Line

Haleliuk's argument is a necessary corrective to an industry obsessed with technical specs and threat vectors, correctly identifying that the biggest bottleneck to security investment is a failure of translation. While the suggestion to rebrand as "data care" may face resistance from traditionalists, the core thesis—that risk must be framed as a business narrative rather than a technical report—is undeniable. The industry's next evolution will depend not on better firewalls, but on better storytellers.

"The disconnect here isn't because those outside of security don't care about details, but because many don't see these details as relevant."

The strongest part of this argument is the reframing of the vendor and practitioner problem as a communication failure rather than a product failure. Its biggest vulnerability is the assumption that business leaders are willing to engage with security narratives if they are told simply; in reality, the distraction of daily operations often overrides even the clearest communication. Readers should watch for whether the industry actually adopts this storytelling approach or continues to drown in buzzwords.

Sources

Cybersecurity has a communication problem

by Ross Haleliuk · Venture in Security · Read full article

If you ask most CISOs what they think of how security companies talk about what they do, they’ll tell you that startups are absolutely terrible at communication (and they’d be right). But, if you flip the question and ask others what it’s like working with security teams, you’ll hear a similar complaint, that security professionals and leaders are often just as bad at communicating with those around them. It’s not that founders or CISOs are trying to be difficult, it’s that cybersecurity has a communication problem. That’s what this piece is about.

This issue is brought to you by… Maze.

See What Really Matters: Maze’s AI Agents Triage Vulnerabilities for YouSecurity teams spend countless hours chasing vulnerabilities - most of which will never be exploited. A recent Maze case study on CVE‑2025‑27363 shows how our AI Agents investigate vulnerabilities like an expert human would to confirm if an issue is exploitable in your environment. If it’s irrelevant, it stays low priority. If it's actionable risk, it gets flagged fast.That means less false positives, efficient remediation, and smarter security posture—without the usual guesswork.

Security is, among other things, a communication problem.

When most people think about cybersecurity, they think about exploits, adversaries, threat intelligence, frameworks, and compliance standards, among many things. All this isn’t wrong, and security indeed comes with many layers and facets, all of which are very important. What I think gets forgotten is that, among many other things, security is fundamentally a communication problem.

Think this way: collectively, companies are spending billions of dollars every year, but most executives, boards, customers, and sometimes even security buyers struggle to understand what they’re getting for the money they’re spending. CISOs have to invest a lot of effort to get funding for important security initiatives because those who decide where budgets get allocated, oftentimes, simply don’t understand why they should care. On their part, security vendors are drowning in buzzwords and four-letter abbreviations, and buyers have no idea what value most companies offer (not necessarily because they aren’t valuable, but because they struggle to communicate that value). To make it worse, while every security person is used to seeing threats and attacks everywhere, most people outside of our industry are literally clueless about how big of a problem cybersecurity has become.

It’s important to be clear that all these problems aren’t due to the lack of trying. There is a growing ...