The Discernible Blog
The Threshold Moves With Practice
Effective incident response communication isn't built during crises but through consistent, low-level stress exposure long before one arrives. The same neurological principle that makes experienced cave divers more capable under pressure applies directly to security teams. The goal isn't just to survive the big incidents, but to use the smaller ones to move the threshold.
Embracing Morbid Curiosity: What Horror Fans Can Teach Us About Incident Response
Research shows that horror fans demonstrated greater psychological resilience during the COVID-19 pandemic because they had practiced emotional regulation through repeated exposure to frightening scenarios. Security teams can apply the same principle through frequent, varied incident communication drills that build resilience by simulating crisis scenarios in psychologically safe environments.
The Privacy Professional's Influence Starter Kit
No one hands privacy professionals a roadmap for building business influence, but the research and frameworks exist. This starter kit offers curated resources on negotiation, persuasion, and coalition-building — the political skills that turn privacy expertise into business outcomes.
Why Are CISOs Afraid of Power?
I've spent 20 years observing how CISOs struggle to build influence despite their technical expertise, often because they haven't been trained in the coalition-building, executive engagement, and team empowerment that creates political capital. The CISO role is fundamentally political rather than purely technical, yet most security leaders lack the frameworks and support to develop the organizational influence their position requires.
3 Counterproductive Communication Patterns Holding Back Security Researchers
Even technically brilliant security researchers can undermine their own bug bounty success through communication missteps that create adversarial relationships instead of productive partnerships. Here are three common patterns that damage disclosure outcomes and how to avoid them.
Why Security Communication Feels So Hard (And What to Do About It)
Security professionals constantly translate technical risks into business language, yet critical concerns still get deprioritized. Muted group theory explains why this happens and reveals strategic communication approaches that go beyond better translation.
Calling Technology Magic is Bad Communication
Lisa LeVasseur of Internet Safety Labs explains why consent frameworks have failed for digital products, how the industry follows the tobacco playbook of blaming consumers, and what CISOs and privacy executives can do to shift from damage control to proactive product safety advocacy.
Messaging != Communication
Security teams often confuse messaging (the words they choose) with communication (the strategy to drive outcomes), leading to polished presentations that fail to secure budget, templates that don't preserve trust, and awareness campaigns that don't change behavior. Understanding this critical distinction is the difference between security professionals who function as reactive explainers and those who exercise influence.
Why Your Incident Response Should Be Unique
When we gave Discernible Experience participants the same open source supply chain incident to analyze, they produced three completely different (and equally valid) incident communication strategies, each shaped by unique mental models of how companies work. This reveals why communication templates fail: effective incident communication requires an approach that matches who you actually are, not copying someone else's playbook.
The Template Trap
Organizations waste time creating incident communication templates that produce generic, inauthentic responses when security incidents occur. Instead of preparing Mad Libs-style documents, organizations need to build communication infrastructure: pre-established relationships, channel access, clear decision authority, pre-negotiated legal & values-based boundaries, and dedicated monitoring ownership that enable rapid, authentic communication.
Discernible Drills Is Now Discernible Experience
Discernible Experience is a weekly, scenario-based training program. Unlike organizational tabletops that test process readiness, we develop individual communication skills you can practice 365 days a year.
CISO as Super-Facilitator: Elevating Board and C-Suite Security Leadership
How do CISOs elevate board and executive security leadership instead of just reporting to them? Apply the 'super-facilitator' approach to transform your leadership team from audience into collaborators who drive organizational security strategy.
When Ransomware Groups Target Executives: Lessons from Our Latest IR Scenario
One of our Discernible Drills focused on ransomware-driven executive harassment and asked participants to practice three overlooked communication skills: advocating for specific breach notifications over vague legal language, facilitating threat intelligence sharing with competitors for complete attack visibility, and supporting executives facing personal targeting. Participants discovered that transparency and industry coordination reduce risk by providing customers with actionable information and security teams with complete threat intelligence. These approaches require organizations to choose specificity when lawyers recommend vagueness, coordinate even when competitive concerns push isolation, and acknowledge human limits when executives face intense personal pressure.
Beyond Translation: How CISOs Lead When the C-Suite Can’t Decide
When the C-suite stalls on security decisions, accountability rolls downhill while strategic direction never flows down. Learn four communication theory-based strategies that help CISOs lead effectively despite organizational ambiguity and competing priorities.
How to Market Privacy Without Falling Into the Privacy Washing Trap
Privacy washing is costing brands credibility as consumers get better at spotting empty promises like "your privacy is important to us." Marketing and PR professionals can avoid these red flags by turning genuine privacy practices into competitive advantages instead of relying on vague reassurances.
The CISO's Guide to Making the Business Case: How Security Investments Drive Brand Performance
The 2025 Edelman Trust Barometer reveals that brand trust now exceeds institutional trust by 13 points, with 84% of consumers ranking trust equally with cost and quality in purchase decisions. CISOs can leverage this data to reposition security from a cost center to a revenue driver by building data-driven business cases that connect security investments to customer behavior, competitive advantage, and market valuation.
Privacy Needs a Better Story
Privacy professionals who frame their work as "risk reduction" and "compliance" inadvertently position themselves as cost centers rather than strategic business partners. By applying Porter's value chain framework and the communication framing theory, privacy teams can demonstrate how their work directly creates measurable business value through improved operational efficiency, customer engagement, and competitive advantage.
Trust Recovery Starts During the Incident, Not After
Trust recovery starts during the incident, not after. Most organizations approach incidents defensively, treating customers as outsiders to protect from technical details. But your incidents aren't just happening to you — they're also happening to your customers. By withholding context from affected users, you miss opportunities to demonstrate operational maturity and build trust.
Your Team's Communication Isn't Just What You Say – It's Who You Are: Understanding Constitutive Theory
Your team's communication patterns don't just convey information — they actively create your organization's culture, decision-making processes, and operational reality. Security and privacy leaders using this approach build stronger political capital, earn organizational influence, and intentionally design communication patterns that constitute high-performing programs.
How Organizations Sabotage Media Relations by Misunderstanding Security Communications
Organizations commonly mistake security communications for media relations during crises, but this narrow focus actually sabotages the media relationships they're trying to protect by ignoring the internal communications and stakeholder trust-building that determines external credibility. Effective security communications require a comprehensive strategy across all organizational touch points — from customer support interactions to executive messaging — because journalists draw on months of accumulated context about your organization's transparency and competence when incidents occur.