At this year’s Jisc Security Conference in Manchester, we hosted a 40-minute community hub conversation exploring how senior leaders understand cyber security and what helps meaningful dialogue take place. Twenty-eight colleagues from across further and higher education joined us, representing a mix of senior leaders, operational staff and cyber specialists.
Across four discussion prompts, participants reflected on what works in their institutions and where conversations with senior leaders can succeed or stall.
How senior leaders understand cyber
Participants agreed that awareness among senior leaders has grown, partly due to the coverage of high-profile incidents in the media such as the Marks & Spencer ransomware attack earlier this year. Cyber is increasingly viewed as an organisational risk rather than simply an IT concern. Many leaders now recognise the importance of educating staff and students and are asking more informed questions.
However, understanding varies. It was noted that some leaders may overestimate their own understanding of cyber. Others still see cyber as a technical problem for technical teams. One participant commented that cyber can sometimes be thought of as a “money pit”.
Overall, participants felt that senior leaders understand more than they used to, but this understanding is uneven and strongly shaped by individual experience.
Barriers that make communication harder
When we moved to the barriers, experiences aligned more clearly.
Access was a common challenge. Some participants find it difficult to reach senior leaders because of organisational gatekeeping. Others explained that cyber often appears as a short item on a busy agenda, which limits the chance to discuss complex issues or build shared understanding.
Language also plays a role. Specialist terminology can make conversations difficult to interpret, especially when senior leaders have limited domain knowledge.
Participants warned against constant “doomsday” framing
Tone came up several times. Describing the worst possible scenario may capture attention once, but over time it can lose impact. One attendee said that constant “doomsday” framing becomes background noise, which prompted a useful discussion about balance and clarity.
Participants also noted the lack of benchmarking data which makes it difficult for institutions to judge their progress or understand how they compare with others when making a case to leadership.
What helps messages land
Participants shared a wide range of practical tactics that help cyber messages resonate with senior leaders.
The value of telling stories and using analogy was discussed. Relatable examples help shift attention from technical detail to the real-world impact on students and staff. Others focused on knowing their audience and adjusting language to match. Using the language of risk rather than technical terminology and linking cyber to institutional strategy proved especially effective.
Relationships mattered too. Participants mentioned befriending the gatekeepers, finding allies in meetings and securing a senior sponsor who can reinforce messages. Some shared practical approaches that support clarity, including the use of the Amazon-style six-page review, drawing parallels with health and safety, listing risks and backing up claims with data.
Conversation notes from one of the tables
Reporting successes was another helpful tactic. Positive stories help build confidence and show progress, which can make future conversations easier.
The overall message was that cyber conversations improve when they reflect the interests and priorities of senior leaders and when examples feel relevant to their context.
What support the sector needs for better cyber conversations
When asked what would help strengthen conversations with senior leaders, participants naturally identified areas where Jisc could support the sector. These included more in-depth reports aligned with the academic year and clearer benchmarking data.
Several participants also described resources they already draw on, such as the NCSC Cyber Security toolkit for boards and James Bisset’s “Hitch-hacker’s Guide to the Galaxy” Jisc blog series, written to help non-specialist executive leaders develop a clearer roadmap for cyber security assurance. A greater Jisc cyber presence at senior leadership events was suggested as another way to support these conversations.
Alongside these specific ideas, the discussion also pointed to wider needs within institutions.
Participants noted that more structured time with senior leaders would make a difference. Cyber often shares the agenda with many competing priorities and is sometimes compressed into short updates. Dedicated risk discussions, regular digital resilience updates or pre-meeting briefings could help embed cyber more firmly in strategic thinking.
There was a desire for clearer roles and shared accountability. Some senior leaders still see cyber as something owned by technical teams. Participants felt that more explicit expectations for leaders and managers, similar to health and safety responsibilities, could encourage a more collective approach.
Several attendees highlighted the need for better internal communication pathways. Gatekeeping, unclear lines of communication and limited opportunities to build relationships can make it difficult for messages to land. More open channels and regular check-ins would help.
Finally, there was interest in developing stronger internal data and narratives. Clearer descriptions of what good looks like could give senior leaders more confidence and context. This would also support a shift towards more constructive and enabling conversations about cyber rather than relying on fear-based messaging.
Together, these insights suggest that while external support is valuable, many conditions for better cyber conversations are cultural and organisational. Creating space for dialogue, building shared understanding and developing consistent language across teams is seen as crucial.
Images: Rosie Hare (Jisc)
Further resources:
16 questions you need to ask to assess your cyber security posture (PDF)
