Inside the episode: What I learned from speaking with Nisha Patel
I recently had the pleasure of sitting down with Nisha Patel, CISO at Ocorian, for the latest episode of the Communicating Cyber series. Nisha brings over two decades of experience in cyber security, network architecture, and digital transformation, and our conversation highlighted several crucial aspects of effective cyber security communication. It was a thoughtful, reflective chat that underscored the importance of being human, honest, and relatable when discussing what can often be a complex and intimidating topic.
Here are some of my personal reflections and key takeaways from our chat.
From engineer to CISO: building technical credibility
Nisha’s journey to becoming a CISO is a familiar one to many in our field: starting from the help desk, moving through network and server engineering, then into architecture and delivery before landing in a CISO role. What struck me was the sheer variety of organisations she’s worked with – public sector, private sector, food, transport, and financial services. This diverse background, particularly her hands-on technical experience, has clearly been a massive asset.
As Nisha put it, coming from an engineering background “helps when you can relate to the teams that are actually doing the work on the ground, being able to help when there’s an incident, being able to understand the technical side of it.” This technical grounding provides instant credibility, which is invaluable when building trust with both technical teams and, crucially, the board. It allows a CISO to truly understand the operational realities and then translate those technical nuances into clear, reassuring messages for senior leadership.
Tailoring the message: speaking every language
One of the deepest dives we took was into the art of tailoring messages for different audiences. Nisha articulated this perfectly, explaining that her approach varies considerably depending on who she’s talking to. For end-users, it’s about making security personal and relatable. When users question the need for constant training, Nisha brings it back to real-world scenarios: “If you click on this phishing email, how does it actually relate to an incident that could potentially happen and could impact the business?” She emphasised the importance of connecting individual actions to broader business impacts, making the abstract threat of a phishing email tangible by linking it to a concrete consequence such as a network shutdown.
This “making it real” approach resonates deeply with me. Cyber security isn’t like physical security, where you can just glance at a door to see if it’s locked. Digital threats are often invisible until it’s too late. Bringing them to life, making them concrete for people, is absolutely essential.
For the board, the conversation shifts to investment and strategic alignment. Nisha focuses on how security investments enable business objectives. “When you’re talking to the board, it’s about how the investment in this area will help protect us in an area which they might want to move into. For example, you know, everyone wants to move into the automation space. So actually, how do we invest in the right spaces, allow the business to do what they want to do?” This approach frames cyber security not as a cost centre or a blocker, but as an enabler of business growth and innovation.
The problem with fear: clarity over FUD
We often see fear-based narratives, or FUD (fear, uncertainty, and doubt), in the cyber security industry. I’m personally not a fan, and it was reassuring to hear Nisha echo this sentiment. She firmly stated, “I’ve never used FUD during my time as a CISO, even through my security career. I think it probably causes the wrong behaviours.”
Nisha’s reasoning is compelling: once you start down the FUD path, it’s hard to stop. It can become a vicious cycle, undermining long-term engagement and trust. Instead, she advocates for making impacts as real as possible without resorting to scare tactics. This involves focusing on how an incident would specifically affect Ocorian, its clients, and their data. She also draws on relevant news stories from similar industries or companies, abstracting the principles of what happened and how they could apply to her organisation. For example, she discusses retail sector incidents to highlight broader weaknesses, such as those in credential-reset processes, even though Ocorian isn’t in retail. It’s about learning from others’ misfortunes to strengthen your own defences, rather than pointing fingers or instilling panic.
Learning from incidents: the power of the pre-mortem
Nisha shared a particularly insightful example of how she secured funding for a security improvement by framing the discussion around a potential ransomware incident. Instead of presenting a complex risk matrix, she quantified the potential impact in terms of daily income loss and the recovery time objective (RTO). “I find out what our income is per day, and if we were to suffer this incident, what is the impact of that to the business? How long is it going to take me to get the business back up and running? What’s our cyber RTO?”
This proactive “pre-mortem” approach, where you analyse what an incident would look like before it happens, proved highly effective. The CFO approved the spend, and a few weeks later a major retail sector incident occurred, validating the decision to invest. It was a powerful moment of relief and affirmation.
What stood out here was the collaborative spirit. Nisha didn’t sit in an “ivory tower” – she engaged with her finance colleagues to get the necessary figures, making the business case robust and undeniable. This cross-functional collaboration is vital, as cyber security is truly a team sport. If an incident were to occur, it would involve everyone from business leads to client communications, not just the security team in isolation.
Exercises as continuous improvement
Beyond securing initial investment, Nisha emphasised the importance of continuous testing and improvement. After implementing new capabilities, Ocorian conducts red team events and tabletop exercises. These aren’t just tick-box activities; they’re opportunities to “paint that picture end to end,” testing playbooks, plans, and team response. They confirm that new tools and processes actually work in practice and that the team knows how to respond.
This closing of the loop – from identifying risk to implementing solutions to continuously testing and refining – is a sign of a truly mature cyber security programme. It ensures that investments are worthwhile and that the organisation is genuinely more resilient. It’s also a fantastic training opportunity, embedding the necessary skills and understanding across the team.
Making security fun: creative communication channels
One of the most engaging parts of our conversation revolved around innovative communication. Nisha recounted creating a series of fun videos for a leadership summit, tackling topics like phishing and physical security with humour. They even incorporated simulated phishing campaigns targeting EXCO members, carefully and respectfully, to illustrate the real-world impact.
“We played the journey again through videos for a bit of fun, a little bit of humour,” Nisha explained. “It landed and actually everyone came away thinking: I get it, I understand why it’s so important.” The initiative led to a significant increase in self-reported suspicious emails, demonstrating how human, relatable, and even humorous approaches can be far more effective than dry training modules or newsletters. The key was not to “beat anyone up” but to foster a culture where everyone understood that mistakes happen, and that the goal is collective awareness and resilience.
The most human part of being a CISO: acknowledging fallibility
I asked Nisha what the most surprising part of being a CISO is. Her answer resonated deeply: “I think people think that I won’t make mistakes and actually I’m not human.” She joked about never letting her laptop out of sight, because the expectation is that a CISO, of all people, can’t afford to make even a small mistake, like losing a laptop.
It’s a powerful reminder that CISOs, despite their critical role, are human too. We all make mistakes, and fostering an environment where acknowledging those mistakes leads to learning, rather than shame, is crucial for everyone, from the most senior leader to the newest recruit.
The power of collaboration
Finally, I asked Nisha for one word to summarise what the cyber industry needs more of. Her answer was immediate: collaboration.
She highlighted the increasing trend of cyber leaders coming together, especially in the wake of significant industry attacks, to openly share information and approaches. While competitive pressures exist, Nisha rightly pointed out that “we’re the good guys and we’re fighting the bad guys,” making collaboration on threats and effective strategies a shared imperative. This series, Communicating Cyber, is built on that very principle: sharing what works to help everyone up their game.
In summary, our conversation reinforced three critical pillars of effective cyber security communication:
- Tailor your message: Understand your audience and relate security to their day-to-day roles and strategic objectives.
- Leverage exercises: Use drills, tabletop exercises, and red team events not just for assurance, but as powerful tools for risk understanding, communication, and continuous improvement.
- Be human: Ditch the FUD, embrace transparency, and remember that everyone, including the CISO, is fallible. Satisfy curiosity and explain the ‘why’ behind security measures.
It’s clear that the days of security being isolated in the basement are long gone. Cyber security is everyone’s responsibility, and fostering open, honest, and human dialogue is key to building resilient organisations.