Inside the episode
What I learned from speaking with Tim Grieveson
I recently sat down with Tim Grieveson, Chief Security Officer at Things Recon, for an episode of Communicating Cyber - the series where cyber security leaders go beyond the jargon to share stories, strategies and lessons from the real world.
Tim’s track record speaks for itself. With over 25 years in technology and cyber security, he’s led security for organisations across sectors and continents. He’s held senior roles at companies like AVEVA (the software division of Schneider Electric), BitSight and others, managing multi-million-pound budgets and large, complex teams.
But what stood out in our conversation wasn’t just the experience - it was his clarity and people-first approach. Tim’s known as the “Chief Storytelling Officer”, and it’s easy to see why. He doesn’t just talk about controls and frameworks. He talks about people, outcomes and value. He makes cyber security something everyone can engage with, not just the security team.
It’s not just about the technology anymore
“One of the things I realised as my career developed over the last 25 years is it’s not just about the technology anymore. The security leader’s role has really evolved and changed.
“Part of that is about developing the strategy for the organisation. But, importantly, it’s about being able to communicate that, enable the strategy and demonstrate ROI to the business.
“Speaking to boards and executives around the world made me realise it’s less about the tech, and much more about people and communication - the language you use to get executive buy-in.”
The storytelling playbook
Tim shared the core approach he’s developed over time - a playbook of sorts - for gaining buy-in through communication and storytelling.
Align to business outcomes
“When you’re creating your cyber security strategy, it’s not technology or controls for control’s sake. It must achieve something the business is trying to do - whether that’s growing the business, protecting customer data, or breaking into new markets. Align your strategy to those outcomes.”
Use language the business understands
“Use financial terms - EBIT, contribution, margin. And use the language of risk that the business understands.
“Do they have a risk appetite or a tolerance for certain risks? If not, help them define it. Many organisations I’ve worked with didn’t have a clear appetite for risk or didn’t understand what one looked like. Helping to mature that thinking is really valuable.”
Make it relevant
“Use industry stories, facts, figures and impact. The media does a good job describing big incidents and breaches. Relate those to your business and how it operates. That makes it easier for people to understand the potential consequences.”
Use metrics that matter
“Visualise things. Use metrics the business cares about. Don’t talk about speeds, feeds, or how many patches you’ve deployed - it doesn’t mean anything to most of them.
“What’s relevant is saying, for example: this production system was offline for two hours, and that cost us £1.5 million. That’s the kind of impact they can grasp.”
Seek feedback and build culture
“Talk to your supporters - but also to those who don’t agree with you. Valuable feedback comes from all sides.
“Use it to build a sense of belonging and foster a security culture. Security isn’t just the CISO’s problem - it’s everybody’s.”
Make it values-driven
“If the company has defined values, link your security programme to them.
“At BitSight, our values were humility, integrity, community and curiosity. They resonated with me as a security professional, and I used them to guide how we delivered the programme. That helped people connect with the work and made it easier to get support.”
Lessons from mistakes
Like many of us, Tim learned some of his most powerful lessons through early missteps.
“In my early career, yes - I made mistakes. One of the biggest was going into a board meeting and leading with a technology strategy.
“We thought it would land well - it was a tech business after all. But the board wasn’t tech-savvy. They cared about sales, margin, and growth.
“It didn’t resonate. But that became a learning curve. I went back, reworked the message, and this time I tailored it around business value. That changed everything.”
He now always pre-engages before big meetings.
“Speak to them in advance. Get feedback ahead of time so that when you present to the board, you’ve already got supporters in the room. That makes a huge difference.”
Turning ‘no’ into ‘yes’
Security is often seen as the department of ‘no’. Tim’s approach is to change that narrative.
“Typically, security is seen as the team that says no - you can’t do this, you can’t do that.
“The way I try to approach it is: how do we turn that no into a yes? We enable people to do what they need to do, but in a secure way. That might mean applying a framework, control or standard - but it’s about enabling the business, not blocking it.”
Measuring risk properly
We talked a lot about risk appetite - and how often it’s misunderstood.
“When I joined one company, I was told they wouldn’t accept any risk. I asked, ‘Is that really true? Would you tolerate no risk at all?’
“And the answer was: well, maybe we’d accept a small amount. That started a really useful conversation. We found that in certain business areas, they were happy to tolerate up to a million dollars of risk.
“That became the benchmark. It helped shape investment decisions and conversations about what mattered.”
Building the team at AVEVA
At AVEVA, Tim grew the security team from 6 to over 60. It wasn’t about chasing headcount - it was about building a community.
“I never set out to build a team that big. It started by delivering on the promises I made.
“But what surprised me was how many people from across the business wanted to join security. Engineers, legal, marketing, finance - they saw the mission and wanted to be part of it.
“It became something people were proud of.”
Turning things off
One of Tim’s most memorable wins? Saving money - and reducing risk - by decluttering legacy systems.
“I turned off 10,000 domains. Over the years, various teams had stood them up - marketing campaigns, small projects - but no one was managing them anymore.
“I went to my CFO and said: I don’t want more money. I’ve found a cost saving. I just want to repurpose it. That conversation made future budget requests a lot easier.”
Crisis in Eastern Europe
When geopolitical instability in Eastern Europe affected their operations, Tim’s team had to act fast.
“We discovered that our endpoint security provider had disabled services because of OFAC regulations. That left us blind in that region.
“I pulled together a crisis meeting - we were responsible for all business crises, not just cyber - and within minutes we decided to pull out of the area.
“We relocated people, removed assets and moved operations - all in a controlled and safe way. That wouldn’t have been possible without trust and good communication.”
Empowering your people
Tim places a big emphasis on soft skills - not just technical capability.
“I put my whole team through storytelling training. So when they’re in a lift with the CEO or CFO, they can explain what they do and why it matters.
“We also brought in people from HR, marketing, legal - people who could help shape the message and build a culture across the business.”
What matters most
As we wrapped up, I asked Tim a few quickfire questions.
What’s the first thing you focus on in a new role?
“Connections. Stakeholder mapping. Understand who the players are - because you can only tailor your message if you know who you’re speaking to.”
What does the cyber security industry need more of?
“Coffee! But seriously - diversity. And not just in backgrounds or cultures, but diversity of thought.
“Bring in people from customer service, product, marketing, engineering. People who see problems differently. That’s where innovation comes from.”
Final thoughts
What I took away from this conversation is how powerful human connection is in cyber security. Tim’s approach, focused on communication, clarity, and values, transforms how people engage with security.
It’s not about saying no. It’s about enabling the business to move forward, safely and securely.