Resources

HackSpaceCon 2026

“How to Talk Cyber Risk with Non-technical Stakeholders”

Security teams are testing more than ever, but most output still lands on executives as CVSS scores and vulnerability counts instead of business decisions. Leaders need a clearer story: what could hurt us, how badly, and what to fix first.

This talk covers a practical shift from "here's a list of issues" to "here's how this impacts revenue, compliance, and operations." We'll look at the limits of CVSS-only scoring, how to layer in financial impact and regulatory exposure, and how to build a shared risk language across security, GRC, and business stakeholders.

Attendees leave with techniques for reframing security as a cost-saving function, prioritizing remediation by real-world impact, and designing reporting that stays useful long after the pentest is delivered.

  • Pre-engagement intake questionnaire - The five-question template, with field descriptions and sample answers from three engagement types.

  • Business-aligned executive summary template - The five-section structure with prompts and example language for each section.

  • Before-and-after finding examples - Three findings, each rewritten from a CVSS-sorted technical writeup to a conclusion-titled business framing.

  • Contextual scoring cheat sheet - The three-layer rubric with worked examples showing how CVSS-sorted priorities flip when context is layered on.

  • Jargon glossary - Ten technical terms in the two-column format, ready to drop in at the front of any report before the executive summary.

Toolkit Resources