Ivanti Blog: Posts by

How CEOs Want CISOs to Communicate Cybersecurity Risk Management Strategy

Tue, 17 Feb 2026 13:00:01 Z

Most CEOs can recite their quarterly benchmarks and revenue down to the decimal point, but ask them about their organization's cyber risk exposure, and the answers become more vague. It's not that today’s CEOs don’t care about security — cybersecurity ranks among the top concerns for boards and executive teams. The problem runs deeper: a fundamental breakdown in how security risks are explained to business leaders that overlooks the impacts on their business outcomes.

Lack of competence is not the cause of most communication issues between CISOs and CEOs. They stem from a familiar problem: the curse of knowledge. The curse of knowledge is a common challenge where experts — in this case security leaders — might assume that everyone in the room has a baseline understanding of technical information and terminology, so they fail to break down complex risks into plain language and elaborate on real-world context.

Ivanti’s 2026 State of Cybersecurity Report underscores this disconnect. Nearly six in 10 security professionals say their teams are only moderately effective at communicating risk exposure to executive leadership.

When CEOs and CISOs don’t speak the same language, critical business vulnerabilities can be obscured by technical jargon. When communication breaks down, organizations waste time and money on misdirected investments while gaps in protection go unnoticed until a breach forces the conversation.

With threat levels rising, AI-enabled attacks are becoming more sophisticated, and data breaches make headlines weekly. The stakes for clear communication between CISOs and executive leadership have never been higher.

To understand why this communication gap persists, we need to examine both the fundamental challenges and the metrics being used to measure success.

Why cyber risk communication fails: the curse of knowledge

That disconnect between CEOs and CISOs isn’t caused by a lack of data. If anything, it’s the opposite. From the CEO's seat, the challenge isn’t attention or intent. Rather, it’s seeing dashboards, metrics, acronyms and severity scores without understanding the impact of these results on the whole business.

Security leaders need to assume that many in the room don’t understand the implications of terms like CVSS scores, attack surfaces and zero-day vulnerabilities. CEOs want more than dashboards filled with metrics, acronyms and severity scores.

Cybersecurity briefings need to go a step further and demonstrate the financial, legal, and reputational implications of these results for the business. A CISO might report "587 critical vulnerabilities detected this month" when what the CEO actually needs to know is: "Which of these threaten our ability to serve customers and what's our plan to address them?"

Cybersecurity KPIs that matter to CEOs

Useful KPIs clearly connect vulnerability management efforts to business risk. However, our cybersecurity research finds that the most used KPIs used by security teams fail to reflect risk context.

Currently, only half of companies (51%) track cybersecurity exposure scores or other risk-based indexes. Many security teams still rely on process metrics such as mean time to remediate (47%) or percentage of exposures remediated (41%).

Metrics like MTTR, patch velocity and percentage remediated matter to security teams, but they measure operational efficiency, not business exposure or potential financial impact. In isolation, they can look reassuring while obscuring the real question: are we managing our risk effectively?

These metrics, which focus on speed and coverage, may look positive on their own, but don’t do much to show whether current remediation efforts actually improve risk posture. It matters less how quickly vulnerabilities are remediated and how many are addressed. What matters more is whether the right problems are being addressed.

Shared understanding between security teams and the board and C-Suite requires grounding inscrutable metrics in real-life stakes. For CEOs, this means aligning with your CISO on the most important risks to your specific organization — are you a financial institution that frequently faces sophisticated fraud schemes, strict compliance requirements like PCI-DSS and SOX and the constant threat of ransomware targeting customer financial data? Are you a healthcare organization grappling with securing an expanding network of connected medical devices while maintaining rigorous compliance standards to protect sensitive patient data?

Let’s illustrate the difference between an executive security briefing that relies only on technical metrics vs. one that adds context and business impact.

What the CISO says:

"We discovered 11,000 vulnerabilities.”
"MTTR is down to 15 days from 25 days."
"We achieved an 88% remediation rate on critical CVEs."

What the CEO actually needs to know:

"We’ve identified ten critical vulnerabilities that could impact revenue-generating systems."
"If attacked today, we can restore critical operations in six hours compared to 48 hours last year."
"This protection enables us to pursue EU expansion without additional compliance risk."

Building an executive-level risk appetite framework

Executive communication depends on shared frameworks and a common point of reference for how risk is defined, measured and discussed. To eliminate inconsistencies and confusion, all stakeholders should be involved in creating and enforcing a risk appetite framework.

A major goal of these conversations is helping business leaders understand that the goal of the cybersecurity program isn't to be completely “risk free” — it’s impossible for any modern organization to become completely risk free. In other words, CEOs must be able to distinguish between their risk appetite and risk posture.

1. Risk appetite: how much risk their business is currently willing to tolerate in pursuit of its overarching goals.

2. Risk posture: the reality of the organization’s current risk exposure.

Most organizations now recognize the need to formalize how much cyber risk they’re willing to accept. Ivanti’s research shows more than 80% of organizations have a documented risk appetite framework.

However, fewer than half of the organizations say these frameworks are closely followed in day-to-day operations. When frameworks exist on paper but don't guide actual decisions, it is highly likely that your organization’s risk appetite and risk posture are not aligned.

How exposure management bridges the communication gap

Exposure management is a risk-based approach that continuously identifies, prioritizes and validates the scope of potential threats across the entire attack surface. Practicing exposure management helps unite security and executive leaders around a single, comprehensive strategy that reorients cybersecurity around business-critical risk.

Instead of treating all vulnerabilities as equal, exposure management focuses on identifying and prioritizing the organization's highest risks by asking:

Which current exposures are threat actors exploiting in the wild?
Which assets need to be prioritized based on current business operations?
Which assets, if compromised, would have the greatest impact in terms of reputational, customer, or legal damages?

Ivanti’s research report shows that nearly two-thirds of organizations now invest in exposure management, and leadership understanding has increased year over-year. But execution still lags: Only about a quarter of organizations rate their ability to assess risk exposure as excellent.

To close that gap and operationalize exposure management effectively, CISOs should anchor executive communication around three principles

1. Translate technical signals into business context. Instead of reporting vulnerability counts, explain which exposures affect revenue-generating systems, customer data or regulated environments.

2. Prioritize emerging threats by impact, not volume. Executives don’t need to track every new attack technique. They need to understand which situations could materially disrupt the business and how prepared the organization is to respond.

3. Use scenarios, not spreadsheets. Narratives that connect cause, impact and outcome, backed by data, help leaders internalize risk and make faster decisions.

This approach shifts your risk mitigation strategy from reactive defense to proactive decision-making.

The path forward

When executives and security leaders speak the same language, the curse of knowledge can be broken and cybersecurity becomes a strategic enabler that protects business value, enables growth and turns security strength into competitive advantage.

The curse of knowledge can be broken — one translated metric, one business-focused conversation, and one clear decision at a time.

How to Measure the Business Impact of Digital Employee Experience (DEX)

Wed, 08 Oct 2025 13:00:00 Z

Not long ago, digital employee experience (DEX) was just a line on an IT report — something to track uptime, device issues and help desk tickets. Those metrics matter to IT, but they don’t always resonate with the C-suite. But behind the numbers is a larger story: every slowdown, every frustrating login, every delayed ticket chips away at productivity, engagement and business results. Today, DEX isn’t just an IT metric — it’s a measure of how well your organization performs, yet too few leaders are connecting the dots.

Put simply, DEX makes it easier and more enjoyable for employees to use the technology they rely on every day. When employee technology interactions are seamless, organizations move faster and innovate more easily. When they’re full of friction, the costs — both financial and human — add up quickly.

This shift gives CIOs a powerful opportunity: to move beyond being viewed as service providers and instead be recognized as strategic leaders. By relating DEX to business KPIs — not just operational metrics — they can show how IT directly fuels productivity, innovation and long-term business growth. When metrics speak the language of business outcomes, DEX becomes a strategic lever, not just an IT initiative. 

The data tells the story: DEX strategy must evolve

In 2025, CIOs can build a strong DEX strategy by tying it directly to measurable business outcomes. That’s why we launched the 2025 Digital Employee Experience Report: Next-Level DEX, talking to over 3,300 IT professionals and end users worldwide to see what’s working, what’s not and the biggest barriers to better digital experiences.

The results reveal a striking DEX maturity gap. While 67% of organizations rate their DEX maturity as high (level 3 or 4), many fail to implement foundational best practices. Companies often confuse owning DEX tools with delivering an improved digital experience.

Our research shows that while most IT leaders recognize the importance of DEX for employees and company culture, many still struggle to measure its impact and prove its value. In fact, 77% say they track DEX and 85% call it a high priority, yet only 23% have advanced strategies with comprehensive monitoring and automation. Despite investments, many teams continue to face challenges with automation, endpoint visibility and digital sprawl.

The cost of getting DEX wrong is rising. Every lagging process, redundant tool or unresolved tech issue slows the enterprise, raising both financial and cultural costs. Digital friction — slow apps, poor connections and complex workflows — continues to frustrate employees and erode productivity.

Many organizations still struggle to track DEX

Our 2025 DEX Report shows that less than half of organizations use DEX scores to monitor employee experience — with only 48% of IT professionals reporting using them and just 24% tracking traditional satisfaction metrics like CSAT.

This points to a bigger problem we’ve likely all felt: many organizations aren’t measuring digital experiences or connecting them to meaningful outcomes. This, in turn, makes it more challenging to clearly point to which IT investments are making work easier and more satisfying.

While device performance (42%) and ticket resolution speed (39%) get nearly as much attention as DEX scores, the focus for improvements often leans toward operational efficiency rather than a holistic view of the employee experience. That means employees can feel frustrated, overlooked and demoralized — and the business misses out on the productivity and engagement that a more seamless experience could deliver.

Measuring what matters to the C-suite

If we want to quantify DEX metrics, we need to tie it to outcomes the business is already tracking. In my experience, there are four key areas for executives to focus on:

1. Productivity gains

Consider the impact of everyday tech interruptions. On average, employees tell us they experience 3.6 disruptions per month from IT issues and 2.7 from mandatory security updates. If it takes roughly 15 minutes each to resolve each issue, that adds up to 1.6 hours lost per employee every month. Hypothetically, for a 2,000-person company with a fully-loaded hourly cost of $100, the annual productivity loss approaches $4 million — showing how even small friction points scale into major business costs.

Digital friction also drives burnout. Nearly 1 in 4 IT professionals (23%) report a colleague has resigned due to workplace stress.

2. Cost savings

DEX uncovers wasted resources and hidden inefficiencies across the organization. Many organizations see IT problems but rely on manual fixes, leading to downtime and wasted effort. Key opportunities for improvement include:

Optimized endpoint management: automating patching, provisioning and device maintenance lowers support costs.
Process automation: reducing routine IT tasks frees staff to focus on strategic initiatives.
Risk reduction: fewer security incidents and improved compliance through accurate asset inventories reduce potential financial losses.

Self-healing systems automatically detect, diagnose and fix issues before users notice, letting analysts and admins focus on strategic challenges. When quantified, these efficiencies produce measurable savings and a clear ROI that speaks directly to finance and operations leaders.

3. Stronger security and compliance

A complete asset inventory helps enforce policy and reduce risk. Poorly managed systems lead to employees resorting to using shadow IT to address their issues — our report showed that 27% of employees use unauthorized apps and nearly 40% bypass traditional IT-provided support channels (often because it’s faster than waiting for IT). Automated monitoring allows IT to maintain compliance, patch systems and reduce friction for employees, which ultimately protects the company and enhances security. Key experience and security metrics include eNPS, satisfaction surveys, patch compliance and asset inventory accuracy.

4. Employee retention and advocacy

It’s 2025 and organizations must think beyond traditional IT metrics. Employees now expect seamless, intuitive tools that make their work easier and more productive. A strong DEX strategy drives higher eNPS, lower turnover and stronger employer branding.

Reducing digital friction doesn’t just make work easier — it helps retain talent, prevents costly turnover and fosters a more connected, productive culture. Prioritizing DEX also bridges gaps between HR and employees while strengthening your employer brand through more positive reviews on platforms like Glassdoor. After all, employees are the lifeblood of any company. Improving their experience isn’t just good for the people — it’s quantifiably good for business.

A practical measurement framework

Only 23% of companies report having advanced DEX strategies — those that combine monitoring, security, remediation and HR integration. Yet the payoff is clear: by tying metrics like mean time to resolve (MTTR), automation rates, license recovery and vendor savings directly to business outcomes, IT leaders can show that DEX isn’t just an IT initiative — it’s a driver for growth and innovation.

The organizational imperative

The hardest part of DEX isn’t technology — it’s organizational buy-in. Gartner predicts that by 2027, 80% of DEX initiatives will fail if they remain siloed in IT.* Optimizing the employee experience requires HR, operations, finance and security all collaborating at the table. For CIOs, that means translating technical wins into a strong DEX strategy with business results:

Today, a strong, measurable DEX strategy isn’t optional — it’s a competitive advantage.  As CIOs, we must translate operational wins into business results:

“We reduced MTTR by 30%” becomes “We gave employees back 12,000 hours of productive time last quarter.”
“We reclaimed unused licenses” becomes “We saved $1.2M in hard-dollar costs.”

When metrics speak the language of business outcomes, DEX becomes a strategic lever, not just an IT initiative. 

The bottom line

DEX has moved far beyond IT. It’s a lever for productivity, cost savings, security and employee retention. By treating DEX as a business performance driver and connecting tools like UEM, ITSM, ITAM and AI-driven personalization into a cohesive ecosystem, organizations can reduce friction, accelerate innovation and deliver measurable business results.

The future of DEX isn’t more data — it’s measurable impact. By tying metrics to business outcomes and optimizing the employee experience, organizations can unlock productivity, growth and innovation. Organizations that tie every metric to business outcomes, act proactively and optimize the employee experience will gain a decisive competitive edge.

Ready to take your DEX strategy to the next level? Explore the full 2025 Digital Employee Experience Report for more insights and best practices.

_{* Gartner® Magic Quadrant™ for Digital Employee Experience Management (DEX) Tools, Dan Wilson, Stuart Downes, Tom Cipolla, Autumn Stanish, Lina Al Dana, 10 January 2025}

Delivering on Our Commitment to Empower Customers with Future-Proof Solutions

Wed, 07 May 2025 13:00:03 Z

As I reflect on the tremendous progress our company has made since I joined three years ago, I want to take a moment to thank our customers for their continued trust and say how honored and grateful I am to lead this incredible team.

Ivanti’s commitment to providing our customers with seamless, innovative, and secure solutions is unwavering. Our goal is to exceed industry standards, and we understood from the start that meaningful advancements do not happen overnight. I would like to share some of our recent updates with you today.

Financial Flexibility Enables Continued Progress and Innovation

Last week, Ivanti announced a pivotal transaction that provides us with an additional $350 million in capital and extends our current debt obligations until 2029. As we sat down with our investors to outline our journey toward a SaaS-focused model, their responses underscored their collective confidence in our progress and the long-term prospects for our business. Our newly optimized capital structure affords Ivanti financial flexibility as we continue our transformation and accelerate innovation to meet the evolving needs of our customers.

Industry-Defining Product Security Aligned with Secure by Design Principles

Over the past year, we have shared the many ways we have doubled down on our Secure by Design commitments, taking steps to secure our products, and backing these actions with substantial investments and increases in our security team resources. It was critical for us that our pledge be more than just lip service; we were committing to actively and consistently taking steps to incorporate Secure by Design principles into every stage of our product development and decision-making processes.

Our transition to a SaaS model marks another crucial step in delivering future-proof solutions to our customers. Cloud solutions are inherently more secure, and we have made meaningful efforts to remove any roadblocks–whether financial, contractual, or functionality-driven–to support customer migration to the most up-to-date offerings via a disciplined installed base management program. Over the last 2.5 years, we have successfully migrated thousands of customers from on-prem to Ivanti Neurons solutions, with most new customers adopting our advanced, cloud-based offerings.

As part of our goal to ease the burden of security management for customers, we’ve made significant investments to automatically, and proactively counter current and future threats in our Ivanti Neurons cloud-based platform. As one example, we are rolling out important enhancements in our Neurons for Secure Access (nSA), which enable any Connect Secure edge appliance connected to nSA to be automatically patched by Ivanti in the event of a vulnerability. This technology aligns with our Secure by Design pledge and represents an important path forward for the industry in proactive security management.

Additionally, in April we announced Ring Deployment, an important innovation in Ivanti Neurons for Patch Management. An increasing number of N-Day compromises result from delays in patching, as IT teams manage a seemingly relentless stream of releases. Ring Deployment allows devices to be strategically organized based on specific needs or risk levels, enabling a controlled and prioritized patch rollout with minimal disruption to production systems. This reduces IT team strain, streamlines patch management, and fortifies customers’ environments.

Strength in Transparency and Proactive Vulnerability Management

Finally, I want to take a moment to touch on a topic that seems to get a lot of attention in the media.

At Ivanti, we view transparency as fundamental to customer trust and security. Our philosophy is simple: discovering and communicating vulnerabilities, and sharing that information with defenders, is not an indication of weakness; rather it is evidence of rigorous scrutiny and a proactive vulnerability management program. By aggressively seeking to identify and address vulnerabilities, our aim is to get ahead of threat actors and ensure our customers can take the steps needed to protect themselves.

At Ivanti, we will always advocate for transparency in CVE disclosures, both for our own products, and across the industry. It is our belief that vulnerabilities that go unnoticed and unaddressed may keep companies out of the headlines, but it also means their customers do not have the insights needed to fully understand and protect against risks. To this end, we also engage deeply with the security community, maintain long-term partnerships with leading security experts, and actively collaborate with government agencies. We work with our partners to share intelligence with defenders that goes above and beyond standard disclosure practices. This helps prevent threat actors from replicating new attack patterns or threat vectors against others in the market, and we firmly believe this is a practice that everyone in the security and software industries should adhere to.

Looking Ahead

Ivanti is proud to be our customers’ trusted partner in IT management and security.

As we look forward, our comprehensive security strategy will continue to be anchored in customer-centricity, enabling our customers to thrive and focus on what they do best.

To all our customers — thank you for trusting us to be your partner in this journey. Together, we will continue to navigate the complexities of today’s threat landscape and build a secure and innovative future.

Warm regards,

Dennis Kozak
CEO, Ivanti

Adopt This Mindset for A Happier, More Productive Workforce

Fri, 08 Sep 2023 15:00:00 Z

Is the Great Resignation over? No — it might be called different names now, but it is still going, and it has shifted in ways that employers must pay attention to — or risk losing serious competitive advantage.

Translation: there’s still a war for talent — and as any seasoned leader knows, there is always a war for talent. And now, more than ever, that war has extended beyond simply hiring. Now it’s about finding the right people and promoting engagement, loyalty and productivity in a work landscape that has forever changed.

Employees’ actions are speaking volumes

Despite all the headlines about return-to-office mandates, it’s clear that things will never fully return to the way they were before. While many employers are still holding fast to the old model, employees have made it clear that they want a new way of working. No more long commutes. No more sacrificing their wellbeing and personal time to hole up in a cubicle. No more being treated as a cog in the wheel.

So, while employers want engagement, loyalty and productivity — employees want purpose, passion, flexibility and to feel valued.

According to a recent survey, voluntary quit rate was 25% higher in the US in 2022 compared with December 2019. That stat should raise eyebrows, especially given that, by the end of 2022, the job market had tightened.

And they’re still leaving. In the same survey, more than one in four office workers under 40 said they’re considering leaving their jobs in the next six months. Top reasons include lack of motivation, boredom due to workload, feeling taken advantage of, mental health suffering due to work and a lack of engagement.

Is there a disconnect here? Yes, you’ve heard plenty about it over the last few months. But the mistake everyone’s making is assuming that these desires are mutually exclusive. They’re not. The problem is that people haven’t found the right way to bridge the gap.

And what is the right way?

The Everywhere Work mindset

It’s time to adopt an Everywhere Work mindset when it comes to knowledge work. What does that mean? The Everywhere Work mindset is a belief that great work can happen anywhere, as long as employees are empowered with the tools and support they need to thrive.

This isn’t about “caving” to employee demands. This is a very pro-organization approach, too. It paves the way for a work environment that is secure, orchestrated, efficient and attractive to top talent.

Everywhere Work is not synonymous with remote work. Everywhere Work acknowledges that there will be varied — and possibly changing — models used within your organization. The point is to remove location from the equation and adopt a strategy that secures, empowers and supports everyone, everywhere.

How to achieve the Everywhere Work mindset

Everywhere Work will look a little different for every organization, and every individual, based on their unique needs and circumstances. Still, there are a few common threads to consider:

1. Streamline collaboration and workflows

“I thought we put that in the shared folder?”

“Why wasn’t I tagged on that workflow?”

“Which platform are we using for this one?”

If you’re a remote employee, few things are more frustrating than misaligned tools and collaboration strategies. It means so much more work with zero added ROI. A streamlined, universal strategy is essential to facilitate seamless workflow, collaboration and communication.

2. Adopt a secure asset management strategy

When your employees are dispersed, it’s particularly important to map, manage and secure every asset being used. Whether you rely on BYOD, company-issued or a combination of the two, it’s a good idea to have a universal strategy that makes it realistic to manage assets remotely.

3. Consider zero trust for your network

A zero trust approach to security assumes bad actors are always on your network. It means limiting access so that only the right people and devices have access to the right information at the right time. This is particularly important with Everywhere Work, when people are working far beyond a traditional office-based security perimeter.

There is a caveat. A zero trust approach has the potential to be burdensome on employees, creating extra hoops for them to jump through. But it doesn’t have to be that way. There are zero trust solutions designed to minimize burdens on employees while promoting security. Again, the fewer barriers there are to doing their jobs well, the more likely employees are to be productive.

Everywhere Work is intended to be fluid, so the Everywhere Work mindset must be fluid, too. Your strategies will grow and change as your organization grows and changes. Hopefully, by adopting the Everywhere Work mindset, that growth and change will include significantly increased retention, engagement and productivity.