Ivanti Blog: Posts by

How CEOs Want CISOs to Communicate Cybersecurity Risk Management Strategy

Tue, 17 Feb 2026 13:00:01 Z

Most CEOs can recite their quarterly benchmarks and revenue down to the decimal point, but ask them about their organisation's cyber risk exposure, and the answers become more vague. It's not that today’s CEOs don’t care about security — cybersecurity ranks among the top concerns for boards and executive teams. The problem runs deeper: a fundamental breakdown in how security risks are explained to business leaders that overlooks the impacts on their business outcomes.

Lack of competence is not the cause of most communication issues between CISOs and CEOs. They stem from a familiar problem: the curse of knowledge. The curse of knowledge is a common challenge where experts — in this case security leaders — might assume that everyone in the room has a baseline understanding of technical information and terminology, so they fail to break down complex risks into plain language and elaborate on real-world context.

Ivanti’s 2026 State of Cybersecurity Report underscores this disconnect. Nearly six in 10 security professionals say their teams are only moderately effective at communicating risk exposure to executive leadership.

When CEOs and CISOs don’t speak the same language, critical business vulnerabilities can be obscured by technical jargon. When communication breaks down, organisations waste time and money on misdirected investments while gaps in protection go unnoticed until a breach forces the conversation.

With threat levels rising, AI-enabled attacks are becoming more sophisticated, and data breaches make headlines weekly. The stakes for clear communication between CISOs and executive leadership have never been higher.

To understand why this communication gap persists, we need to examine both the fundamental challenges and the metrics being used to measure success.

Why cyber risk communication fails: the curse of knowledge

That disconnect between CEOs and CISOs isn’t caused by a lack of data. If anything, it’s the opposite. From the CEO's seat, the challenge isn’t attention or intent. Rather, it’s seeing dashboards, metrics, acronyms and severity scores without understanding the impact of these results on the whole business.

Security leaders need to assume that many in the room don’t understand the implications of terms like CVSS scores, attack surfaces and zero-day vulnerabilities. CEOs want more than dashboards filled with metrics, acronyms and severity scores.

Cybersecurity briefings need to go a step further and demonstrate the financial, legal, and reputational implications of these results for the business. A CISO might report "587 critical vulnerabilities detected this month" when what the CEO actually needs to know is: "Which of these threaten our ability to serve customers and what's our plan to address them?"

Cybersecurity KPIs that matter to CEOs

Useful KPIs clearly connect vulnerability management efforts to business risk. However, our cybersecurity research finds that the most used KPIs used by security teams fail to reflect risk context.

Currently, only half of companies (51%) track cybersecurity exposure scores or other risk-based indexes. Many security teams still rely on process metrics such as mean time to remediate (47%) or percentage of exposures remediated (41%).

Metrics like MTTR, patch velocity and percentage remediated matter to security teams, but they measure operational efficiency, not business exposure or potential financial impact. In isolation, they can look reassuring while obscuring the real question: are we managing our risk effectively?

These metrics, which focus on speed and coverage, may look positive on their own, but don’t do much to show whether current remediation efforts actually improve risk posture. It matters less how quickly vulnerabilities are remediated and how many are addressed. What matters more is whether the right problems are being addressed.

Shared understanding between security teams and the board and C-Suite requires grounding inscrutable metrics in real-life stakes. For CEOs, this means aligning with your CISO on the most important risks to your specific organisation — are you a financial institution that frequently faces sophisticated fraud schemes, strict compliance requirements like PCI-DSS and SOX and the constant threat of ransomware targeting customer financial data? Are you a healthcare organisation grappling with securing an expanding network of connected medical devices while maintaining rigorous compliance standards to protect sensitive patient data?

Let’s illustrate the difference between an executive security briefing that relies only on technical metrics vs. one that adds context and business impact.

What the CISO says:

"We discovered 11,000 vulnerabilities.”
"MTTR is down to 15 days from 25 days."
"We achieved an 88% remediation rate on critical CVEs."

What the CEO actually needs to know:

"We’ve identified ten critical vulnerabilities that could impact revenue-generating systems."
"If attacked today, we can restore critical operations in six hours compared to 48 hours last year."
"This protection enables us to pursue EU expansion without additional compliance risk."

Building an executive-level risk appetite framework

Executive communication depends on shared frameworks and a common point of reference for how risk is defined, measured and discussed. To eliminate inconsistencies and confusion, all stakeholders should be involved in creating and enforcing a risk appetite framework.

A major goal of these conversations is helping business leaders understand that the goal of the cybersecurity programme isn't to be completely “risk free” — it’s impossible for any modern organisation to become completely risk free. In other words, CEOs must be able to distinguish between their risk appetite and risk posture.

1. Risk appetite: how much risk their business is currently willing to tolerate in pursuit of its overarching goals.

2. Risk posture: the reality of the organisation’s current risk exposure.

Most organisations now recognise the need to formalise how much cyber risk they’re willing to accept. Ivanti’s research shows more than 80% of organisations have a documented risk appetite framework.

However, fewer than half of the organisations say these frameworks are closely followed in day-to-day operations. When frameworks exist on paper but don't guide actual decisions, it is highly likely that your organisation’s risk appetite and risk posture are not aligned.

How exposure management bridges the communication gap

Exposure management is a risk-based approach that continuously identifies, prioritises and validates the scope of potential threats across the entire attack surface. Practising exposure management helps unite security and executive leaders around a single, comprehensive strategy that reorients cybersecurity around business-critical risk.

Instead of treating all vulnerabilities as equal, exposure management focuses on identifying and prioritizing the organization's highest risks by asking:

Which current exposures are threat actors exploiting in the wild?
Which assets need to be prioritised based on current business operations?
Which assets, if compromised, would have the greatest impact in terms of reputational, customer, or legal damages?

Ivanti’s research report shows that nearly two-thirds of organisations now invest in exposure management, and leadership understanding has increased year over-year. But execution still lags: Only about a quarter of organisations rate their ability to assess risk exposure as excellent.

To close that gap and operationalize exposure management effectively, CISOs should anchor executive communication around three principles

1. Translate technical signals into business context. Instead of reporting vulnerability counts, explain which exposures affect revenue-generating systems, customer data or regulated environments.

2. Prioritise emerging threats by impact, not volume. Executives don’t need to track every new attack technique. They need to understand which situations could materially disrupt the business and how prepared the organisation is to respond.

3. Use scenarios, not spreadsheets. Narratives that connect cause, impact and outcome, backed by data, help leaders internalise risk and make faster decisions.

This approach shifts your risk mitigation strategy from reactive defence to proactive decision-making.

The path forward

When executives and security leaders speak the same language, the curse of knowledge can be broken and cybersecurity becomes a strategic enabler that protects business value, enables growth and turns security strength into competitive advantage.

The curse of knowledge can be broken — one translated metric, one business-focused conversation, and one clear decision at a time.

How to Measure the Business Impact of Digital Employee Experience (DEX)

Wed, 08 Oct 2025 13:00:00 Z

Not long ago, digital employee experience (DEX) was just a line on an IT report — something to track uptime, device issues and help desk tickets. Those metrics matter to IT, but they don’t always resonate with the C-suite. But behind the numbers is a larger story: every slowdown, every frustrating login, every delayed ticket chips away at productivity, engagement and business results. Today, DEX isn’t just an IT metric — it’s a measure of how well your organisation performs, yet too few leaders are connecting the dots.

Put simply, DEX makes it easier and more enjoyable for employees to use the technology they rely on every day. When employee technology interactions are seamless, organisations move faster and innovate more easily. When they’re full of friction, the costs — both financial and human — add up quickly.

This shift gives CIOs a powerful opportunity: to move beyond being viewed as service providers and instead be recognised as strategic leaders. By relating DEX to business KPIs — not just operational metrics — they can show how IT directly fuels productivity, innovation and long-term business growth. When metrics speak the language of business outcomes, DEX becomes a strategic lever, not just an IT initiative. 

The data tells the story: DEX strategy must evolve

In 2025, CIOs can build a strong DEX strategy by tying it directly to measurable business outcomes. That’s why we launched the 2025 Digital Employee Experience Report: Next-Level DEX, talking to over 3,300 IT professionals and end users worldwide to see what’s working, what’s not and the biggest barriers to better digital experiences.

The results reveal a striking DEX maturity gap. While 67% of organisations rate their DEX maturity as high (level 3 or 4), many fail to implement foundational best practices. Companies often confuse owning DEX tools with delivering an improved digital experience.

Our research shows that while most IT leaders recognise the importance of DEX for employees and company culture, many still struggle to measure its impact and prove its value. In fact, 77% say they track DEX and 85% call it a high priority, yet only 23% have advanced strategies with comprehensive monitoring and automation. Despite investments, many teams continue to face challenges with automation, endpoint visibility and digital sprawl.

The cost of getting DEX wrong is rising. Every lagging process, redundant tool or unresolved tech issue slows the enterprise, raising both financial and cultural costs. Digital friction — slow apps, poor connections and complex workflows — continues to frustrate employees and erode productivity.

Many organisations still struggle to track DEX

Our 2025 DEX Report shows that less than half of organisations use DEX scores to monitor employee experience — with only 48% of IT professionals reporting using them and just 24% tracking traditional satisfaction metrics like CSAT.

This points to a bigger problem we’ve likely all felt: many organisations aren’t measuring digital experiences or connecting them to meaningful outcomes. This, in turn, makes it more challenging to clearly point to which IT investments are making work easier and more satisfying.

While device performance (42%) and ticket resolution speed (39%) get nearly as much attention as DEX scores, the focus for improvements often leans toward operational efficiency rather than a holistic view of the employee experience. That means employees can feel frustrated, overlooked and demoralised — and the business misses out on the productivity and engagement that a more seamless experience could deliver.

Measuring what matters to the C-suite

If we want to quantify DEX metrics, we need to tie it to outcomes the business is already tracking. In my experience, there are four key areas for executives to focus on:

1. Productivity gains

Consider the impact of everyday tech interruptions. On average, employees tell us they experience 3.6 disruptions per month from IT issues and 2.7 from mandatory security updates. If it takes roughly 15 minutes each to resolve each issue, that adds up to 1.6 hours lost per employee every month. Hypothetically, for a 2,000-person company with a fully-loaded hourly cost of $100, the annual productivity loss approaches $4 million — showing how even small friction points scale into major business costs.

Digital friction also drives burnout. Nearly 1 in 4 IT professionals (23%) report a colleague has resigned due to workplace stress.

2. Cost savings

DEX uncovers wasted resources and hidden inefficiencies across the organisation. Many organisations see IT problems but rely on manual fixes, leading to downtime and wasted effort. Key opportunities for improvement include:

Optimised endpoint management: automating patching, provisioning and device maintenance lowers support costs.
Process automation: reducing routine IT tasks frees staff to focus on strategic initiatives.
Risk reduction: fewer security incidents and improved compliance through accurate asset inventories reduce potential financial losses.

Self-healing systems automatically detect, diagnose and fix issues before users notice, letting analysts and admins focus on strategic challenges. When quantified, these efficiencies produce measurable savings and a clear ROI that speaks directly to finance and operations leaders.

3. Stronger security and compliance

A complete asset inventory helps enforce policy and reduce risk. Poorly managed systems lead to employees resorting to using shadow IT to address their issues — our report showed that 27% of employees use unauthorised apps and nearly 40% bypass traditional IT-provided support channels (often because it’s faster than waiting for IT). Automated monitoring allows IT to maintain compliance, patch systems and reduce friction for employees, which ultimately protects the company and enhances security. Key experience and security metrics include eNPS, satisfaction surveys, patch compliance and asset inventory accuracy.

4. Employee retention and advocacy

It’s 2025 and organisations must think beyond traditional IT metrics. Employees now expect seamless, intuitive tools that make their work easier and more productive. A strong DEX strategy drives higher eNPS, lower turnover and stronger employer branding.

Reducing digital friction doesn’t just make work easier — it helps retain talent, prevents costly turnover and fosters a more connected, productive culture. Prioritising DEX also bridges gaps between HR and employees while strengthening your employer brand through more positive reviews on platforms like Glassdoor. After all, employees are the lifeblood of any company. Improving their experience isn’t just good for the people — it’s quantifiably good for business.

A practical measurement framework

Only 23% of companies report having advanced DEX strategies — those that combine monitoring, security, remediation and HR integration. Yet the payoff is clear: by tying metrics like mean time to resolve (MTTR), automation rates, licence recovery and vendor savings directly to business outcomes, IT leaders can show that DEX isn’t just an IT initiative — it’s a driver for growth and innovation.

The organisational imperative

The hardest part of DEX isn’t technology — it’s organisational buy-in. Gartner predicts that by 2027, 80% of DEX initiatives will fail if they remain siloed in IT.* Optimising the employee experience requires HR, operations, finance and security all collaborating at the table. For CIOs, that means translating technical wins into a strong DEX strategy with business results:

Today, a strong, measurable DEX strategy isn’t optional — it’s a competitive advantage.  As CIOs, we must translate operational wins into business results:

“We reduced MTTR by 30%” becomes “We gave employees back 12,000 hours of productive time last quarter.”
“We reclaimed unused licences” becomes “We saved $1.2M in hard-dollar costs.”

When metrics speak the language of business outcomes, DEX becomes a strategic lever, not just an IT initiative. 

The bottom line

DEX has moved far beyond IT. It’s a lever for productivity, cost savings, security and employee retention. By treating DEX as a business performance driver and connecting tools like UEM, ITSM, ITAM and AI-driven personalization into a cohesive ecosystem, organisations can reduce friction, accelerate innovation and deliver measurable business results.

The future of DEX isn’t more data — it’s measurable impact. By tying metrics to business outcomes and optimising the employee experience, organisations can unlock productivity, growth and innovation. Organisations that tie every metric to business outcomes, act proactively and optimise the employee experience will gain a decisive competitive edge.

Ready to take your DEX strategy to the next level? Explore the full 2025 Digital Employee Experience Report for more insights and best practices.

_{* Gartner® Magic Quadrant™ for Digital Employee Experience Management (DEX) Tools, Dan Wilson, Stuart Downes, Tom Cipolla, Autumn Stanish, Lina Al Dana, 10 January 2025}

Delivering on Our Commitment to Empower Customers with Future-Proof Solutions

Wed, 07 May 2025 13:00:03 Z

As I reflect on the tremendous progress our company has made since I joined three years ago, I want to take a moment to thank our customers for their continued trust and say how honoured and grateful I am to lead this incredible team.

Ivanti’s commitment to providing our customers with seamless, innovative, and secure solutions is unwavering. Our goal is to exceed industry standards, and we understood from the start that meaningful advancements do not happen overnight. I would like to share some of our recent updates with you today.

Financial Flexibility Enables Continued Progress and Innovation

Last week, Ivanti announced a pivotal transaction that provides us with an additional $350 million in capital and extends our current debt obligations until 2029. As we sat down with our investors to outline our journey toward a SaaS-focused model, their responses underscored their collective confidence in our progress and the long-term prospects for our business. Our newly optimised capital structure affords Ivanti financial flexibility as we continue our transformation and accelerate innovation to meet the evolving needs of our customers.

Industry-Defining Product Security Aligned with Secure by Design Principles

Over the past year, we have shared the many ways we have doubled down on our Secure by Design commitments, taking steps to secure our products, and backing these actions with substantial investments and increases in our security team resources. It was critical for us that our pledge be more than just lip service; we were committing to actively and consistently taking steps to incorporate Secure by Design principles into every stage of our product development and decision-making processes.

Our transition to a SaaS model marks another crucial step in delivering future-proof solutions to our customers. Cloud solutions are inherently more secure, and we have made meaningful efforts to remove any roadblocks–whether financial, contractual, or functionality-driven–to support customer migration to the most up-to-date offerings via a disciplined installed base management programme. Over the last 2.5 years, we have successfully migrated thousands of customers from on-prem to Ivanti Neurons solutions, with most new customers adopting our advanced, cloud-based offerings.

As part of our goal to ease the burden of security management for customers, we’ve made significant investments to automatically, and proactively counter current and future threats in our Ivanti Neurons cloud-based platform. As one example, we are rolling out important enhancements in our Neurons for Secure Access (nSA), which enable any Connect Secure edge appliance connected to nSA to be automatically patched by Ivanti in the event of a vulnerability. This technology aligns with our Secure by Design pledge and represents an important path forward for the industry in proactive security management.

Additionally, in April we announced Ring Deployment, an important innovation in Ivanti Neurons for Patch Management. An increasing number of N-Day compromises result from delays in patching, as IT teams manage a seemingly relentless stream of releases. Ring Deployment allows devices to be strategically organised based on specific needs or risk levels, enabling a controlled and prioritised patch rollout with minimal disruption to production systems. This reduces IT team strain, streamlines patch management, and fortifies customers’ environments.

Strength in Transparency and Proactive Vulnerability Management

Finally, I want to take a moment to touch on a topic that seems to get a lot of attention in the media.

At Ivanti, we view transparency as fundamental to customer trust and security. Our philosophy is simple: discovering and communicating vulnerabilities, and sharing that information with defenders, is not an indication of weakness; rather it is evidence of rigorous scrutiny and a proactive vulnerability management programme. By aggressively seeking to identify and address vulnerabilities, our aim is to get ahead of threat actors and ensure our customers can take the steps needed to protect themselves.

At Ivanti, we will always advocate for transparency in CVE disclosures, both for our own products, and across the industry. It is our belief that vulnerabilities that go unnoticed and unaddressed may keep companies out of the headlines, but it also means their customers do not have the insights needed to fully understand and protect against risks. To this end, we also engage deeply with the security community, maintain long-term partnerships with leading security experts, and actively collaborate with government agencies. We work with our partners to share intelligence with defenders that goes above and beyond standard disclosure practices. This helps prevent threat actors from replicating new attack patterns or threat vectors against others in the market, and we firmly believe this is a practice that everyone in the security and software industries should adhere to.

Looking Ahead

Ivanti is proud to be our customers’ trusted partner in IT management and security.

As we look forward, our comprehensive security strategy will continue to be anchored in customer-centricity, enabling our customers to thrive and focus on what they do best.

To all our customers — thank you for trusting us to be your partner in this journey. Together, we will continue to navigate the complexities of today’s threat landscape and build a secure and innovative future.

Warm regards,

Dennis Kozak
CEO, Ivanti