Despite cybersecurity’s prominence as a top-three priority, alongside corporate growth and financial performance, there’s a persistent gap between what board members need to know and how cybersecurity is presented to them. This disconnect is both a communications issue and a critical vulnerability that could leave organizations exposed to financial losses and reputational damage.
Board members know the stakes. They understand the stark reality that attackers need only to reach their objective once to cause catastrophic damage and reputational harm. They’re also acutely aware of the cybersecurity skills gap, the ever-evolving threat landscape and the rising costs of breaches. Still, a number of businesses report that, while cybersecurity is a high priority for leadership, board members are often left dissatisfied with the clarity, transparency or relevance of cybersecurity briefings. This frustration poses a significant challenge for chief information security officers (CISOs): Without clear and compelling communication, gaining the board’s support — and the resources required to protect the organization — remains an uphill battle.
Bridging the Communication Gap: What’s Missing?
Consider these striking statistics:
- Less than 15% of board members report being highly satisfied with their organization’s cybersecurity posture.[1]
- Nearly one third of board members are dissatisfied with the quality of information they receive about cybersecurity risks.[2]
- Over 30% of leaders believe their CISOs are presenting an overly optimistic view of their cybersecurity health.[3]
These numbers paint a troubling picture. Despite regular communication between cybersecurity leaders and boards, something is still lost in translation. The guidance and recommendations provided by CISOs and CIOs are not resonating with board members, leaving critical gaps in understanding and decision-making.
Why is this happening? The answer lies in a persistent disconnect: Not enough security leaders are communicating in business terms that resonate with the board. While many CISOs have made strides in avoiding technical jargon and focusing on results, a significant gap remains between what boards need to hear and what they’re receiving.
For example, one of the most pressing questions a board member could ask is, “What is our risk profile?” Risk is the language of the boardroom — board members want to understand how cybersecurity risks translate into business consequences:
- What does this mean for our competitive position?
- How does this affect our legal and regulatory obligations?
- Are our employees or customers at risk?
- Could this damage our brand reputation?
Answering these questions effectively requires both technical expertise and the ability to frame risks in the context of business impact. Board members rarely want to hear about algorithms, Zero Trust architectures or detailed vulnerability reports. They want to know how cybersecurity risks affect business outcomes, from missed ROI targets and industry benchmarks to regulatory fines and competitive disadvantages.
Not surprisingly, the natural follow-on question to risk is, “What are we doing about it?”
Board members expect clear, honest answers that focus on what matters most: minimizing risk, achieving business goals and ensuring sustainable, long-term success. They want to know what cybersecurity teams have done, are doing, and will do — not just the reactive measures they’ve taken to address the latest attack. They want proactive strategies to future-proof the organization.
This leads to another critical question: “What risks are you tracking that could disrupt our operations and success in the near term?” To earn and maintain the board’s trust and support, cybersecurity leaders must demonstrate foresight and a readiness to address risks that have yet to fully emerge. Effective communication means conveying what you know and how you are preparing for the unknown.
James Shira, former network CISO and now global CIO at PwC, underscored this need for improved communication in Navigating the Digital Age. In 2018, he wrote: “Communication skills are going to be particularly important as the CISO acts as a ‘translator’ between the technical and business sides.” Shira highlighted the importance of presenting cybersecurity as a balance between business opportunity and business risk — a perspective that board members intuitively understand.
Even today, that insight remains strikingly relevant. In fact, from my vantage point, with the increased complexity of the threat landscape and the velocity of AI-driven attacks, the CISO’s role as a strategic business translator is more vital than ever.
Budgets: Speaking the Board’s Language
Budget discussions often spark friction, but they are critical to aligning cybersecurity needs with business goals. Board members want to know, “What are the financial and operational benefits of this expenditure?”
To secure funding, CISOs must translate technical needs into business outcomes that resonate with directors. For example, instead of simply noting the cybersecurity skills gap, frame hiring requests in terms of measurable business benefits:
- Weak: “We need more people to monitor anomalous behavior.”
- Strong: “Additional SOC resources will improve online ordering system uptime from 92% to 97%, saving $2 million annually in remediation costs and boosting e-commerce revenue by $4 million per quarter.”
Similarly, when pitching tools like a generative AI threat detection system, shift the focus from features to outcomes:
- Weak: “This will cost $500,000 to deploy across the enterprise.”
- Strong: “This investment will enable closer collaboration between security engineers and developers, reducing production delays, avoiding costly patches and improving customer trust.”
The Bottom Line
When communicating with board members, language is everything. Every conversation should focus on how cybersecurity aligns with business goals, mitigates risks and delivers measurable value. While effective communication is a soft skill, it’s a strategic necessity. By speaking the board’s language, CISOs can secure the trust, support and resources needed to safeguard the organization in an increasingly complex threat landscape.
Curious about what else Chris has to say? Check out his other articles in Perspectives.
[1] “Securing Success: Talking to the Board About Cyber Risk,” National Cybersecurity Alliance, December 15, 2023.
[2] Life and Times of Cybersecurity Professionals, Volume VI, Enterprise Strategy Group, November 30, 2023.
[3] Ibid.