What boards want and don’t want to hear from cybersecurity leaders

Successfully engaging with the board may not make or break a CISO’s career, but it’s becoming an increasingly important skill — particularly as risk-conscious boards seek strategic security insights.

The challenge isn’t just about presenting technical information — it’s aligning security with the board’s priorities and business objectives.

CISOs can struggle to decipher the signals about exactly what boards do and don’t want to hear, but there are ways to decode their expectations and engage effectively.

Find an ally on the board

Finding a supporter or advocate can help CISOs align their own reporting with the board’s requirements and develop better engagement. “Get a board champion to help identify exactly what the board wants to hear,” says Stephen Bennett, group CISO at Dominos.

CISOs can spend a lot of time trying to work out what the board wants and creating all sorts of different types of reports hoping to get it right, but it’s easier to go to the source.

Bennett partnered with a board member and found it helped refine his approach to reporting. That meant recognizing where to lean more into strategic, high-level insights, and identifying technical information that needed explaining for directors without specific cybersecurity knowledge. “It was a surprise that some terms we use regularly, such as end-point, firewall or a NIST framework, the board didn’t quite understand,” he tells CSO.

He realized he’d need to bridge the gap for the board and was able to develop a glossary of terms and a white paper explaining compliance frameworks and standards relevant to the organization. It provided foundational information and ensured they were all using a common language.

“The idea is these two papers rarely change because the compliance requirements and frameworks to manage risks are relatively the same in maturity assessments,” he says.

With the basics covered, Bennett was then able to use his regular reports for updates on how they’re mitigating risks for the organization and reinforce the value of investment in cyber. “I’ll explain where we’re at from a maturity perspective, the things we did last year, the things we need to do next year, and the kind of budget we need,” he says.

This experience has helped him change his approach from delivering risk reports that read more like a risk register to strategic risk assessment in the language of the business. A change of reporting line to the CFO also helped him craft business-oriented reporting.

“It’s only when you report to someone not involved in technology that you realize you’re talking in jargon or not close to talking the language of the business,” says Bennett.

Decoding what the board wants from security leaders

Cybersecurity leaders need regular contact with boards to foster familiarity and understanding. Without this, a lack of clarity can lead to either oversharing technical details or not providing enough strategic context.

Paul Connelly, former CISO turned board advisor, independent director and mentor, finds many CISOs focus too heavily on metrics while the board is looking for more strategic insights. The board doesn’t need to know the results of your phishing test, says Connelly. Boards are focused on risks the organization faces, strategies to address these risks, progress updates, obstacles to success, and whether they’re tackling the right things.

“I coach CISOs to study their board — read their bios, understand their background, and understand the fiduciary responsibility of a board,” he says. The goal is to understand the make-up of the board and their priorities and channel their metrics into risk and threat analysis for the business.

Using this information, CISOs can develop a story about their program aligned with the business. “That high-level story — supported by measurements — is what boards want to hear, not a bunch of metrics on malicious emails and critical patches or scary Chicken Little-type of threats,” Connelly tells CSO.

It’s not a one-way interaction, yet many CISOs are engaging with boards that lack the appropriate skills and understanding to foster meaningful discussions on cyber threats. “Very few boards have any directors with true expertise in technology or cyber,” says Connelly.

Only 5% of companies have cybersecurity experts on their boards, according to a 2024 Diligent Institute report, suggesting that the majority of boards struggle with cybersecurity oversight.

Although technology is integral to innovation and growth, and the associated risks are among the biggest and most complicated most companies face, many boards don’t have the skills to tackle the topic. “They’re rubber-stamping what management presents or asking the top five canned questions they read in an article from McKinsey, but not able to probe any further into the answers they get,” Connelly says.

He suggests CISOs include brief training videos, conduct board tabletop exercises, or include additional educational materials in their quarterly board book. “Anything that will help fill the gap in expertise.”

Getting beyond the Yes or No questions and the disconnect between board and cybersecurity

There’s a significant disconnect between CISOs’ views of cybersecurity priorities and their boards’ across a range of areas. According to the Splunk CISO report, CISOs are more likely to think depth of knowledge is an important skill, while boards want CISOs to be better at communicating and to have higher business acumen. Furthermore, boards are more likely than CISOs to insist on validation testing for existing cybersecurity controls and to think compliance is indicative of success.

This gap in cyber understanding can leave directors poorly equipped to get the most out of CISOs and their expertise.

“You need to appreciate that some board members will be very interested in cybersecurity and some won’t be. Sometimes you have to pitch the report to the whole gamut of board members — some want infinite detail, while others just want to hear: ‘Is everything okay, yes or no?’” says Bennett.

To move beyond ‘yes’ and ‘no’ questions and provide the board with valuable contextual insights and strategic guidance, CISOs need more than check-the-box exercises. Bennett has found that drawing on additional information sources is an effective way to unpack real-world risks and implications for the business. “I won’t just say: ‘These are the risks’. I’ll provide some context to help them understand things more deeply,” says Bennett.

News articles about security incidents can be linked to security controls, how the budget is being applied and what that means for the organization’s risk level and response times if facing the same kind of threat. “Instead of just giving figures, I’ll show them how our investment worked. For example, how we went from potentially taking five team members three days to resolve an incident, to resolving it in four hours with complete visibility,” he says.

Finding opportunities to engage with board members outside of formal meetings is another powerful way for CISOs to improve their exchanges with board members.

Whether it’s through committees or ad-hoc one-on-one meetings, these engagements help develop the rapport with board members, according to the IANS 2025 State of the CISO report.

Connelly believes it’s another important factor in a successful working relationship between the CISO and the board. During his time as a CISO, he was invited to board dinners and really got to know the audit committee members.

“That level of access and comfort facilitated good discussions where board members were comfortable asking questions,” he says.
