{"id":2747,"date":"2025-04-14T06:00:00","date_gmt":"2025-04-14T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2747"},"modified":"2025-04-14T06:00:00","modified_gmt":"2025-04-14T06:00:00","slug":"what-boards-want-and-dont-want-to-hear-from-cybersecurity-leaders","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2747","title":{"rendered":"What boards want and don\u2019t want to hear from cybersecurity leaders"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Successfully <a href=\"https:\/\/www.csoonline.com\/article\/555641\/4-keys-to-better-communication-with-the-board.html\">engaging with the board<\/a> may not make or break a CISO\u2019s career, but it\u2019s becoming an increasingly important skill \u2014 particularly as <a href=\"https:\/\/www.csoonline.com\/article\/570319\/3-ways-to-speak-the-boards-language-around-cyber-risk.html\">risk-conscious boards<\/a> seek strategic security insights.<\/p>\n<p>The challenge isn\u2019t just about presenting technical information \u2014 it\u2019s aligning security with the board\u2019s priorities and business objectives.<\/p>\n<p>CISOs can struggle to decipher exactly what boards do and don\u2019t want to hear, but there are ways to decode their expectations and engage effectively.<\/p>\n<h2 class=\"wp-block-heading\">Find an ally on the board<\/h2>\n<p>Finding a supporter or advocate can help CISOs align their own reporting with the board\u2019s requirements and develop better engagement. 
\u201cGet a board champion to help identify exactly what the board wants to hear,\u201d says Stephen Bennett, group CISO at Dominos.<\/p>\n<p>CISOs can spend a lot of time trying to work out what the board wants, creating all sorts of reports in the hope of getting it right, but it\u2019s easier to go to the source.<\/p>\n<p>Bennett partnered with a board member and found it helped refine his approach to reporting. That meant recognizing where to shift toward strategic, high-level insights and which technical information needed explaining for directors without specific cybersecurity knowledge. \u201cIt was a surprise that some terms we use regularly, such as end-point, firewall or a NIST framework, the board didn\u2019t quite understand,\u201d he tells CSO.<\/p>\n<p>He realized he\u2019d need to bridge the gap for the board and was able to develop a glossary of terms and a white paper explaining compliance frameworks and standards relevant to the organization. It provided foundational information and ensured they were all using a common language.<\/p>\n<p>\u201cThe idea is these two papers rarely change because the compliance requirements and frameworks to manage risks are relatively the same in maturity assessments,\u201d he says.<\/p>\n<p>With the basics covered, Bennett was then able to use his regular reports for updates on how they\u2019re mitigating risks for the organization and reinforce the value of investment in cyber. \u201cI\u2019ll explain where we\u2019re at from a maturity perspective, the things we did last year, the things we need to do next year, and the kind of budget we need,\u201d he says.<\/p>\n<p>This experience has helped him change his approach from delivering risk reports that read more like a risk register to strategic risk assessment in the language of the business. 
A change of reporting line to the CFO also helped him craft business-oriented reporting.<\/p>\n<p><em>\u201cIt\u2019s only when you report to someone not involved in technology that you realize you\u2019re talking in jargon or not close to talking the language of the business,\u201d says Bennett.<\/em><\/p>\n<h2 class=\"wp-block-heading\">Decoding what the board wants from security leaders<\/h2>\n<p>Cybersecurity leaders need regular contact with boards to foster familiarity and understanding. Without this, a lack of clarity can lead to either oversharing technical details or not providing enough strategic context.<\/p>\n<p>Paul Connelly, former CISO turned board advisor, independent director and mentor, finds many CISOs focus too heavily on metrics while the board is looking for more strategic insights. The board doesn\u2019t need to know the results of your phishing test, says Connelly. Boards are focused on the risks the organization faces, strategies to address those risks, progress updates, obstacles to success, and whether they\u2019re tackling the right things.<\/p>\n<p>\u201cI coach CISOs to study their board \u2014 read their bios, understand their background, and understand the fiduciary responsibility of a board,\u201d he says. The goal is to understand the make-up of the board and its priorities, and to channel security metrics into risk and threat analysis for the business.<\/p>\n<p>Using this information, CISOs can develop a story about their program aligned with the business. \u201cThat high-level story \u2014 supported by measurements \u2014 is what boards want to hear, not a bunch of metrics on malicious emails and critical patches or scary Chicken Little-type of threats,\u201d Connelly tells CSO.<\/p>\n<p>It\u2019s not a one-way interaction, however, and many CISOs are engaging with boards that lack the appropriate skills and understanding to foster meaningful discussions on cyber threats. 
\u201cVery few boards have any directors with true expertise in technology or cyber,\u201d says Connelly.<\/p>\n<p>Only 5% of companies have cybersecurity experts on their boards, according to a <a href=\"https:\/\/www.diligentinstitute.com\/report\/cybersecurity-audit\/\">2024 Diligent Institute report<\/a>, suggesting that the majority of boards struggle with cybersecurity oversight.<\/p>\n<p>Although technology is integral to innovation and growth, and the associated risks are among the biggest and most complicated most companies face, many boards don\u2019t have the skills to tackle the topic. \u201cThey\u2019re rubber-stamping what management presents or asking the top five canned questions they read in an article from McKinsey, but not able to probe any further into the answers they get,\u201d Connelly says.<\/p>\n<p>He suggests CISOs include brief training videos, conduct board tabletop exercises, or include additional educational materials in their quarterly board book. \u201cAnything that will help fill the gap in expertise.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Getting beyond the Yes or No questions and the disconnect between board and cybersecurity<\/h2>\n<p>There\u2019s a significant disconnect between CISOs\u2019 views of cybersecurity priorities and their boards\u2019 across a range of areas. According to the <a href=\"https:\/\/www.splunk.com\/en_us\/campaigns\/ciso-report.html\">Splunk CISO report<\/a>, CISOs are more likely to think depth of knowledge is an important skill, while boards want CISOs to be better at communicating and have higher business acumen. 
Furthermore, boards are more likely than CISOs to insist on validation testing for existing cybersecurity controls and to treat compliance as indicative of success.<\/p>\n<p>This gap in cyber understanding can leave directors poorly equipped to get the most out of CISOs and their expertise.<\/p>\n<p>\u201cYou need to appreciate that some board members will be very interested in cybersecurity and some won\u2019t be. Sometimes you have to pitch the report to the whole gamut of board members \u2014 some want infinite detail, while others just want to hear: \u2018Is everything okay, yes or no?\u2019\u201d says Bennett.<\/p>\n<p>To move beyond \u2018yes\u2019 and \u2018no\u2019 questions and provide the board with valuable contextual insights and strategic guidance, CISOs need more than check-the-box exercises. Bennett has found that drawing on additional information sources is an effective way to unpack real-world risks and implications for the business. \u201cI won\u2019t just say: \u2018These are the risks\u2019. I\u2019ll provide some context to help them understand things more deeply,\u201d says Bennett.<\/p>\n<p>News articles about security incidents can be linked to security controls, how the budget is being applied and what that means for the organization\u2019s risk level and response times if facing the same kind of threat. \u201cInstead of just giving figures, I\u2019ll show them how our investment worked. 
For example, how we went from potentially taking five team members three days to resolve an incident, to resolving it in four hours with complete visibility,\u201d he says.<\/p>\n<p>Finding opportunities to engage with board members outside of formal meetings is another powerful way for CISOs to improve those exchanges.<\/p>\n<p>Whether it\u2019s through committees or ad-hoc one-on-one meetings, these engagements help develop rapport with board members, according to the <a href=\"https:\/\/www.iansresearch.com\/resources\/ians-state-of-the-ciso-report\">IANS 2025 State of the CISO report<\/a>.<\/p>\n<p>Connelly believes it\u2019s another important factor in a successful working relationship between the CISO and the board. During his time as a CISO, he was invited to board dinners and really got to know the audit committee members.<\/p>\n<p>\u201cThat level of access and comfort facilitated good discussions where board members were comfortable asking questions,\u201d he says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Successfully engaging with the board may not make or break a CISO\u2019s career, but it\u2019s becoming an increasingly important skill \u2014 particularly as risk-conscious boards seek strategic security insights. The challenge isn\u2019t just about presenting technical information \u2014 it\u2019s aligning security with the board\u2019s priorities and business objectives. 
However, CISOs can struggle to decipher the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2742,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2747","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2747"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2747"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2747\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2742"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2747"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2747"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2747"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}