That disconnect matters more now because the cost of failure remains high, while the fight for resources is only getting harder. IBM’s 2025 Cost of a Data Breach Report found the global average breach cost reached $4.44 million, up 10% from the prior year. That same report said organizations facing high levels of security skills shortages saw much higher average breach costs, while organizations that used security AI and automation extensively reduced breach costs by an average of $3.65 million.
Those figures help explain the financial stakes of risk, but they don’t automatically translate into board support. Security leaders still have to show why specific risks warrant attention, what is at stake for the business and where action is most needed. Without that connection, even serious threats can remain too abstract to drive decisions.
Why board conversations still stall
Many board updates on risk fall short because they focus on reporting instead of decision-making.
Boards may hear about attempted attacks, open vulnerabilities, control gaps or audit findings, but those details alone do not tell them what decision is needed. A long list of risks does not create urgency if directors cannot see which exposures carry the greatest business impact, what is likely to happen if those issues remain unresolved and where management believes action should come first.
