How a CISO Should Brief the Board of Directors


It is often assumed that the board knows exactly what it wants to hear from the CISO and will simply say so. Unfortunately, that is not always the case. This leaves the CISO in the difficult position of having to gauge the board’s expectations and deliver a briefing that speaks to its actual concerns. It also, however, gives the CISO an opportunity to shape the board’s understanding of cyber risk and its priorities.

A strategic CISO will begin by engaging board members separately to learn what they specifically want to know about cybersecurity risk. While board members may not be interested in the technical aspects of system security, they are deeply concerned with how cybersecurity impacts the organization’s ability to function. They also care about financial risk and operational stability. Ideally, the board will also recognize how cybersecurity can serve as a competitive advantage.

For the same reason, the CISO should also gather input from other executives who brief the board regularly: what the board tends to ask about, how much detail it wants, and how it prefers to receive information. The briefing should then be built around the board’s specific concerns rather than around the security program’s internal structure.

When the time comes to brief the board, the CISO usually has 15 to 20 minutes to present. While topics vary, the general structure often includes:

  • An overview of the cybersecurity program and risk exposure.
  • Key incidents since the last briefing.
  • Status updates on major cybersecurity initiatives.
  • A summary of the threat landscape and emerging risks, along with the CISO’s response.
  • Requests for board support, such as assistance with interdepartmental challenges or budget increases.

It is crucial to frame cyber risk in financial terms, covering both potential losses and cost savings. A cybersecurity program should aim to reduce risk while enabling business opportunities, such as allowing the organization to transact securely online. To this end, the CISO should open with the financial consequences of cybersecurity failures, including data breaches, system outages, insider threats, and data loss, since these are the concerns central to board members.

CISOs must also quantify these risks, whether with cyber risk quantification (CRQ) tools or through consulting services, bearing in mind that both vary considerably in quality. The board will likely ask, “How were these numbers calculated?” and expect transparent, defensible risk estimates. The CISO must be prepared to explain the inputs, assumptions, and method behind each figure rather than relying on appealing visuals or vague point estimates.
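The simplest way to make a risk figure defensible is to be able to show how it was produced from stated inputs. The following is an added example, not the article’s own method or any particular CRQ product’s: a seeded Monte Carlo that turns a 90% confidence interval for event frequency and a 90% confidence interval for loss per event into an annualized loss distribution, then expresses a proposed control as an explicit percentage reduction in frequency or magnitude so the “risk reduced by $X” claim is traceable to assumptions the board can challenge. The scenario, its ranges, and the control effects are constructed for illustration.

```python
"""Transparent cyber risk quantification by Monte Carlo simulation.

Added example; the scenario and its numbers are constructed, not taken from
the article or from any CRQ vendor's model.
"""
import math
import random

# Constructed scenario: 90% confidence intervals for how often the event
# occurs per year and for the loss (USD) of a single occurrence.
BASELINE = {
    "name": "Ransomware outage of the order-management platform (hypothetical)",
    "freq_low": 0.2, "freq_high": 2.0,             # events per year
    "loss_low": 500_000, "loss_high": 12_000_000,  # USD per event
}


def lognormal_from_interval(low, high):
    """Return (mu, sigma) of a lognormal whose 5th/95th percentiles are low/high.
    Assumes the subject-matter estimate is symmetric in log space."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)  # z-score for a 90% interval
    return mu, sigma


def poisson(rng, lam):
    """Knuth's Poisson sampler; Python's random module has no Poisson draw.
    lam == 0 returns 0 every time, so a 100% frequency reduction yields no events."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenario, years=20_000, seed=42):
    """One simulated year: draw this year's event rate, draw how many events
    occur at that rate, draw a loss for each event, and sum. Returns one annual
    loss per simulated year. The seed makes the run reproducible on request."""
    rng = random.Random(seed)
    f_mu, f_sigma = lognormal_from_interval(scenario["freq_low"], scenario["freq_high"])
    l_mu, l_sigma = lognormal_from_interval(scenario["loss_low"], scenario["loss_high"])
    rate_mult = scenario.get("rate_multiplier", 1.0)   # set by apply_control
    loss_mult = scenario.get("loss_multiplier", 1.0)
    losses = []
    for _ in range(years):
        rate = rng.lognormvariate(f_mu, f_sigma) * rate_mult
        n_events = poisson(rng, rate)
        year_loss = sum(rng.lognormvariate(l_mu, l_sigma) * loss_mult for _ in range(n_events))
        losses.append(year_loss)
    return losses


def apply_control(scenario, frequency_reduction=0.0, magnitude_reduction=0.0):
    """Model a proposed control as a proportional cut in event rate and/or loss
    per event. These two percentages are the assumptions a board will probe."""
    controlled = dict(scenario)
    controlled["rate_multiplier"] = scenario.get("rate_multiplier", 1.0) * (1 - frequency_reduction)
    controlled["loss_multiplier"] = scenario.get("loss_multiplier", 1.0) * (1 - magnitude_reduction)
    return controlled


def percentile(sorted_values, q):
    """Nearest-rank percentile on an already sorted list."""
    idx = min(len(sorted_values) - 1, int(round(q * (len(sorted_values) - 1))))
    return sorted_values[idx]


def summarize(losses):
    """The figures worth putting on a board slide, with the method behind them."""
    s = sorted(losses)
    return {
        "expected_annual_loss": sum(s) / len(s),
        "p50": percentile(s, 0.50),
        "p90": percentile(s, 0.90),
        "p95": percentile(s, 0.95),
        "share_of_years_with_no_loss": sum(1 for v in s if v == 0) / len(s),
    }


def risk_reduction(before, after, **sim_kwargs):
    """Expected annual loss avoided by a control, in USD. Both runs use the same
    seed and horizon so the difference reflects only the control's assumed effect."""
    eal_before = summarize(simulate_annual_losses(before, **sim_kwargs))["expected_annual_loss"]
    eal_after = summarize(simulate_annual_losses(after, **sim_kwargs))["expected_annual_loss"]
    return eal_before - eal_after


if __name__ == "__main__":
    base = summarize(simulate_annual_losses(BASELINE))
    control = apply_control(BASELINE, frequency_reduction=0.5, magnitude_reduction=0.3)
    print(f"{BASELINE['name']}")
    print(f"  expected annual loss: ${base['expected_annual_loss']:,.0f}")
    print(f"  1-in-10-year loss (p90): ${base['p90']:,.0f}")
    print(f"  1-in-20-year loss (p95): ${base['p95']:,.0f}")
    avoided = risk_reduction(BASELINE, control)
    print(f"  control (-50% frequency, -30% magnitude) avoids ~${avoided:,.0f} per year")
```

When the board asks how the numbers were calculated, every figure above traces back to two stated intervals, the two distributions chosen for them, and two explicit percentages for the control’s effect; any of those can be changed and the run repeated in seconds. The weak point of the model is the quality of the input ranges, which is exactly where the board’s scrutiny should land.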

When reporting on ongoing projects and seeking continued funding, the CISO should state the financial effect of the work so far. For example: “We are X% complete on this project and have reduced our exposure by $XX million. We expect further reductions on this schedule…” Framing progress this way shows both that the work is on track and what it is worth to the business.

Similarly, when requesting additional funding, CISOs should tie the request to financial benefits, such as: “I propose we invest $XXX,XXX in this technology, which will reduce our exposure by $XX million.”

In essence, the CISO is building a business case in terms the board understands. No two boards are alike, and every CISO will approach the conversation somewhat differently, but presenting cyber risk and mitigation strategies in financial terms, with return on investment made explicit, is the most effective way to align with the board’s priorities. At CYE, we’ve found that defensible numbers and clear financial outcomes help CISOs win support from even the most skeptical board members.

About the Author

Ira Winkler is the Field CISO and VP for CYE. Ira is the Executive Director of the Human Security Engineering Consortium, former Chief Security Architect at Walmart, and author of You Can Stop Stupid. He is considered one of the world’s most influential security professionals and has been named a “Modern Day James Bond” by the media. He earned that description by performing espionage simulations, in which he physically and technically “broke into” some of the largest companies in the world and investigated crimes against them, then showed them how to cost-effectively protect their information and computer infrastructure. He continues to perform these espionage simulations and to assist organizations in developing cost-effective security programs. Ira Winkler can be reached at our company website www.cyesec.com
