How CISOs can elevate cybersecurity in boardroom discussions


Ross Young is the CISO in residence at Team8 and the creator of the OWASP Threat and Safeguard Matrix (TaSM). In this interview, he shares his perspective on how cybersecurity professionals can tailor their presentations to the board, aligning security strategies with business priorities.

He also discusses common misconceptions that boards have about cybersecurity and offers practical advice on building lasting relationships with executives to ensure cybersecurity stays front and center in ongoing business discussions.

What key considerations should cybersecurity professionals keep in mind when tailoring their presentation to align with the board’s priorities?

Cybersecurity leaders who present to their boards need to frame cybersecurity initiatives in terms of business growth and revenue impact rather than just risk mitigation. Board members want to understand how security programs directly affect the company’s bottom line, so presentations need to highlight how security measures enhance customer confidence and drive sales completion. For example, with eCommerce, when streamlined multi-factor authentication makes transactions smoother, it can measurably reduce cart abandonment rates and increase revenue.

Cybersecurity professionals can strengthen their case by sharing concrete examples of how vulnerability management protects revenue-generating services. They might demonstrate how proactive security testing kept critical customer-facing applications running during peak sales periods, maintaining revenue flow while competitors experienced disruptions. Stories about effective disaster recovery planning that preserved business operations during challenging times can particularly resonate with board members.

By speaking the board’s language of business value and profitability, security professionals can more effectively gain support and resources for their programs. The key is consistently linking security initiatives to measurable business outcomes.

What common misconceptions do boards have about cybersecurity, and how can they be addressed?

First, boards frequently believe that sufficient spending alone can prevent all cyberattacks. That’s simply not the case, and it overlooks how security works across all three lines of defense. While investment is important, organizations need coordinated effort between operational management (first line), risk management functions (second line), and internal audit (third line) to create an effective security posture. Complete attack prevention is impossible, making resilience and response capabilities as important as preventive measures.

Another misconception is overvaluing certifications like ISO 27001 and SOC 2 Type 2. While these certifications satisfy second-line compliance requirements and help with customer assurance, they don’t automatically translate to robust security. The first line of defense, including developers and operational staff, must actively implement security practices in their daily work, regardless of certification status.

Finally, boards often misunderstand security ownership. While the security team typically operates in the second line of defense alongside risk management and compliance functions, primary responsibility for security begins with first-line operational teams, particularly developers securing their applications. The third line (internal audit) provides independent assurance, but cannot substitute for strong first-line security practices.

What common pushbacks or challenges might cybersecurity leaders face when presenting to the board, and how should they address them?

One of the most difficult challenges is communicating persistent risks transparently, particularly when limited progress has been made in addressing them. Leaders may feel pressure to downplay these ongoing vulnerabilities, but doing so can create a false sense of security. The key is to frame these ongoing risks in terms of business impact while presenting realistic, staged approaches to risk reduction over time.

Another substantial challenge is discussing risks that could create liability for the company. Security leaders must balance their obligation to inform the board about significant threats while being mindful of how such discussions could affect legal exposure. Working closely with legal counsel to structure these conversations appropriately can help navigate this sensitive territory.

Perhaps most challenging is the common issue of insufficient time allocated for cybersecurity discussions at board meetings. With complex technical topics and evolving threats to cover, the typical brief time slot often proves inadequate for meaningful dialogue. Security leaders can address this by preparing concise, business-focused briefing materials in advance and prioritizing the most critical issues for discussion. When time constraints persist, they should advocate for dedicated sessions to ensure proper oversight of cybersecurity matters.

What metrics or KPIs most effectively communicate cybersecurity status to a non-technical audience?

The most successful presentations focus on trend data rather than technical details, always connecting metrics back to business objectives. Select a small number of high-impact measurements that clearly demonstrate both progress and challenges in terms board members naturally understand.

When presenting cybersecurity status to non-technical board members, focus on metrics that clearly demonstrate business impact and risk. For example, risk reduction metrics using visual risk matrices provide an intuitive way to show progress in reducing threats. Security investment and ROI metrics, particularly cost per incident and budget utilization, resonate strongly as they align with financial decision-making.

Incident detection & response metrics tell a compelling story about operational effectiveness, while third party and supply chain risk metrics highlight vulnerabilities in critical business relationships. These can be effectively paired with threat landscape metrics to provide context about the current security environment.
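The metrics named above (risk matrices, cost per incident, detection and response figures) have to be computed from raw incident records before they can be shown as a trend. The following Python is an added example, not part of the interview and not part of TaSM or any Team8 tooling: it aggregates constructed incident records into one row per quarter and a 5x5 risk-matrix count. The record fields, the 1-to-5 likelihood and impact scales, and the choice of mean time to detect and mean time to contain as the detection and response metrics are assumptions made for the example; the incidents are constructed sample data.

```python
"""Quarterly board metrics from incident records (added example, constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Incident:
    # Field set and scales are assumptions for this example, not a standard schema.
    ident: str
    occurred_at: datetime   # start of attacker activity, as established by the investigation
    detected_at: datetime   # first alert or report
    contained_at: datetime  # attacker access removed
    cost_usd: float         # response and recovery cost booked against the incident
    likelihood: int         # 1 (rare) .. 5 (almost certain), as rated on the risk register
    impact: int             # 1 (negligible) .. 5 (severe)


def build_incident(ident, occurred, detected, contained, cost_usd, likelihood, impact):
    """Convenience constructor taking ISO-8601 timestamps."""
    return Incident(ident, datetime.fromisoformat(occurred), datetime.fromisoformat(detected),
                    datetime.fromisoformat(contained), float(cost_usd), likelihood, impact)


def validate(incidents):
    """Return a list of data problems; an empty list means the records are usable.

    Out-of-order timestamps silently produce negative detection or response times that
    make the trend look better than it is, so check before aggregating, not after."""
    problems = []
    for inc in incidents:
        if not inc.occurred_at <= inc.detected_at <= inc.contained_at:
            problems.append(f"{inc.ident}: timestamps out of order")
        if not (1 <= inc.likelihood <= 5 and 1 <= inc.impact <= 5):
            problems.append(f"{inc.ident}: likelihood/impact outside 1..5")
        if inc.cost_usd < 0:
            problems.append(f"{inc.ident}: negative cost")
    return problems


def quarter_of(dt):
    return f"{dt.year}-Q{(dt.month - 1) // 3 + 1}"


def quarterly_trend(incidents):
    """One row per quarter (bucketed on detection date): count, MTTD, MTTR, cost per incident."""
    problems = validate(incidents)
    if problems:
        raise ValueError("; ".join(problems))

    def hours(delta):
        return delta.total_seconds() / 3600

    buckets = defaultdict(list)
    for inc in incidents:
        buckets[quarter_of(inc.detected_at)].append(inc)
    rows = []
    for q in sorted(buckets):
        group = buckets[q]
        n = len(group)
        rows.append({
            "quarter": q,
            "incidents": n,
            "mttd_hours": round(sum(hours(i.detected_at - i.occurred_at) for i in group) / n, 1),
            "mttr_hours": round(sum(hours(i.contained_at - i.detected_at) for i in group) / n, 1),
            "cost_per_incident_usd": round(sum(i.cost_usd for i in group) / n),
        })
    return rows


def trend_summary(rows):
    """Percent change from the first quarter to the last; negative means improving for all three."""
    first, last = rows[0], rows[-1]
    return {k: (None if first[k] == 0 else round((last[k] - first[k]) / first[k] * 100, 1))
            for k in ("mttd_hours", "mttr_hours", "cost_per_incident_usd")}


def risk_matrix(incidents):
    """Incident counts per (likelihood, impact) cell of a 5x5 matrix."""
    return Counter((inc.likelihood, inc.impact) for inc in incidents)


def render_matrix(counts):
    """Plain-text 5x5 grid for a slide: impact on rows (5 at top), likelihood on columns."""
    lines = ["impact\\likelihood " + " ".join(f"{lk:>2}" for lk in range(1, 6))]
    for impact in range(5, 0, -1):
        cells = " ".join(f"{counts.get((lk, impact), 0):>2}" for lk in range(1, 6))
        lines.append(f"{impact:>17} {cells}")
    return "\n".join(lines)


# Constructed sample records spanning two quarters (not real incidents).
SAMPLE_INCIDENTS = [
    build_incident("INC-1", "2024-01-10T08:00", "2024-01-12T08:00", "2024-01-12T20:00", 40000, 4, 3),
    build_incident("INC-2", "2024-02-01T00:00", "2024-02-02T00:00", "2024-02-02T06:00", 20000, 3, 2),
    build_incident("INC-3", "2024-03-05T12:00", "2024-03-05T18:00", "2024-03-06T00:00", 30000, 4, 4),
    build_incident("INC-4", "2024-04-10T09:00", "2024-04-10T15:00", "2024-04-10T18:00", 10000, 2, 2),
    build_incident("INC-5", "2024-05-20T00:00", "2024-05-20T04:00", "2024-05-20T12:00", 15000, 3, 3),
    build_incident("INC-6", "2024-06-01T00:00", "2024-06-01T02:00", "2024-06-01T03:00", 5000, 1, 2),
]

if __name__ == "__main__":
    rows = quarterly_trend(SAMPLE_INCIDENTS)
    for row in rows:
        print(row)
    print("change first->last quarter (%):", trend_summary(rows))
    print(render_matrix(risk_matrix(SAMPLE_INCIDENTS)))
```

The validation step is the part worth keeping even if the metric set changes: a single record with detection logged before occurrence pulls the quarterly mean down and turns a bad quarter into an apparently good one, which is exactly the false sense of progress a board briefing must avoid.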

What strategies work best to foster ongoing dialogue rather than one-off presentations?

Regular engagement through executive risk committees provides a more effective platform for cybersecurity discussions than isolated board presentations. Monthly meetings with the C-Suite allow security leaders to maintain consistent visibility of evolving threats and progress on security initiatives. This cadence enables more nuanced discussions and helps executives develop a deeper understanding of cybersecurity challenges over time.

However, since not all organizations have formal risk committees, security leaders may need to create alternative channels for ongoing dialogue. This might include quarterly business alignment sessions, regular security updates integrated into existing executive meetings, or informal briefings with key stakeholders. The key is establishing a predictable rhythm of communication that keeps cybersecurity consistently on the executive agenda rather than treating it as a periodic compliance exercise.

By maintaining regular touchpoints, security leaders can build stronger relationships with executives and ensure cybersecurity remains a continuous part of strategic business discussions rather than an annual presentation exercise.
