How CISOs Can Communicate With Their Boards Effectively

COMMENTARY

The role of the chief information security officer (CISO) today is not the CISO's role of the past. The ever-evolving threat landscape, adoption of new technologies like generative AI (GenAI), increased regulatory pace, ongoing employee education and training programs, and maintaining operational resilience have found CISOs under increased pressure and stress. On top of this, 49% of CISOs now report to their board on at least a weekly basis, presenting them with a new skill they need to master: the art of communication.

Historically, board support increased only after a cyberattack, putting CISOs in a reactive rather than proactive role. But with today's increased visibility of breaches, product failures, and the legal ramifications amplified by the media, there's a microscope on cybersecurity practices within every organization. Boards are now interested in understanding the security status of their organization and the security decisions being made at the highest level. This increased desire requires extended engagement with the board, which has also elevated the CISO's position and visibility within the company.

Today's CISOs report to the board on topics covering cybersecurity risk management, assessment and mitigation plans, high-level strategic overviews, planning and alignment, and regulatory compliance and audit results. This information helps boards understand the organization's overall preparedness and standing relating to the latest regulatory guidance and threats, as well as future planning and alignment with the overall business strategy.

While CISOs agree board engagement is helping to drive positive changes in their cybersecurity strategies, communication and knowledge barriers still exist. Speaking the business language is a skill many CISOs still need to develop to align with their board and succeed in securing additional budgets and resources for their programs. 

Here are a few tips for CISOs to keep in mind when reporting to their board, and ones I've found success with: 

1. Preparation Is Key

Go into these meetings with a high degree of preparation and understanding, with clarity on the numbers. Collaborate with your C-suite ahead of time and ensure alignment on specific strategies — this will help position your initiatives alongside innovation. 

2. Find an Ally

Try to find a sympathetic ear on the board beforehand — someone who wants to lean in and understand cybersecurity a little better. Run your presentation by them in advance to ensure you're delivering the right level of content. 

3. Less Is More

The deck should start with a high-level overview. Understand there is a lot more you want to say, but there's only so much the board will receive. Summarize anything less important so you can call their attention to the items that really matter. Stick all the items that aren't essential in the appendix. 

4. Stay on Topic

Pass out copies of your presentation to each board member before you present — and avoid reading your slides. The slides ultimately become an addendum to the discussion that happens in the room — but it's important you move each discussion along succinctly to ensure there's enough time to cover the most important topics. 

5. Align Your Cybersecurity Objectives With Business Goals

Align your initiatives with business goals and frame them in terms of business value — enabling growth, protecting brand reputation, and preventing financial losses. Many, if not all, board members don't have the cybersecurity expertise or technical background you do, and they won't understand the technology jargon. Up-level your messaging and align it with the key business goals. It's not about what you need to run the department; it's about what they need to run the business. 

6. Communicate in Terms of Risk

Aligning with business goals and communicating risks in financial terms will help you bridge the knowledge gap and further position you as a valuable seat at the table. People understand numbers — focus on the ones that have an impact. Your program is an investment — so what are the results? Are there any areas that need more investment — or less?

7. Include Industry Insights

Include insights into something currently or recently happening at another company in your industry and what it could mean for you. If the same thing happens to you, would the impact be material? That's the question you need to have an answer to. Focus on business and operational resilience, as well as crisis communications preparedness.

With the increased frequency of board reporting, CISOs need to ensure their interactions are brief, productive, and valuable. The CISOs who will succeed in this expanded role are those who can evolve beyond technical acumen to adopt a more business-focused lens and master the art of storytelling.