
Board members worldwide are turning their attention toward the cyber risk landscape and questioning the extent to which it might affect their organization’s value. Their rising concern is well-warranted, given the escalating cost of cyber incidents in both the short and the long term. A relatively recent uptick in governmental and regulatory pressure has also demanded that these executives invest more of their time in overseeing cyber risk.
As this market reorientation unfolds, boards have started to engage more frequently with cybersecurity leaders, hoping the experts can provide the data necessary for assessing and responding to cyber threats at a strategic level. Unfortunately, the information board members receive often falls short, ending up dismissed as too technical or disconnected from business priorities.
This misalignment has compelled a growing number of chief information security officers (CISOs) to rethink how they communicate with the board, increasingly understanding that their effectiveness lies not in the technical depths of their work but in how well they can convey the broader implications of the organization’s cyber exposure and their corresponding plans for risk mitigation.
Traditional Cyber Metrics Miss the Mark
Benjamin Corll, CISO in Residence at ZScaler, has experienced firsthand how traditional metrics will fail to convey cyber risk in a manner that the board can fully grasp. “They don’t want to see phishing click rates or awareness training percentages…and they don’t care about the 33 million firewall blocks,” says Corll. “[Boards] only want to know the things that have a business impact.”
Royce Markos, CISO at Vistrada, after meeting with the board, reached a conclusion consistent with Corll’s. “Early on, I presented highly technical metrics…but they didn’t resonate with the board because they didn’t tie directly to business impact.” Subsequently, he changed tactics and began linking security efforts to tangible outcomes, showing how patching vulnerabilities, for instance, reduced the likelihood of a costly breach.
Creating a Business-Oriented Narrative
That critical shift, from detailing technical activities and achievements to communicating concrete business relevance, has become increasingly central to how many cybersecurity leaders now approach the board.
Jessica Nemmers, Field CISO at Flair Data Systems, for instance, reports on the items captured in the cyber risk register and the status of their remediation. “Tracking risk reduction or increase over time is important,” she explains, “because it provides the board with a dynamic view of how the organization’s cyber risk posture is evolving.”
Douglas Brush, Interim CISO and Court-Appointed Neutral, has similarly found that this strategic reframing means speaking in financial terms. “When board members are confused or getting bogged down by some technical aspect, that’s when I say, ‘Okay, let’s stop talking about risk and start talking about money.’” The result is a conversation rooted not in cyber abstractions but in real-world consequences.
Sue Bergamo, CISO at BTE Partners, makes a point to underscore the importance of filtering out operational noise. “The best advice here is to not go into too many details and to stick with high-level metrics… focused on impacts on revenue or brand reputation.” Ultimately, security reporting should echo the language of business units and not the backend of the cybersecurity GRC stack.
Meeting the Board’s Expectations
After shifting their communication style, the next move for cybersecurity leaders is to anticipate the questions that matter most to the board. According to Wai Kit Cheah, CISO for Asia Pacific at Lumen Technologies, their priorities are pretty consistent. “Board members commonly want to understand their [organization’s] overall risk profile…[asking things such as] ‘What are our biggest cybersecurity risks and how are we addressing them?’”
Markos adds that directors often want to know how prepared the organization is to respond if something goes wrong. “They want to understand the scope and potential impact of a major cyber incident on the business,” he explains, “as well as the organization’s resilience and expected recovery time.”
Bergamo puts it even more bluntly: “[In the boardroom], the CISO should focus the metrics on anything that impacts revenue, fraudulent activities, or brand reputation – that’s it.” In her view, the board of directors wants to understand the realized business significance of cyber risk and nothing more; if directors want additional detail, they will ask for it ahead of the meeting.
Harnessing Cyber Risk Quantification to Bridge the Gap
Board-level expectations for understanding cyber exposure are shifting, with a growing demand for clearer, business-focused information. On-demand cyber risk quantification (CRQ) helps CISOs deliver such insights, offering a data-driven, concrete view of an organization’s likelihood of experiencing cyber attacks and the financial impact of those incidents.
Unlike static, point-in-time risk assessments, on-demand CRQ continuously incorporates external and internal intelligence to evaluate the business’s cyber posture and translates the outcome into financial terms. Instead of learning that the cyber program has reached a state of 75% maturity, for instance, board members will hear that they face a 27% chance of experiencing a ransomware event that could lead to $54 million of damage. This level of specificity turns the abstract into the tangible, allowing for increased confidence in investment and prioritization decisions. Such figures are only as sound as the frequency and impact estimates behind them, so they should be presented with their uncertainty ranges rather than as single point values.
CRQ also supports consistency across reporting cycles, aiding boards in understanding how cyber risk has fluctuated over time and whether mitigation strategies are working. With cyber vulnerability transformed into a familiar, broader business language, directors can more easily govern it in tandem with other core business risks.
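To make a statement of the form “an X% chance of a loss of at least $Y” concrete, and to show how a figure of that kind can be compared across two reporting cycles, here is an added, self-contained Python example. It is not Kovrr’s model and not code from this article. It assumes a toy risk register with illustrative event frequencies (modelled as Poisson rates) and per-event loss distributions (lognormal), runs a Monte Carlo simulation of annual losses, and reports expected annual loss, the probability of a year whose loss reaches an assumed materiality threshold, and tail percentiles, before and after a hypothetical mitigation. Every scenario name, rate, loss figure and threshold in it is a constructed assumption.

```python
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Scenario:
    """One loss scenario from the risk register (all values here are assumed, illustrative inputs)."""
    name: str
    annual_frequency: float  # expected events per year, modelled as a Poisson rate
    loss_median: float       # median loss of a single event, in USD
    loss_sigma: float        # lognormal shape parameter; larger means a fatter tail


def _poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count for one simulated year (Knuth's method; adequate for small rates)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(scenarios: Sequence[Scenario], trials: int = 20000, seed: int = 7) -> List[float]:
    """Monte Carlo simulation: total loss for each simulated year, summed over all scenarios."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        year_total = 0.0
        for s in scenarios:
            for _ in range(_poisson(rng, s.annual_frequency)):
                year_total += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
        losses.append(year_total)
    return losses


def exceedance_probability(losses: Sequence[float], threshold: float) -> float:
    """Share of simulated years whose loss is at least `threshold` (one point on a loss exceedance curve)."""
    return sum(1 for loss in losses if loss >= threshold) / len(losses)


def percentile(values: Sequence[float], p: float) -> float:
    """Nearest-rank percentile, p in [0, 1], of the simulated annual losses."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(round(p * (len(ordered) - 1))))]


def board_summary(losses: Sequence[float], materiality: float) -> Dict[str, float]:
    """The handful of financial figures a board can govern with."""
    return {
        "annualised_expected_loss": sum(losses) / len(losses),
        "p_loss_at_or_above_materiality": exceedance_probability(losses, materiality),
        "loss_p95": percentile(losses, 0.95),
        "loss_p99": percentile(losses, 0.99),
    }


def risk_delta(before: Dict[str, float], after: Dict[str, float]) -> Dict[str, float]:
    """Change between two reporting cycles, per metric (negative means risk went down)."""
    return {key: after[key] - before[key] for key in before}


# Constructed, illustrative register: every number below is an assumption, not real data.
MATERIALITY_USD = 10_000_000
BASELINE = [
    Scenario("ransomware", annual_frequency=0.30, loss_median=5_000_000, loss_sigma=1.0),
    Scenario("customer data breach", annual_frequency=0.10, loss_median=3_000_000, loss_sigma=0.8),
]
# Next reporting cycle: assumed backup/recovery improvements halve the ransomware rate.
AFTER_MITIGATION = [
    Scenario("ransomware", annual_frequency=0.15, loss_median=5_000_000, loss_sigma=1.0),
    BASELINE[1],
]


def report() -> Dict[str, Dict[str, float]]:
    """Summaries for both cycles plus the change between them."""
    before = board_summary(simulate_annual_losses(BASELINE), MATERIALITY_USD)
    after = board_summary(simulate_annual_losses(AFTER_MITIGATION), MATERIALITY_USD)
    return {"before": before, "after": after, "delta": risk_delta(before, after)}


if __name__ == "__main__":
    for cycle, metrics in report().items():
        print(cycle)
        for name, value in metrics.items():
            unit = "" if name.startswith("p_") else " USD"
            print(f"  {name}: {value:,.2f}{unit}")
```

The output is the shape of statement the text describes: a probability of a material loss year, an expected annual loss, and tail figures, with the delta row showing whether the cycle’s mitigation moved them. A production CRQ platform replaces the constructed inputs with telemetry and external intelligence, but the weakest link is the same: the frequency and severity estimates, which is why the ranges (here the p95 and p99 figures) belong in the board pack alongside the point values.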
Making Cyber Risk Insights Actionable
Above all, the cybersecurity data the board receives has to facilitate, not hinder, governance discussions. These high-level stakeholders don’t need every metric, regardless of how impressive it may sound. Rather, they need to know how cyber threats can affect revenue and operations. When CISOs translate the organization’s exposure into these more strategic terms, they enable the board to make smarter decisions, paving the way toward a state of resilience.
__
Yakir Golan is the CEO and co-founder of Kovrr. He started his career in the Israeli intelligence forces. Following his military service, he acquired multidisciplinary experience in software and hardware design, development and product management. For the past few years, he has focused on bringing cyber risk management solutions based on advanced machine learning and artificial intelligence to the market. Yakir holds a BSc in Electrical Engineering from the Technion, Israel Institute of Technology and an MBA from IE Business School, Madrid, Spain.