How CISOs can talk cybersecurity so it makes sense to executives
CISOs know cyber risk is business risk. Boards don’t always see it that way.
For years, CISOs have struggled to get boards to understand security beyond buzzwords. Many feel they’re either ignored or misunderstood. But with threats growing and regulations tightening, that’s changing. Boards now expect CISOs to speak their language: risk, dollars, impact.
Here’s how security leaders can get through, with real-world tips on making cybersecurity resonate in the boardroom.
Translate risk into dollars
The board isn’t full of technologists. Most members come from finance, legal, or operations. They think in terms of business performance, liability, and shareholder value.
So, don’t show up with threat feeds or patch stats. Focus on what matters to them. For example:
- How a ransomware attack could halt revenue for a week
- How failing an audit might impact customer trust
- How a breach could trigger regulatory fines
When speaking to the board, cybersecurity leaders need to shift from technical jargon to the language of risk and finance. “Boards think in terms of probability and financial impact, not technical jargon,” says James Turgal, VP of global cyber risk and board relations at Optiv.
To make cyber risk resonate, Turgal uses risk quantification models such as FAIR, the Factor Analysis of Information Risk. These models allow CISOs to express threats in terms boards understand. “I start by estimating three things: how often something bad might happen, how much it could cost, and what the business impact could be in terms of brand, sales, or market share,” he explains.
Rather than talking about malware variants or attack vectors, Turgal presents scenarios such as: “The risk of a ransomware attack this year is 5 percent, and if it happens, the average loss would be $4.5 million.” He also ties cyber risk to concrete business outcomes. For example, he might show how a breach of a customer portal could reduce revenue by 8 percent in a quarter due to service disruption and customer attrition.
“Every CFO knows the daily financial number for lost operations due to system downtime,” Turgal notes. “The CISO just has to do the math.”
Turgal also recommends aligning cyber risk with financial metrics boards already use, such as value at risk. “If we don’t upgrade our cloud security controls, we expect an annualized loss exposure of $1.2 million,” he might say. This helps translate technical decisions into bottom-line consequences that boards can weigh and act on.
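As an added example, not part of the original article and not Turgal's or any FAIR vendor's own tooling, the following Python simulation shows the "how often" times "how much" reasoning behind the figures above. It treats the yearly loss event rate as a Poisson frequency and the per-event loss as a calibrated low / most likely / high range (a triangular distribution stands in for the PERT curves FAIR practitioners usually use), then reports the numbers a board can weigh: expected annual loss, the loss in a bad year, and the chance of any loss at all. The 5 percent rate and the $1M / $4.5M / $9M range are constructed inputs for illustration.

```python
"""Added example: FAIR-style annualized loss simulation for a board briefing.

Not Turgal's model or any FAIR tooling; a simplified illustration of the
"how often" x "how much" reasoning. All figures are constructed.
"""
import math
import random


def point_estimate_ale(probability, loss_if_occurs):
    """Single-point annualized loss exposure: event probability x loss magnitude.

    This is the arithmetic behind "5 percent chance, $4.5M average loss".
    """
    return probability * loss_if_occurs


def _poisson(rng, rate):
    """Sample an event count from Poisson(rate) (Knuth's method; fine for small rates).

    For a small rate the chance of at least one event is close to the rate
    itself (1 - e^-0.05 is about 4.9 percent), so a "5 percent per year"
    estimate maps almost directly onto rate=0.05.
    """
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_loss(event_frequency, loss_low, loss_mode, loss_high,
                         years=10_000, seed=1):
    """Monte Carlo over `years` simulated years; returns each year's total loss.

    event_frequency: expected loss events per year (FAIR's loss event frequency).
    loss_low/mode/high: calibrated minimum / most likely / maximum loss per event.
    A triangular distribution is an assumption standing in for PERT curves.
    """
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        events = _poisson(rng, event_frequency)
        total = sum(rng.triangular(loss_low, loss_high, loss_mode)
                    for _ in range(events))
        annual.append(total)
    return annual


def percentile(values, pct):
    """Nearest-rank percentile of a list (pct in 0..100)."""
    ordered = sorted(values)
    index = min(len(ordered) - 1, int(round(pct / 100.0 * (len(ordered) - 1))))
    return ordered[index]


def summarize(annual_losses):
    """The figures a board can act on: expected loss, tail loss, chance of any loss."""
    years = len(annual_losses)
    return {
        "expected_annual_loss": sum(annual_losses) / years,
        "p50": percentile(annual_losses, 50),
        "p90": percentile(annual_losses, 90),
        "p99": percentile(annual_losses, 99),
        "prob_any_loss": sum(1 for x in annual_losses if x > 0) / years,
    }


if __name__ == "__main__":
    # Constructed inputs: a 5 percent per-year ransomware loss event rate,
    # per-event loss calibrated at $1M minimum / $4.5M likely / $9M maximum.
    print("point estimate ALE:", point_estimate_ale(0.05, 4_500_000))
    losses = simulate_annual_loss(0.05, 1_000_000, 4_500_000, 9_000_000)
    for key, value in summarize(losses).items():
        print(f"{key}: {value:.1%}" if key == "prob_any_loss" else f"{key}: {value:,.0f}")
```

The point estimate reproduces the $225,000 behind "5 percent, $4.5 million". The simulation adds what that single number hides: in most simulated years the loss is zero, while the one-in-a-hundred year loses several million dollars, and that tail, not the average, is what a board weighs against the cost of the control being proposed.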
Focus on trends, use plain language
Boards don’t need every threat alert. But they do want to know if things are getting better or worse. Show them progress over time. For example:
- A quarterly trend of phishing attempts and response times
- Metrics showing employee click rates on simulated phishing campaigns
- A scorecard comparing current risk levels to last quarter
Highlight the outliers. What’s getting worse? What’s under control? Be transparent about gaps, and what you’re doing to close them.
Avoid jargon. Say “criminals broke in” instead of “unauthorized access.” Say “they encrypted our files and asked for money” instead of “ransomware event.” Then back it up with simple visuals. A trend chart or a risk heat map is easier to absorb in a short slot than a spreadsheet full of numbers.
Keep updates short. Board meetings are tight. Don’t drown them in detail. Aim for a five-minute update with clear takeaways: What’s changed? What are the risks? What do you recommend?
“With complex technical topics and evolving threats to cover, the typical brief time slot often proves inadequate for meaningful dialogue. Security leaders can address this by preparing concise, business-focused briefing materials in advance and prioritizing the most critical issues for discussion. When time constraints persist, they should advocate for dedicated sessions to ensure proper oversight of cybersecurity matters,” said Ross Young, CISO in residence at Team8.
Tie security to business goals
To align cybersecurity with business goals, CISOs must understand the company’s core mission and identify where security intersects with that mission. “An example of this is creating a talk track on how cybersecurity protects revenue and growth,” said Turgal. When customer trust is compromised, the consequences are immediate, hitting sales, brand loyalty and ultimately market share.
According to Turgal, this alignment often comes down to tying specific security initiatives to the company’s strategic objectives. For example, if a business is expanding into international markets, CISOs can support that goal by obtaining certifications such as ISO 27001 or demonstrating compliance with privacy regulations such as GDPR. These not only reduce risk but also help establish credibility with customers and regulators in new regions.
When communicating with the board of directors, Turgal advises mapping cybersecurity initiatives to shareholder value. “If the business goal is to protect shareholder value, there is a direct connection to business continuity and increased operational uptime.” To support that, security leaders might increase cyber resilience through containerized immutable backups, disaster recovery and incident response plans—tools that can mitigate brand-damaging attacks and prevent stock price volatility.
Compliance is another area where security and business strategy intersect. “If the business goal is to maintain compliance and avoid or reduce fines, the cybersecurity tie-in would be to invest in and implement compliance automation applications and security controls,” Turgal explained. These measures keep the organization aligned with the regulations and standards that apply to its industry, such as PCI DSS, SOX, or HIPAA.
Anticipate board questions
Before every meeting, ask yourself:
- What risks will they care about most right now?
- Are there headlines they’ll ask me about?
- What decisions do I need from them?
Frame your updates with these in mind. And practice answering questions like:
- Are we doing enough?
- How do we compare to peers?
- Could this happen to us?
Don’t be afraid to say “I don’t know,” but always follow up with, “I’ll find out and get back to you.”
After every board meeting, follow up with a written summary: what you presented, what feedback you got, and any decisions made. This builds accountability and shows professionalism. It also helps when priorities shift or budgets get cut. You’ll have a record of what was agreed, and why it matters.
Build relationships outside the boardroom
Some of the most productive conversations don’t happen in meetings. They happen over coffee, or on calls with individual board members.
If possible, schedule one-on-ones with directors to walk them through key risks. Ask what they want to know more about. Find out how they prefer to receive information.
By building rapport outside the meeting, you’ll face fewer surprises inside it.
Your strongest allies in the boardroom are often the CFO and legal chief. They understand risk and liability, and they speak the board’s language.
Work with them to shape your message. Ask them to pressure-test your data and help refine the financial impact of risks. If they’re on your side, your message will carry more weight.
CISOs with healthy board relationships tend to have better collaboration throughout the organization. According to recent Splunk research, they are also more likely to be given room to pursue generative AI use cases such as writing threat detection rules, analyzing data sources, supporting incident response and forensic investigations, and proactive threat hunting.