How board members think about cyber risk and what CISOs should tell them

In this Help Net Security video, Jonathan Trull, EVP & CISO at Qualys, discusses which cybersecurity metrics matter most to a board of directors. Drawing on more than two decades in the field, he explains how boards think about their duty to oversee risk and how CISOs can present information in a way that supports that duty.

Jonathan outlines why boards want to understand risk appetite, how loss scenarios shape those discussions, and why no single metric can answer every question. He describes how signals from identity systems, infrastructure, cloud resources, and application security tools can be brought together to form a risk index for the organization. He then explains how to translate that index into meaningful probabilities board members can use to judge business impact.

The video ends with guidance on diagnosing why risk might be above appetite levels and how those insights help guide strategy and future budgets.