“It’s only when you report to someone not involved in technology that you realize you’re talking in jargon or not close to talking the language of the business,” says Bennett.
Decoding what the board wants from security leaders

Cybersecurity leaders need regular contact with boards to foster familiarity and understanding. Without this, a lack of clarity can lead to either oversharing technical details or not providing enough strategic context.

Paul Connelly, former CISO turned board advisor, independent director and mentor, finds many CISOs focus too heavily on metrics while the board is looking for more strategic insights. The board doesn’t need to know the results of your phishing test, says Connelly. Boards are focused on the risks the organization faces, strategies to address those risks, progress updates, obstacles to success, and whether they’re tackling the right things.

“I coach CISOs to study their board, read their bios, understand their background, and understand the fiduciary responsibility of a board,” he says. The goal is to understand the make-up of the board and its priorities, and to channel security metrics into risk and threat analysis for the business.

Using this information, CISOs can develop a story about their program that is aligned with the business. “That high-level story, supported by measurements, is what boards want to hear, not a bunch of metrics on malicious emails and critical patches or scary Chicken Little-type of threats,” Connelly tells CSO.

It is not a one-way interaction, however, and many CISOs are engaging with boards that lack the skills and understanding needed to foster meaningful discussions on cyber threats. “Very few boards have any directors with true expertise in technology or cyber,” says Connelly. Only 5% of companies have cybersecurity experts on their boards, according to a 2024 Diligent Institute report, suggesting that the majority of boards struggle with cybersecurity oversight.

Although technology is integral to innovation and growth, and the associated risks are among the biggest and most complicated most companies face, many boards don’t have the skills to tackle the topic.

“They’re rubber-stamping what management presents or asking the top five canned questions they read in an article from McKinsey, but not able to probe any further into the answers they get,” Connelly says. He suggests CISOs include brief training videos, conduct board tabletop exercises, or include additional educational materials in their quarterly board book. “Anything that will help fill the gap in expertise.”
Getting beyond the yes-or-no questions and the disconnect between board and cybersecurity

There’s a significant disconnect between CISOs’ views of cybersecurity priorities and their boards’ views across a range of areas. According to the Splunk CISO report, CISOs are more likely to think depth of knowledge is an important skill, while boards want CISOs to be better at communicating and to have higher business acumen. Furthermore, boards are more likely than CISOs to insist on validation testing for existing cybersecurity controls and to regard compliance as indicative of success.

This gap in cyber understanding can leave directors poorly equipped to get the most out of CISOs and their expertise. “You need to appreciate that some board members will be very interested in cybersecurity and some won’t be. Sometimes you have to pitch the report to the whole gamut of board members: some want infinite detail, while others just want to hear: ‘Is everything okay, yes or no?’” says Bennett.

To move beyond yes-or-no questions and provide the board with valuable contextual insights and strategic guidance, CISOs need more than check-the-box exercises. Bennett has found that drawing on additional information sources is an effective way to unpack real-world risks and their implications for the business. “I won’t just say: ‘These are the risks’. I’ll provide some context to help them understand things more deeply,” says Bennett.

News articles about security incidents can be linked to security controls, to how the budget is being applied, and to what that means for the organization’s risk level and response times if it faced the same kind of threat. “Instead of just giving figures, I’ll show them how our investment worked. For example, how we went from potentially taking five team members three days to resolve an incident, to resolving it in four hours with complete visibility,” he says.

Finding opportunities to engage with board members outside of formal meetings is another powerful way for CISOs to improve their exchanges with the board. Whether through committees or ad-hoc one-on-one meetings, these engagements help develop rapport with board members, according to the IANS 2025 State of the CISO report.

Connelly believes it’s another important factor in a successful working relationship between the CISO and the board. During his time as a CISO, he was invited to board dinners and really got to know the audit committee members. “That level of access and comfort facilitated good discussions where board members were comfortable asking questions,” he says.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3953098/what-boards-want-and-dont-want-to-hear-from-cybersecurity-leaders.html