
What Boards Really Need From Security Leaders

A board meeting is not a place to prove how much you know. It is a place to help people decide.

By Sajed Khan / Oct 9, 2024

Boards do not need another ninety-slide security deck. I have sat through enough of them to know what happens. The first twenty slides exhaust everyone, the real question never gets asked, and the directors leave less confident than when they arrived. What a board needs is simpler and much harder to produce. They need a clear view of exposure, options, cost, and consequence.

Translate, do not transmit

The most common mistake security leaders make in the boardroom is transmitting raw information. Vulnerability counts, maturity scores, threat feed summaries. That data is real, but it is the input to your job, not the output. A director does not need to know how many critical vulnerabilities you have. They need to know what could plausibly hurt the company, how likely it is, what it would cost to reduce, and what you recommend. Do the interpretation for them. That is the value you add.

Four things a board can actually act on

  • Exposure. In plain terms, what are the few scenarios that could materially damage this organization?
  • Likelihood and trend. Are we getting safer or riskier, and why?
  • Options and cost. What are the realistic choices, and what does each one buy us?
  • Recommendation. Given all of that, what would you do, and what do you need from this board to do it?

If your reporting answers those four things, you can lose eighty slides and gain a board that trusts you.

Speak in consequences, not acronyms

Acronyms are a comfort blanket. They make us feel precise and they make directors feel lost. When I coach security leaders, I tell them to describe risk the way they would describe it to a smart relative who does not work in technology. Not because directors are not smart. Because their job is to weigh this risk against a dozen others, and they can only do that if it is stated in terms they can compare.

The best security leaders make a board feel informed, not impressed. Those are different goals, and only one of them helps the company.

Bring bad news early and plainly

Trust with a board is built on how you handle the uncomfortable conversations. If something is wrong, say it early, say it clearly, and bring options rather than just alarm. Directors have a long memory for the leader who downplayed a problem that later got worse. They have an even longer memory for the one who told them the truth when it was inconvenient and was right.

Tie security to the business, every time

A board's job is fiduciary. Frame security where it lives for them, next to revenue, reputation, regulation, and resilience. When you connect your program to those, security stops being a cost center they tolerate and becomes a risk function they rely on. That shift is mostly about language and framing, which is exactly why so many technically excellent leaders never make it. If your program itself is struggling underneath, start with why most cybersecurity programs fail.

FAQ

What should a CISO present to the board?

Focus on four things in plain language: the organization's real exposure, whether risk is trending up or down, the available options and their cost, and a clear recommendation. Skip raw tool output and acronyms.