Two Sides of the Same Boardroom

Dan Lamorena
March 22, 2026

Why CISOs and Boards Still Can’t Agree on Whether the Security Program Is Working

Here’s a scene that plays out in boardrooms everywhere, four times a year, like clockwork.

The CISO walks in with thirty slides, fifteen minutes on the audit committee agenda, and a carefully calibrated message about residual risk, maturity benchmarks, and initiative progress. The board listens politely. A few members nod. Someone asks whether the company is “safe.” The CISO deflects with nuance. The conversation moves to the next agenda item.

Both sides leave thinking the same thing: that didn’t land.

It’s not a competence problem. It’s a language problem. And according to a growing body of evidence, including new research being conducted at RSAC 2026 by Pulse Security AI, the gap between what CISOs communicate and what boards actually absorb may be wider than either side realizes.

The Translation Problem Nobody Solved

The cybersecurity industry has spent two decades perfecting detection, response, and recovery. What it hasn’t built is a shared language between the people running security programs and the people responsible for governing them. This challenge is a core theme of the Security Impact Circle, an invitation-only community of CISOs and senior security leaders who gather to share candid, peer-driven insights on the real challenges of security leadership.

“The issue isn’t that CISOs lack business acumen,” says Mike Armistead, CEO of Pulse Security AI. Armistead, who has spent the past several months hosting intimate dinners with security leaders through the Security Impact Circle, continues: “It’s that the entire framework for communicating security value was designed by technologists, for technologists. We’re asking CISOs to translate the SOC into boardroom strategy in real time—and then wondering why the message gets lost.”

That frustration surfaced repeatedly in Security Impact Circle conversations over the past year. CISOs described a recurring tension: boards want a clear yes-or-no on whether the company is protected, while CISOs know the honest answer is always “it depends.” One security leader put it bluntly during a recent dinner: the first six months of any board relationship feel like a prolonged job interview, where credibility is built through consistency—not a single presentation.

The disconnect runs deeper than style. CISOs talk about maturity frameworks, NIST alignment, and risk reduction. Board members think in terms of liability exposure, regulatory compliance, and capital allocation. Same meeting. Different dictionaries.

Early signals from our ongoing work suggest this misalignment may be measurable, and potentially larger than most leaders realize.

What the Board Side Sees

Caroline Tsay brings a perspective most security conversations don’t have: she sits on the other side of the table. A board member and audit committee participant across three public companies, Tsay has watched dozens of CISO presentations. Her observation cuts to the core of the problem.

“Board members aren’t looking for a security education,” Tsay says. “They’re looking for confidence—confidence that the CISO has the right resources, the right priorities, and the ability to be transparent about what’s working and what isn’t. The format matters less than the trust.”

That trust, Tsay notes, is built between meetings, not during them. The CISOs who succeed at board communication have cultivated relationships with individual board members, proactively flagged issues before they became surprises, and understood that a board’s appetite for security detail varies enormously depending on who’s in the room.

And here’s the wrinkle that makes this more than a soft-skills challenge: SEC disclosure rules have raised the stakes for everyone. Boards now carry real liability for cybersecurity oversight. Directors who lack technical backgrounds are being asked to govern programs they can’t fully evaluate. CISOs who carry personal liability for what they present are trying to give honest assessments that may not always align with executive optimism.

Both sides are operating under pressure. Neither side has the tools to bridge the gap.

Early indications from Security Impact Circle conversations suggest the gap could be significant: as much as 30-40 points on key metrics of confidence and alignment. If the data supports that, it would represent one of the clearest signals yet that the industry needs a fundamentally different approach to how security programs communicate their value.

“Every CISO I talk to feels this in their gut,” Armistead says. “They know the board doesn’t fully understand their program. But right now, that’s an anecdote. We want to turn it into data.”

The industry has debated the CISO-board disconnect for years, but debate alone hasn’t closed the gap.

It’s time to move from anecdotes and frustration to hard numbers—and we can only do that together. Your experience walking out of that boardroom meeting, unsure if the message landed? It matters. It shapes the data that will finally quantify this misalignment and guide real solutions.

Take the survey. Your anonymous input will help turn gut feelings into evidence that drives better communication, stronger trust, and more effective security governance.

Join the conversation: Connect with the Security Impact Circle at securityimpactcircle.org.