
How CISOs Build Trust in the Boardroom
In my last post, I focused on what Audit Committees expect from security leaders. This one is about how CISOs earn trust by framing the message in business terms and sharing it in ways that keep directors informed between meetings. But building that trust isn’t straightforward. From serving on Audit Committees, I see how CISOs must navigate diverse board member backgrounds, limited time, multiple information sources, and organizational dynamics that can make full transparency complicated.
Know Your Audience and Tailor the Format
Every board is different. One security leader I spoke with recently put it bluntly: the first six months with a new board “feels like a long interview.” They’re deciding if you’re the right leader. This insight came from a Security Impact Circle workshop in Palo Alto, where CISOs candidly discussed board dynamics, and their experiences echo what I see in audit committees.
Start by learning who’s in the room: technical depth, risk appetites, and hot-button interests vary. Several of these leaders shared that they curate content accordingly—fraud and bot mitigation for one board, software supply chain for another—while anchoring everything to a standard, credible framework (e.g., NIST CSF or CIS) with a clear note on how it has been tailored to their industry.
From my experience on several boards, what signals that a CISO “gets it” early on is composure and clarity. The best first impressions come from security leaders who frame their role as part of the business and not separate from it. When a CISO starts conversations with risk, resilience, and tradeoffs, it tells me they understand how their function connects to growth, operations, and brand trust.
Use “No-Surprises” Touchpoints
Trust is built between meetings. One team held a separate deep-dive each quarter with the board’s most technical director; by the time the Audit Committee met, everyone knew what he’d ask and the conversation moved faster. Others use pre-reads and offer ad hoc 1:1s to address detailed questions early. If you want to change your deck format, preview the “old vs. new” views in the same packet and invite feedback. Directors appreciate the heads-up.
“No surprises” sounds simple, but in practice it’s hard. Directors sit on multiple boards, and what works in one boardroom can feel out of place in another. From my perspective, the best CISOs use short, structured updates between meetings, such as an email summary after a tabletop exercise, a quick note on a new regulation, or a heads-up before a disclosure event.
Lead with Context, Not Dashboards
Boards don’t want a wall of metrics. They want the story: what changed since last quarter and why it matters. A CISO I spoke with described shifting away from “everything is up and to the right” maturity slides after their board experienced a disconnect: progress slides one month, an incident the next. The fix is to pair concise maturity reporting with situational awareness (e.g., “our exposure and actions from a vendor breach”) and assurance evidence (red-team findings, remediation owners, timelines). That mix shows diligence, not just scoring.
One CISO I worked with initially reported individual issues across each regional operating partner. Over time, the team built a consolidated view showing how each partner benchmarked against shared standards and where improvements were needed. That shift from fragmented updates to a unified benchmark helped the Audit Committee understand progress at a glance and gave the CISO more credibility in steering the program.
Show Progress Without False Precision
Security is a moving target. One leader noted the paradox: you may “discover more rocks” and lower a maturity score while actually improving posture. Their solution is to version the risk model (similar to software) to show forward motion and fresh discovery: “versus last quarter’s baseline, we improved; in the updated model with new risks, here’s today’s score.”
Regarding quantification, several teams tested FAIR or dollarized loss scenarios and found ranges to be highly variable across firms, which is useful for insurance discussions but less so for precise decision-making. I’ve also found that many of the numbers used in quantification exercises can seem arbitrary. It’s rarely clear what probabilities underpin them or how consistently they’re applied. As a board member, when I see a single, precise figure, especially one tied to breach likelihood or expected loss, I immediately want to understand the assumptions behind it.
At one company, I’ve seen FAIR used effectively, but invariably, it involves a lot of detail and ends up in the appendix rather than the main discussion. The insight is helpful for context, but what matters to the committee most is still the narrative: how exposure is changing, where residual risks sit, and how management is addressing them.
Align Assurance Functions
Consistency builds confidence. One CISO shared how their company aligned projects and work efforts across Enterprise Risk, Compliance, Internal Audit, and Security, so all functions are driving toward the same priorities and using shared data where possible. When those groups coordinate assessments and communicate through a common lens of risk, the Audit Committee doesn’t have to reconcile competing views or duplicate efforts. It sends a powerful signal that the company’s risk oversight ecosystem is integrated and mature.
When Internal Audit and Security aren’t aligned, directors worry the company’s control environment may be fragmented and efforts are misplaced. When it comes time to prioritize audits and projects each year, I ask the teams to ensure their resources are aligned and any learnings are shared.
Translate Technical Risk into Business Risk
Make the business stakes explicit. One CISO borrowed a familiar go-to-market idea – “marketing-influenced revenue” – to quantify security-influenced revenue (deals closed because you met customer security requirements). Others map risks to business initiatives: in a payments or availability-critical business, a one-hour outage could mean tens of millions in impact; in other models, data trust is the existential risk. The point is to tie each top risk to revenue, customers, operations, or brand and not to tool telemetry.
The biggest frustration I have as a board member is when a presentation swings too far in either direction: so technical that it feels opaque, or so simplified that it lacks credibility. The sweet spot is specificity with context: “Here’s the exposure, here’s how we’re mitigating it, and here’s why that matters to our customers or investors.”
Bring Outside Voices Judiciously
Independent advisors or benchmarks can lift trust and educate the committee on the questions they should be asking. One team engaged a seasoned external cyber advisor on an ongoing basis (not just a one-off), pairing that guidance with internal evidence (tests, fixes, timelines) to avoid outsourcing the message.
Outside perspectives can add credibility, but they can also create noise. On my boards, third-party benchmarks like SecurityScorecard or Big Four assessments are useful when they corroborate management’s story and not when they introduce conflicting methodologies. The CISO should own the narrative, using outside data as reinforcement, not replacement.
Bottom Line
Boards don’t need more detail. They need clear framing and thoughtful sharing. Know your directors, avoid surprises, align priorities across assurance functions, and connect every risk to business outcomes and residual exposure. That’s how CISOs move from “security expert” to trusted business leader in the boardroom.
From the board side, we can help by asking better questions and by resisting the instinct to compare one company’s cybersecurity posture to others without context. Every organization’s risk surface is unique. Audit Committees should also devote enough time for security discussions to move beyond compliance checks into strategy. That’s where the most productive dialogue happens: when the CISO and the board are thinking together about resilience, not just reporting on it.
Up Next
In the next post, I’ll turn to the reality of preparation. Even the most experienced CISOs describe board prep as time-intensive and sometimes frustrating. We’ll look at what makes Audit Committee and Board prep hard and how better tools, data, and collaboration can make it easier, more consistent, and ultimately more strategic.

