
What Boards Need to Hear from Security Leaders
Cybersecurity is not a side note at the end of a board meeting. It’s a core part of business risk, reputation, and compliance. CISOs have become some of the most important people in the boardroom.
The challenge? A CISO typically has only 20-30 minutes to brief board directors. That’s not much time to translate complex technical realities into clear, actionable insights. Boards want to understand where the company is exposed, how those risks are being managed, and whether the leader in front of them inspires trust.
Start with Who You Are
Any good relationship begins with trust. For a board, that means knowing the CISO’s values, approach, and perspective on risk. Directors want to work with a security leader who demonstrates high integrity, ethical standards, and honest communication.
Sharing “what keeps you up at night” can be a powerful way to set the tone, as long as it’s framed in business terms. Instead of walking through the mechanics of a ransomware exploit, you might say: “The risk I’m most concerned about right now is a targeted attack on our manufacturing systems. It could halt production for days and cost millions.”
This kind of framing tells the board you understand the stakes and think like a business leader, not just a security expert.
Be Honest About Security Posture
Boards want a clear picture of the company’s strengths and weaknesses. Maturity models, such as NIST or ISO 27001, can help, but the language needs to be clear and tied to critical assets: where we’re strong, where we’re exposed, how we compare to our peers, and what residual risks remain.
Including third-party and vendor security in the conversation is key. A company can have significant internal oversight, yet still be exposed through its supply chain. As one CISO I have spoken with noted, “The greatest number of incidents per year comes from vendor-side incidents.”
Explain What’s Changed
Directors don’t want every operational detail, but they do want to know what’s different since your last update. This includes:
- Major incidents you’ve addressed
- Breaches in the industry that might be relevant
- New threats like AI-driven attacks or geopolitical disruptions
By connecting these developments to your own risk profile, you help the board think proactively rather than reactively.
Show Readiness for the “When, Not If” Scenario
Boards know that incidents are inevitable. What they need to hear is that the company can respond effectively and recover quickly. Walk them through your incident response plan, crisis communications process, and any tabletop exercises you’ve run.
Recovery time targets make this real. For example: “If our systems were wiped tomorrow, it would take 72 hours to restore critical operations. Our target is 48 hours, and we have a plan to close that gap.”
Talk About Resources and Value
Cybersecurity budgets often don’t receive in-depth discussion in the boardroom, but they should. Address whether current funding aligns with the company’s risk profile, how it’s allocated, and where gaps exist. Cyber insurance is also part of this conversation: Is coverage adequate, and does it account for emerging risks?
Proactively raising these questions demonstrates to the board that you’re thinking about business value, not just spending. As security leaders consistently note, “What is the impact on our business?” is one of the most frequently asked questions from boards.
Focus Metrics on Business Impact
The most effective board-level metrics are simple, consistent, and tied to resilience. A small set of KPIs, such as recovery time, the percentage of critical systems under governance control, and residual risk after controls, can be enough to tell the story without overwhelming directors with data.
Always frame them in terms that connect to business outcomes. Remember, you’re translating technical details into business-relevant language for board members who may not be familiar with the intricacies of your security tools.
Don’t Forget Culture
Technology and controls are essential, but culture is what turns security into a shared responsibility. Boards want to know how you’re embedding security into product development, HR, legal, and finance, and how employees are being trained to spot and respond to threats. A healthy culture makes security everyone’s responsibility, not just the CISO’s.
What Directors Need to Provide
Everyone within the company is impacted by cybersecurity, including the board of directors. Yet too often, it’s just one person on the board asking questions or following up for more information.
The company’s overall cybersecurity program would be better served if every director took a greater interest in areas like:
- Security budget allocation and spending
- How security initiatives align with business objectives
- Whether the CISO has the authority and resources needed to succeed
Why This Matters
Board-level cybersecurity conversations aren’t about showing technical depth. They are about enabling good governance. A CISO who can frame risks in business terms, speak candidly about posture and readiness, and link investments to resilience gives the board exactly what it needs to fulfill its duty.
When these conversations are done well, they don’t just check a compliance box. They strengthen the relationship between the CISO and the board, build alignment across the organization, and ultimately make the company more resilient in the face of whatever comes next.
Boards understand that no company can be protected from everything – 100% certainty is impossible. But in the end, boards want to know that CISOs and their teams are doing their jobs well, thinking strategically about risk, and prepared to protect what matters most to the business.
Caroline Tsay is a technology board member and CEO with extensive experience in cybersecurity leadership.

