Navigating Cybersecurity Communication: Bridging the Gap Between CISOs and Corporate Boards
Recently, security leaders from a range of sectors gathered in National Harbor, Maryland, to confront a challenge that many of them consider more formidable than nation-state hackers or AI-driven cyber risks: communicating cybersecurity to a company’s board in a way that ensures directors actually grasp the risks their organizations face.
During the session at the Gartner Security and Risk Management Summit 2026, Sam Olyaei, a managing vice president at Gartner, opened with a question to the attendees: "How many of you get excited when your annual car insurance premiums come up for renewal?" The comparison captured the board’s often transactional view of cybersecurity, which it tends to treat as an obligatory regulatory checkbox to be validated. Olyaei, alongside Gartner analyst Tom Scholtz, reflected on how the landscape has changed over the last decade. Ten years ago, only 25% of Chief Information Security Officers (CISOs) were asked to present to their boards; a show-of-hands survey during the session revealed that almost all attendees now do.
The steady stream of high-profile data breaches has shifted how boards receive cybersecurity presentations. According to Gartner, 93% of board members now recognize that cyber risks pose a threat to shareholder value, and 98% expect those threats to escalate over the next two years. A significant challenge remains, however: boards rarely prioritize the same issues as CISOs, and the two groups typically do not speak the same language.
Understanding the Audience
CISOs at the summit expressed their struggle to translate an abundance of technical operational data into narratives that resonate with their boards. This difficulty is rooted in a prevalent disconnect, as highlighted by the Gartner analysts. Scholtz noted, "Many of the reports that I review are actually structured around cybersecurity, not around the business." He further elaborated on the importance of keeping the audience’s perspective in mind: "When we speak in cybersecurity terminology, we may become overly enthusiastic about complex issues. However, as my wife says, ‘Normal people don’t get excited about that stuff.’"
Olyaei echoed this sentiment, urging CISOs to frame their messaging around what board members can readily digest. Otherwise, critical points get lost in translation, and opportunities for effective engagement are missed.
Adapting Financial Reporting Methods
To enhance the efficacy of their communication, the Gartner analysts advised CISOs to adopt frameworks similar to monthly or quarterly financial reports when creating cybersecurity board reports. Finance serves as the lingua franca of corporate governance; thus, a cybersecurity report crafted in that structure is likely to resonate more intuitively with directors.
Olyaei and Scholtz proposed that a cybersecurity performance report could follow several standard financial reporting formats:
- Balance Sheet: This section would reflect the current state of the cybersecurity program, presenting a snapshot that includes heat maps and other visual aids to illustrate top cyber risks and potential financial impacts. The program’s status could cover execution against the approved strategy roadmap, as well as updates on projects, whether started, completed, or overdue.
- Income Statement: Just as an income statement reveals macro-level changes in business performance, this segment of a cybersecurity report could indicate expected financial losses or gains attributable to factors such as automation, evolving processes, and external regulatory trends.
- Cash Flow Statement: This part would articulate cybersecurity resource allocations over a specific timeframe, mirroring a cash flow statement’s purpose. It could provide visibility into expenditures categorized by staffing, services, software, and hardware. Key metrics might include the number of full-time security personnel or the proportion of the IT budget allocated to cybersecurity.
- Narrative and Notes: Finally, a narrative section would allow the CISO to summarize findings, offer additional context, introduce new issues, and make specific requests of the board.
Positioning as Business Leaders
The Gartner analysts reminded CISOs that their time in front of the board is limited, often to five or ten minutes. They should therefore settle on a stable set of indicators and metrics that appear consistently from one report to the next. Each data point should serve the narrative of the section it sits in, so that the board understands why the information matters rather than merely what it says.
To assess the effectiveness of this new reporting structure, CISOs are encouraged to circulate the framework among key leadership stakeholders and obtain their feedback. Scholtz indicated that successful reporting should:
- Generate constructive feedback from the board.
- Provide the necessary information for the board to effectively oversee cybersecurity operations.
- Minimize the occurrence of awkward or irrelevant questions from board members.
- Enhance support for cybersecurity investment and governance proposals.
As Olyaei pointed out, there’s an inherent challenge in how CISOs are often perceived—primarily as technical experts rather than business leaders. Implementing this new communication framework could help elevate the CISO position within the organization, allowing them to be viewed as integral contributors to business leadership, rather than merely technical practitioners.
As organizations grow more exposed to cyber threats, the ability to communicate cybersecurity risks and strategy to the board is not merely beneficial; it is essential to building a culture of security. The session offered practical guidance for overcoming these communication barriers and equipping CISOs to play a central role in safeguarding their organizations as the threat landscape continues to evolve.
