Why CISOs and Boards Must Speak the Same Language on Cybersecurity

While cybercrime has sat near the top of the board agenda for the past five years, it is arguably the most pressing risk facing organizations in 2025. New global regulations, such as the revised Network and Information Security Directive (NIS2), are putting more pressure on boards and leaders to keep pace with and demonstrate an understanding of cyber risks. At the same time, increasingly sophisticated and pervasive cyber threats, especially those using AI, put organizations at risk of financial, reputational and legal consequences. 

Seeing as many directors still identify cybersecurity as one of the most challenging areas to oversee, clear communication between the chief information security officer (CISO) and board has never been more critical. To do so requires linking cyber risks to financial consequences, leveraging technology to deepen the board’s understanding of regulatory changes and ensuring CISOs have the financial acumen to speak the board’s language.

Linking cyber risks to financial consequences

As cyber threats become more advanced and widespread, it’s critical to not only have a strong risk management strategy in place but to quantify cyber risk in a way that resonates with leadership and the board.

Providing leadership with relevant benchmarking data, including supplier risk scores and credit sentiment scores, helps them be more informed on both the internal and external risk factors they’re faced with. Additionally, tying outcomes such as ransomware or data loss to financial outcomes helps clearly communicate the impact of cyber risk.

Building an effective dialogue on cyber risk calls for CISOs to use accessible, user-friendly language that effectively translates the risks associated with cybersecurity. Quantifying cyber risk using metrics familiar to the board, as well as linking cyber risk to other top priorities on the board’s agenda, is now essential to secure buy-in and resources for effective cybersecurity programs. 

Companies with advanced cybersecurity performance see 372% higher shareholder return compared to their peers with basic cybersecurity performance, according to our research. Government oversight agencies like the SEC and FTC, as well as shareholders, lawyers and judges, think about cyber strategy in terms of operations, fiduciary obligation, revenue and implementation — so it’s crucial for CISOs to be cognizant of this as well.

Cybersecurity

Inside Regulators’ View of ‘Reasonable Security’

by Ryan Smyth and Joe Bruemmer

January 21, 2025

Consent orders and AVCs set standards for testing, training and incident response

Read moreDetails

How CISOs and boards can join forces to tackle regulatory compliance

For CISOs and board members aiming to drive growth and reduce risk, it’s essential to embed regulatory compliance into strategic plans. This approach ensures the organization stays aligned with evolving cyber and data regulations while fostering an environment that supports sustainable growth. 

As regulations evolve, the board’s expertise must adapt accordingly. Directors should leverage tools that highlight regulatory changes, identify areas where their organizations may face compliance risks and outline necessary disclosures to meet both regulatory and shareholder expectations.

Access to accurate, real-time data is crucial for boards and CISOs to navigate changing regulations and make well-informed decisions. As reporting timelines accelerate for cyber incident response, regulations are increasingly holding CISOs personally liable. This shift could impact how CISOs respond in high-pressure situations and may complicate efforts to attract and retain top talent. To tackle regulatory compliance effectively, CISOs require strong support and consistent engagement from company leadership and the board. 

Empowering the board & CISO relationship

With the role of CISOs becoming increasingly critical and more heavily scrutinized, there are many ways for boards to further strengthen this relationship. Given CISOs often lack the same protections as other C-suite executives, it may be worthwhile to reconsider their compensation and protection policies. It shows the board’s commitment to supporting their CISOs and acknowledging the importance and inherent risks of the role as it extends legal protections and provides indemnification coverage through an agreement. 

First, boards should ensure CISOs are covered by the company directors and officers (D&O) insurance policy. This helps protect CISOs from personal liability in the event of any legal challenges related to their cybersecurity responsibilities.

Second, consistent check-ins should also be put in place. The board director responsible for cybersecurity oversight — whether it’s the chair of the audit or risk committee, the lead director, board chairperson or the designated “cyber champion” — should establish regular monthly or quarterly check-ins with the CISO. These proactive meetings ensure ongoing alignment on cybersecurity strategy and risk management.

Third, setting a strong internal tone around cybersecurity and making it a priority at board meetings signals to the entire organization the critical importance of safeguarding sensitive information and managing cyber risks. When the board emphasizes cybersecurity, they reinforce the message that protecting data and systems is a priority, encouraging a culture of vigilance and proactive risk management across all departments.

Finally, amid rising cyber threats, boards must integrate cybersecurity as a mission-critical function across every layer of the organization, beginning with directors’ capacity to fulfill their oversight responsibilities effectively. Beyond protection policies, the board and senior leadership team also need to enroll in education and certification programs around cyber risk to effectively oversee strategy, respond appropriately, and ask insightful questions. 

Boards and CISOs should also consider developing a materiality framework for cybersecurity incidents. By setting clear, agreed-upon criteria for disclosure, both management and the board can preemptively assess the legitimacy of incidents, ensuring a consistent and informed response when they arise.

Organizations can’t afford to wait

Bridging the gap between cybersecurity and business strategy requires linking cyber risks directly to financial outcomes. A task made easier when CISOs have strong financial literacy and boards have strong cyber knowledge. This connection ensures consistent and informed decision-making about the company’s cybersecurity posture. By presenting a holistic view linking the technical stack to the business ecosystem, CISOs and boards have stronger, more informed boardroom discussions.