As the cost and frequency of cyber events grow, technologies evolve, and regulatory bodies enact stricter cybersecurity laws on the market, it’s become exceedingly clear that elevating cyber matters to the boardroom is a strategic imperative. In 2021, Gartner reported that 88% of board members already recognized cyber risk as a significant business risk, a figure which has no doubt risen even further in the wake of the US SEC cyber regulations, NIS 2, DORA, and the catastrophic 2024 CrowdStrike outage.
But with cybersecurity now a board-level priority, many stakeholders have simultaneously become overwhelmed by abstruse cyber concepts. Although learning more about the organization’s cyber exposure is generally helpful, many of the traditional cyber KPIs are highly technical and fail to communicate tangible insights to those without the relevant expertise or training, consequently enlarging the gap that had previously disconnected chief information security officers (CISOs) from board members.
Nevertheless, there are countless CISOs working with boards worldwide across industries who have recognized this communication challenge and taken proactive measures to learn how to talk about security in broader business terms, leveraging strategic cyber metrics that resonate with board members and minimizing the divide between technical cybersecurity details and overarching goals.
On a mission to uncover the cybersecurity metrics and communication tactics that are most effective in the boardroom – those that help CISOs achieve their departmental goals while enabling board members to tangibly understand cyber risk exposure – Kovrr reached out to leading cybersecurity practitioners. We sought to gain deeper insights into what truly works for bridging the gap between cyber complexities and strategic oversight and to share these findings with others who may still be facing similar obstacles.
While we received many valuable responses, this article highlights insights from the following experts:
Each of these cybersecurity leaders answered three questions.
Through their responses, these seasoned CISOs offer practical guidance to others, sharing their personal experiences on what has worked best to effectively communicate cyber risk at the board level. They emphasize strategies for translating technical cybersecurity concepts into business-relevant insights to enhance collaboration with board members.
Plainly, choosing the right cybersecurity metrics is essential for ensuring board members have a clear understanding of the organization’s cyber risk landscape. Otherwise, CISOs risk perpetuating the misconception that cyber is a resource drain, one that is too complex to be integrated within the larger enterprise risk management (ERM) strategy.
“Boards care about scorecards more than technical metrics. [They want to know if] we’re on track against what we said – operationally, financially, and for the overall program. They don’t want to see phishing click rates or awareness training percentages…[and] they don’t care about 33 million firewall blocks in the last month. They only want to know the things that had a business impact!”
“Risk appetite alignment metrics…which highlight the current risk exposure as it relates to the expectations set by the board. I often refer to items captured on the risk register and the status of their remediation. I also present new threats related to risk that leaders had previously accepted…. Tracking risk reduction or increase over time is also important because it provides the board with a dynamic view of how the organization’s cyber risk posture is evolving and the strengths and weaknesses in cyber risk management.”
“When it comes to communicating the organization’s cybersecurity posture to board members, we need to consider metrics that are closely aligned with the business goals and risk appetite, preferably quantifiable. Some of the metrics I would recommend are:
“CISOs need to balance their messaging to the board without giving them too many details as to what is happening at the back end of their shops. Contrary to public belief, the board doesn’t need or want all of the details on a cybersecurity incident…The CISO should focus the metrics on anything that impacts revenue, fraudulent activities, or brand reputation – that’s it. The board will ask questions as needed regarding the information presented. Experienced CISOs know how to offer a concise conversation.”
Boardroom reporting and high-level communication are skills that don’t necessarily come naturally, especially to those accustomed to demonstrating their value in technical and operational terms. Learning how to speak the language of the board is a trial-and-error process and requires CISOs to continuously review and adapt their mindsets.
“When board members are confused or getting bogged down by some technical aspect, that’s when I say, ‘Okay, let’s stop talking about risk and start talking about money.’ [Money] is what these stakeholders care about, and when I start talking about money and how we’re going to save money, it changes the entire conversation and board members start to understand.”
“I once presented the number of detected vulnerabilities and the volume of phishing emails blocked. While these metrics seemed important from a technical standpoint, they didn’t resonate with the board, as they lacked clarity on how these numbers impacted business risks. After recognizing this, I shifted my approach for future meetings.
Instead of focusing on raw numbers, I emphasized the percentage of critical vulnerabilities remediated and the effectiveness of employee phishing awareness. I also started using metrics like “Mean Time to Detect” and “Mean Time to Respond” to show how prepared we were to handle incidents that could disrupt operations.”
“CISOs learn the hard way [about the importance of choosing the right metrics] after the first time that they are asked to attend an executive meeting (not a board meeting), and the level of detail they provide causes concern and angst. The best advice here is to not go into too many details and to stick with high-level metrics regarding what the GRC team is working on and anything to do with sales and the size of the deal…Again, this information should be focused on impacts on revenue or brand reputation.”
“Early on, I presented highly technical metrics such as firewall rule counts, vulnerability scan totals, and intrusion attempts detected. These were important from an operational perspective but didn’t resonate with the board because they didn’t tie directly to business impact.
To address this, I shifted my communication to focus on metrics that aligned with business outcomes. For example, instead of discussing vulnerability scan counts, I framed the discussion around risk reduction—how patching vulnerabilities minimizes the likelihood of a costly breach.
I also used relatable analogies. For example, I compared patch management compliance to regular health check-ups in a doctor’s office. Just as routine check-ups prevent minor issues from escalating into serious health problems, regular patching prevents small vulnerabilities from being exploited.”
“The hardest metrics have been around vulnerability and patch management and how certain vulnerabilities can result in risks to operations, financial standing, and/or reputation downstream. If I was unsuccessful in communicating these risks, I would go back to my teams and ask them to help me explain the risk in different terms using analogies. I always try to tie technical concepts to areas that everyone can identify with, such as protecting one’s home or the assets inside.”
Board members are increasingly seeking clarity around their organization’s cybersecurity posture, but only around specific areas such as risk exposure and preparedness. Knowing the questions they’re most likely to ask not only allows CISOs to anticipate concerns and provide more targeted answers but also offers insights into how to adopt a ‘business-first’ mindset.
“Board members commonly want to understand their overall risk profile or how vulnerable the organization is to specific cyber threats. For example, what are our biggest cybersecurity risks, and how are we addressing them? As the risk profile of an organization is dynamic and changes over time, providing regular updates on the risk profile (quarterly or biannually), highlighting emerging threats, and the effectiveness of the current security program is important.
The board might also be interested in learning how their organization’s security posture is benchmarked compared to industry peers. Benchmarking allows the board to understand if their performance is up to par or if there are gaps that need addressing or areas for improvement.”
“Board members often ask the following questions:
“They truly want to know what the risks are, how we’re managing them, what events are likely to happen that would create a material impact, and how resilient our program is if any of these scenarios occur. The board sets the security risk appetite and defines tolerances. I build my program around those policies and guidelines.”
“The most common questions I receive from board members about the organization’s cyber risk exposure usually focus on understanding the real business impact rather than technical specifics. They often ask, ‘What are the most critical risks we face right now?’—wanting to know which vulnerabilities or threats could significantly disrupt the business rather than just how many were detected.”
As CISOs slowly but surely embed cyber risk management into high-level decision-making processes, board members, too, want to know how to incorporate it into their governance and oversight programs. This growing demand, as the experts have pointed out, requires that cybersecurity leaders shift their focus away from technical jargon and instead present metrics and KPIs regarding their organization’s cyber exposure in a manner that aligns with strategic business goals.
Indeed, boards are no longer content with accepting a CISO’s technical terms at face value – terms that often hold little meaning for them and risk isolating cybersecurity from broader business discussions. Instead, they seek a deeper, more tangible understanding of how cyber risks directly impact the business’s bottom line, such as how an event may affect revenue, reputation, and operational resilience.
Those CISOs who have been successful in the boardroom have learned through experience that the key to effective communication lies in migrating away from complex operational metrics and towards this broader business language. By doing so, they’ve managed to foster more informed discussions, enabling the board to recognize that cybersecurity is not a resource drain but, rather, a critical enabler of long-term market success.
One of the most straightforward means of translating the more technical aspects of cybersecurity into terms that resonate with the board is to harness on-demand cyber risk quantification (CRQ). CRQ offers easily communicable insights into an organization’s unique cyber risk exposure, such as the likelihood of various events and loss scenarios occurring, along with the respective financial and operational damage.
To learn more about how CRQ can help you bolster board-level discussions and position cybersecurity as a strategic business enabler within the broader ERM context, schedule a free demo with Kovrr today.