The CISO’s Dilemma: Speaking Security in a Boardroom That Only Hears Revenue

I’ve sat in enough boardrooms to know how the story goes.

You prepare for weeks. You build the deck. You map the threats, quantify the risks, present the roadmap. You walk in confident. You walk out with 30% of the budget you asked for and a polite suggestion to “prioritize.” (Schmitz-Berndt, 2021)

Three months later, something breaks. And suddenly everyone wants to know why security wasn’t taken seriously.

Sound familiar?

The problem isn’t technical. It’s linguistic.

Boards are not incompetent. They are laser-focused on what they are accountable for — revenue, growth, shareholder value, regulatory exposure. When a CISO walks in talking about CVEs, threat actors, and zero-day vulnerabilities, the board doesn’t tune out because they don’t care. They tune out because they genuinely don’t know what to do with that information.

We are speaking Portuguese in a room that only understands Greek.

The gap between the CISO and the board is not an intelligence gap. It is a translation gap. And for too long, we have expected the board to learn our language instead of learning theirs.

What boards actually respond to

Forget the technical jargon. Start asking yourself one question before every board presentation: “So what does this mean for the business?”

A ransomware risk is not a technical problem. It is 72 hours of operational downtime, €2M in recovery costs, and your company’s name in every major newspaper. Say that instead.

A missing patch management process is not a vulnerability gap. It is a direct NIS2 compliance violation that exposes your board members to personal liability. Say that instead.

Regulatory frameworks like NIS2 are actually a CISO’s best friend in the boardroom — not because compliance is the goal, but because liability gets attention that threat intelligence never will. When board members understand that a security failure can land on them personally, the conversation changes fast.

The other side of the problem

Here is something we don’t say out loud enough: sometimes we make it worse.

We present problems without options. We ask for everything and explain nothing. We lead with worst-case scenarios and then wonder why the board becomes numb to the alarm bells.

The most effective CISOs I know present like business executives, not security engineers. They bring three options with clear trade-offs — not one “right answer.” They quantify risk in euros, not CVSS scores. They connect every recommendation to a business outcome the board already cares about.

They make it easy to say yes.

What I have learned

After more than two decades in cybersecurity — across SaaS, energy, transportation, and critical infrastructure — the hardest lesson I had to learn was this:

My job is not just to protect the organization. My job is to make the board capable of making informed decisions about risk.

That is a fundamentally different mandate. And it changes everything about how you walk into that room.

Stop trying to make them afraid. Start trying to make them informed. Fear creates paralysis. Information creates decisions.

Three things you can do starting Monday

First, audit your last board presentation. Count how many times you used technical terminology without a business translation. That number is your communication gap.

Second, find your CFO before your next board meeting. Understand what financial risks keep them up at night. Then connect your security roadmap directly to those risks. You will be speaking their language before you even enter the room.

Third, stop presenting problems. Start presenting choices. “We can accept this risk, mitigate it with X investment, or transfer it through insurance — here are the trade-offs.” Boards are decision-making bodies. Give them something to decide.

The bottom line

The board is not your obstacle. The board is your most important stakeholder — and right now, most of us are failing to communicate with them effectively.

The organizations that will navigate the next wave of cyber threats, regulatory pressure, and AI-driven risk are not necessarily the ones with the biggest security budgets. They are the ones where the CISO and the board are actually speaking the same language.

That translation starts with us.