Encourage Board Members to Get Onboard With Cybersecurity

The average cost for a data breach in the United States is $9.44 million – more than twice the global average of $4.35 million for such an incident. In the U.S. alone, nearly seven breach notices took place each business day in 2022.

If those numbers don’t concern board members, what will?

Data breaches make daily headlines. In January 2023, T-Mobile, MailChimp and Chick-fil-A were among the big brands that took a hit. But cyber criminals don’t discriminate according to size – small- to medium-sized businesses are at risk too.

Yet at many companies, cybersecurity talk is just that – talk – by boards of directors. It should be a board-level obligation to ensure cybersecurity is taken seriously, especially with data breaches increasing in size, sophistication, frequency, cost and severity.

Here are five tips CISOs can use to help board members understand why the organization must do more than talk the talk and actually walk the cybersecurity walk.

1. Explain the evolving threat landscape

Hackers have a unique mindset, and they don’t follow the rules. They are smart and adopt tech faster than most. These bad actors will worm their way into organizations any way they can – often through employees’ emails.

Therefore, hammer it in that cyber risk management should be an integral part of business strategy. It can’t be relegated to the IT team alone. Organizations – with their boards’ backing – must proactively adopt and implement cybersecurity readiness plans and defense measures.

2. Avoid tech talk – speak their language

It’s challenging for CISOs to communicate the value of investing in cybersecurity to the board. Sometimes, board members come from non-technical backgrounds and simply lack experience in the security arena. They may not have a clear picture of the relationship between cybersecurity and business health.

As such, avoid jargon and acronyms. Clearly convey how cybersecurity measures support company priorities and protect brand reputation. Don’t get into the weeds with too many technical details.

3. Use data and metrics

Since boards are concerned about finances, substitute tech talk with ROI. Use data that connects back to the business. Provide metrics centered on creating revenue, improving margins and mitigating risk – demonstrate how having strong security can be a competitive differentiator for the business.

While it can be challenging to quantify risk, consider building key risk metrics that can be measured and presented over time. Some cybersecurity leaders even use maturity models demonstrating quarterly trends and showing how their initiatives mature. Boards are often interested in seeing how the business compares to the industry. Having these metrics and reference models gives them a sense of where the business stacks up and where the gaps are.

4. Provide real-world examples

Password manager LastPass last year informed customers that their information was accessed during a security breach. A hacker accessed unencrypted subscriber account information such as LastPass usernames, company names, billing addresses, email addresses, IP addresses and phone numbers. When Twitter was hacked (again), the company earned the title of first data breach of this year.

Bring incidents like these up to board members, then follow up and ask, “What would happen if we were the ones making the headlines? How many stakeholders and how much money would we lose?” Posing such questions brings the potential of a cyberattack much closer to home – even when the industries are vastly different.

5. Communicate consistently and frequently

Rather than wait for a board meeting, establish a regular cadence of cybersecurity updates. Explain what measures the security team has implemented company-wide: training employees on how to avoid phishing attacks, mandating that laptops are securely managed when offsite, and showing how spending X amount on cybersecurity software could potentially save the company X dollars on cyber insurance or on the next big incident.

Be prepared

As high-profile cyberattacks continue and escalate, the role of the CISO has become business-critical. And while winning over the board of directors might not be easy for CISOs, it’s doable. Start by using the five tips just covered.


James Edgar, Senior Vice President and Chief Information Security Officer, FLEETCOR

James Edgar is an IT security and risk professional with extensive background in network engineering, security architecture, policy, risk, compliance and management. James has more than a decade of experience, which has included roles rangi...