
Bridging the Cyber Communication Gap: How to Talk to Your Board About Risk
Cybersecurity is no longer just an IT issue; it's a critical business risk that demands attention from the highest levels of an organization. Yet many cybersecurity practitioners struggle to effectively communicate these complex threats to their boards and executive teams. This blog post distills key insights from a recent webinar with Stephen de Vries, CEO at IriusRisk, and Matthew Treagus, Independent Cybersecurity Consultant, offering practical advice on how to translate technical cyber risks into clear, actionable business language.
Understanding Your Audience: Boards vs. Executive Teams
A crucial first step is to understand the distinct roles and concerns of your audience. In larger organizations, boards and executive teams are quite separate. Boards represent shareholders and are primarily focused on governance, approving strategies, setting budgets, and overseeing the business's overall health and risk profile. Executive teams, on the other hand, manage the day-to-day operations.
This distinction means your messaging needs to adapt. When speaking to the board, the focus should be on the business implications of cyber risk, not the technical intricacies. If your audience doesn't understand, the communicator is failing.
What Boards Really Want to Hear
During the recent CISO webinar, Treagus recounted a striking experience where a board chair simply asked, "Matthew, just tell me this is going to be okay." This reveals a fundamental truth: boards often don't understand the scope of cybersecurity technologies or risks. They know it can have a significant negative impact, and they want reassurance and a clear path forward.
The core challenge lies in translating technical jargon into business language. Boards are concerned with:
- Risks to Revenue: How will a cyber incident impact our ability to operate, bill customers, or sell products?
- Unplanned Costs: What are the financial repercussions of an attack, including investigation, recovery (hardware, systems, extra personnel), contractual penalties, and regulatory fines?
- Reputational Damage: If an incident becomes public, how will it affect customer trust and the company's brand? Matthew cites the example of a UK real estate transaction business that faced potential collapse after a ransomware attack because it eroded trust in a time-critical service.
Instead of using hyperbole or trying to artificially quantify every risk, be specific about the nature of the cost and implications. For example, a "six-week recovery would mean we'd have to bring consultants in, and large chunks of our infrastructure team wouldn't be building the product, they'd be building this instead." This paints a clear picture of the operational and financial impact without getting bogged down in technical details.
Oversimplify, Then Add Detail
A common communication pitfall is offering too much detail upfront. Start at a basic level and then add detail only when questions arise. This allows the board to grasp the core message before delving into specifics. The goal is to advise and direct, not to turn them into subject matter experts.
Seeking Guidance and Building Relationships
Finally, don't go it alone. Find trusted senior executives—like the CFO, general counsel, company secretary, or chief of staff—who understand how the board operates. These individuals can provide coaching on how to communicate effectively and even offer one-on-one time with board members to discuss complex or contentious issues. Often, board members will ask questions in private that they wouldn't ask in a public meeting, highlighting the importance of these informal channels.
By adopting these strategies, cybersecurity professionals can move beyond technical explanations and engage boards and executive teams in meaningful conversations about cyber risk, ultimately strengthening the organization's resilience.
Watch the webinar in full here to learn even more tips that you can use to communicate effectively: https://youtu.be/-ZZFOt5jMgI
