Most CISOs walk into the boardroom armed with metrics that boards don’t understand and leave frustrated when cybersecurity budgets get deprioritized.
Laura I. Harder, Vice President of ISSA International and an offensive cyber officer in the Air Force Reserves, has spent over 20 years leading cybersecurity teams across healthcare, federal, and private sectors. She’s seen this pattern repeat itself in organizations of every size.
Technical leaders speak in terms of vulnerabilities, exploits, and endpoint protection. Boards think in terms of revenue risk, operational disruption, and competitive positioning. When those two do not align, organizations face heightened exposure to cyber risks like ransomware. When they do align, it can prevent breaches and accelerate decision-making.
Research from the University of Adelaide Business School reinforces this gap, finding that CEOs and CFOs with IT expertise are significantly more likely to prioritize cybersecurity investment and identify critical risk‑mitigation strategies—evidence that business leaders must understand technology for cyber programs to succeed.
Translate Cyber Risk Into Business Impact
The fastest way to lose a board’s attention is to lead with technical detail.
Harder illustrates the needed reframing:
“Instead of saying, ‘We’re seeing increased ransomware activity targeting our endpoints,’ say, ‘There’s a rising risk of business disruption due to ransomware targeting systems like ours, which could impact revenue and operations for days,’” she explains. “Make it feel real, relatable, and rooted in impact.”
This shift moves cybersecurity from a back‑office function to a core component of fiduciary responsibility. Boards understand revenue loss, operational downtime, and reputational damage. When threats are framed in those terms, budget conversations change dramatically.
Harder also connects cybersecurity directly to strategic objectives. Organizations driving digital transformation, expanding customer-facing platforms, or navigating regulatory changes all rely on a strong cyber posture. IT investments are typically viewed as revenue generators that deliver a measurable return on investment, while cybersecurity tools are viewed as a cost center and a defensive measure against cyber risk. With limited budgets, businesses must balance the need for innovation against the need for protection. “I’ve seen organizations shift from reactive to proactive once they understood how cyber investments protect competitive advantage and enable innovation,” she notes after working with a private sector client launching new digital services.
Build Year-Round Engagement, Not Annual Check-ins
Another breakdown happens when cybersecurity becomes a once-a-year agenda item. Boards receive an annual briefing, approve the budget, and move on. By the next meeting, the threat landscape has evolved, new vulnerabilities have emerged, and boards are making decisions with outdated information.
Harder advocates for continuous engagement: structured, predictable touchpoints throughout the year that keep cyber risk visible and boards informed on emerging threats. This can include quarterly briefings on AI-driven attacks, supply chain compromises, or regulatory shifts, or a quarterly high-level strategic threat intelligence briefing summarizing emerging risk trends in the organization’s specific industry and their potential business impact. More engaging options include board-inclusive cyber exercises, which let directors experience incident response in practice, not theory.
“When boards are engaged year-round, they make faster, more informed decisions,” Harder observes, recalling a federal contractor that dramatically accelerated its approval process for critical investments once its board had ongoing context rather than once‑a‑year updates. Instead of waiting months for board approval on critical security investments, leadership could move quickly because the board already understood the context.
Cybersecurity Is a Leadership Issue, Not a Tech Problem
The role of the modern CISO extends far beyond securing infrastructure. It requires translating complex, evolving threats into business language that drives board-level action. It is said that “if you can’t explain it to a six-year-old, you don’t understand it yourself.” As Harder emphasizes, leaders cannot assume shared vocabulary or technical fluency. Instead of the jargon and acronyms common in military and technical settings, security leaders should use simple analogies, clear explanations, and contextual framing. Technical depth should be added only when the entire room can follow.
Ultimately, positioning cybersecurity as a strategic enabler, not a compliance burden, elevates it to where it belongs: at the core of business resilience and growth. Sustained board engagement keeps directors informed and equipped to make rapid, well-founded decisions when threats emerge.
“Our role is to elevate the conversation from the server room to the boardroom. By translating technical risk into business relevance, aligning with strategic goals, and engaging consistently, we empower our boards to lead with confidence in an age of uncertainty,” Harder concludes.
In the end, cyber isn’t a tech issue. It’s a leadership concern. Leaders who can’t communicate risk in business terms will always struggle to secure the resources, influence and support their organizations need.
Connect with Laura I. Harder on LinkedIn for more insights.