Beyond One-Way Reporting: How the CISO-Board Relationship Must Evolve for Modern Security

By Staff Writer | Published: April 4, 2025 | Category: Risk Management

As boards demand more from their security leaders, savvy organizations are realizing that truly effective cybersecurity requires boards to provide CISOs with strategic support, cultural backing, and adequate resources.

The Evolving Landscape of Board-CISO Relations

David Gee's recent article in CSO Online, "What CISOs need from the board: Mutual respect on expectations," arrives at a crucial moment for corporate governance and cybersecurity leadership. As regulatory pressure mounts and cyber threats grow more sophisticated, boards are intensifying their scrutiny of cybersecurity practices—and by extension, their Chief Information Security Officers (CISOs). What makes Gee's analysis particularly valuable is his emphasis on the reciprocal nature of this relationship: while boards rightfully expect much from their CISOs, effective security leadership also requires specific support from the board.

This mutual dependency creates a dynamic that many organizations are struggling to navigate. As a former CISO at a Fortune 500 company, I've witnessed firsthand how this relationship can make or break an organization's security posture. When it works well, the CISO-board relationship creates a virtuous cycle of strategic alignment, appropriate risk management, and resilient security operations. When it fails, the consequences can be devastating, as numerous high-profile breaches have demonstrated.

As regulatory frameworks like the New York Department of Financial Services (NYDFS) modifications to 23 NYCRR Part 500 and Australia's updated Cyber Security Bill push for stronger board engagement on cybersecurity, understanding this relationship becomes more than just good practice—it becomes a compliance requirement. Let's explore what both sides of this critical partnership need, where the relationship commonly breaks down, and how leading organizations are creating models of successful collaboration.

The Board's Evolving Cybersecurity Mandate

The heightened attention boards are paying to cybersecurity isn't happening in a vacuum. According to Gartner's 2022 Board of Directors Survey, 88% of board members now classify cybersecurity as a business risk rather than solely a technical issue. This represents a significant evolution in how boards perceive cybersecurity—from an IT problem to an enterprise-wide risk management challenge with direct implications for shareholder value, regulatory compliance, and business continuity.

This shift has been accelerated by several factors:

These factors combine to create what the National Association of Corporate Directors (NACD) has termed "a new board imperative" around cybersecurity governance. The NACD's Cyber-Risk Oversight Handbook now recommends boards treat cybersecurity as an enterprise risk management issue requiring regular board attention and expertise.

What Boards Expect from CISOs: Beyond Technical Expertise

Gee accurately captures the core expectations boards have of their CISOs, but additional context helps explain why these expectations are intensifying. Boards today expect CISOs to serve as strategic business leaders rather than just technical experts—a transformation that many security professionals find challenging.

Clear Risk Communication

The ability to translate complex cybersecurity concepts into business terms isn't just a nice-to-have skill; it's fundamental to a CISO's effectiveness. When CISOs fail to communicate clearly, boards can't effectively fulfill their risk oversight responsibilities.

A McKinsey study found that when CISOs present to boards, only 10% of board members fully understand the information shared, while 55% find cybersecurity reports overly technical and difficult to act upon. This communication gap represents a significant governance risk.

Effective CISOs have learned to frame security in business terms by:

Strategic Leadership and Business Alignment

Boards increasingly expect CISOs to demonstrate how security enables business strategy rather than simply protecting against threats. This requires a fundamental shift in how many CISOs approach their role.

As one board member of a major financial institution told me, "We don't want a CISO who just says 'no.' We want someone who can help us say 'yes, safely' to business innovations."

This expectation requires CISOs to develop deep business acumen alongside their technical expertise. Those who succeed are actively involved in business strategy discussions, digital transformation initiatives, and merger and acquisition activities—providing security guidance that enables business objectives rather than merely identifying risks.

Compliance and Governance Assurance

The regulatory landscape for cybersecurity has grown dramatically more complex. The EU's GDPR, California's CCPA, New York's SHIELD Act, and industry-specific regulations like HIPAA create a dense compliance matrix that boards expect CISOs to navigate confidently.

When boards receive regulatory findings addressed directly to them, as Gee notes, they need assurance that the CISO understands these requirements and has implemented appropriate controls. This creates pressure for CISOs to maintain comprehensive compliance programs with clear documentation and regular assessments.

Incident Preparedness and Response Capabilities

The inevitability of security incidents has shifted board expectations from "prevent breaches" to "respond effectively when breaches occur." This explains why boards are increasingly asking to review incident response plans and participate in tabletop exercises.

A 2023 PwC Digital Trust Insights survey found that 69% of boards now expect to be directly involved in incident response planning, up from 25% five years ago. This involvement isn't merely symbolic—board members increasingly understand their critical role in crisis communication, regulatory reporting, and strategic decision-making during major security events.

Business Enablement Through Security

Perhaps the most significant evolution in board expectations is the view that security should enable rather than inhibit business growth. This represents a paradigm shift from security as a cost center to security as a business enabler.

Boards are asking CISOs to demonstrate how security investments provide competitive advantages, enable new business models, and protect emerging technologies like AI and IoT. This requires CISOs to develop metrics that demonstrate security's contribution to business value, not just risk reduction.

What CISOs Need from Boards: The Often-Overlooked Half of the Equation

While boards have legitimate expectations of their CISOs, Gee's most valuable insight is highlighting what effective CISOs need from their boards. These requirements aren't simply CISO "wish lists"—they're essential components of effective cybersecurity governance.

Strategic Direction Aligned with Risk Appetite

CISOs need boards to clearly articulate the organization's risk appetite related to cybersecurity. Without this guidance, CISOs are forced to make critical security decisions based on assumptions rather than board-approved parameters.

Leading organizations are addressing this through formal risk appetite statements that explicitly define acceptable and unacceptable risks. For example, JPMorgan Chase's board has established specific cyber risk tolerance thresholds based on potential financial impact, reputational damage, and operational disruption. This gives their security team clear parameters for decision-making.

The alternative—CISOs operating without clear risk guidance—often leads to excessive security restrictions or dangerous gaps in protection. As one CISO of a healthcare organization told me, "Without board-level guidance on our risk appetite, I'm flying blind on how much security investment is appropriate versus excessive."

Cultural Reinforcement and Tone from the Top

Security culture requires board-level reinforcement to be effective. While CISOs can establish security policies and training programs, they need boards to reinforce the importance of security through consistent messaging and accountability mechanisms.

Microsoft provides an instructive example of how this works in practice. Their board's Regulatory and Public Policy Committee receives quarterly cybersecurity briefings and regularly communicates the importance of security to shareholders and employees. This board-level emphasis creates an organizational culture where security is viewed as everyone's responsibility.

When boards fail to set this tone, security becomes viewed as an IT department responsibility rather than a business imperative. This cultural disconnect creates fertile ground for the human errors that contribute to most security breaches.

Clear Mandate with Appropriate Authority

Perhaps the most critical need—and the one most frequently unmet—is for CISOs to have appropriate organizational authority backed by a clear boar...