The changing language of cyber: communicating with the board
With the cost of cyber attacks clearer than ever before, how can CISOs use this data to convince boards that cybersecurity is worth the investment?
There’s no doubt that cyber-attacks directly impact company revenue and reputation. The results are clear to see: Jaguar Land Rover (JLR) has revealed a 24.2% drop in volume sales in the three months up to September 30, largely as a result of the ongoing cyber incident.
The downstream costs of the August breach could be even higher. Based on the substantial disruption to JLR’s manufacturing and supply chain, the attack could end up being the most expensive cyber event in British history, costing between £1.6 billion and £2.1 billion, according to the Cyber Monitoring Centre.
IBM’s Cost of a Data Breach report estimates the average cost of an incident at $4.44 million in 2025. Meanwhile, global cybersecurity spending is set to increase by 12.2% this year and to reach over $377 billion by 2028, according to analyst IDC.
Yet with technology such as AI fuelling attacks, incremental increases in spend do not always match the threats chief information security officers (CISOs) face. Despite incidents such as JLR putting the cost of cyber attacks in the headlines, CISOs often find they are expected to ensure resilience against increasing threats with minimal or no budget increase.
It’s clear CISOs now need to change the conversation at board level to convince company executives that cybersecurity is worth the investment. But currently, many boards fail to properly understand the role of security in the company.
Not a strategic investment
The area is often viewed as “a cost center rather than a strategic investment”, says Meredith Griffanti, global head of cybersecurity and data privacy communications at FTI Consulting.
Adding to the issue is poor communication between CISOs and the board. “Security teams and boards often speak completely different languages,” Scott Walker, chief architect at Orange Cyberdefense, points out. “While CISOs talk about vulnerabilities and threat vectors, boards are interested in revenue, margin and risk exposure.”
Making things worse, CISOs often use long PowerPoint presentations, which fail to gain the board’s attention. This leaves executives “unsatisfied”, while the CISO’s key points are unheard, says Griffanti.
At the same time, CISOs can struggle to demonstrate the return on investment (ROI) needed to encourage increased spend. “Instead of circling back to show progress on something that was funded, they’re showing up with the same long PowerPoint, perpetuating the problem,” according to Griffanti.
CISOs are often from a very pragmatic and helpful background – but this can be used against them, says Kristina Holt, cybersecurity expert and managing associate at law firm Foot Anstey. “I've seen examples of CISOs inadvertently taking risk upon their own shoulders, or allowing what should be short term mitigations to stay in place for too long, because they didn't want to be seen as difficult.”
Convincing the board
To change the conversation and convince the board of the need to invest, CISOs can use case studies to illustrate specific points, and talk about the consequences, says Ben Davison, founder of Axiologik.
For example, a lack of multi-factor authentication (MFA) at Colonial Pipeline led to its notorious 2021 breach, for which a $4.4 million ransom was paid.
Meanwhile, technical models can be used to quantify ROI for security investments, including return on security investment (ROSI), says Davison. “This quantifies the cost of investments in controls versus the likely impact if the investment wasn’t made,” he explains.
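The ROSI comparison Davison describes, worked through in code. This is an added example and is not code from the article or from Axiologik; it uses the widely cited ENISA formulation ROSI = (ALE × mitigation ratio − control cost) / control cost, where ALE (annualised loss expectancy) is the single-loss estimate multiplied by the expected yearly frequency. The ransomware scenario, the four candidate controls and all of the figures are constructed for illustration, and the mitigation ratios are assumptions a real team would have to estimate and defend.

```python
"""Rank candidate security controls by return on security investment (ROSI).

Added example. Formula assumed: the ENISA ROSI formulation, not anything
the article itself defines. All figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # yearly cost to buy, deploy and run the control
    mitigation_ratio: float   # estimated fraction of the scenario loss it removes (0..1)


def annual_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """ALE = SLE x ARO: the 'likely impact if the investment wasn't made', per year."""
    if single_loss < 0 or annual_rate < 0:
        raise ValueError("loss and rate must be non-negative")
    return single_loss * annual_rate


def rosi(ale: float, control: Control) -> float:
    """ROSI = (ALE * mitigation_ratio - cost) / cost.

    Positive means the control is expected to avoid more loss than it costs;
    negative means, for this scenario alone, it does not pay for itself.
    """
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    if not 0.0 <= control.mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    avoided_loss = ale * control.mitigation_ratio
    return (avoided_loss - control.annual_cost) / control.annual_cost


def breakeven_mitigation_ratio(ale: float, annual_cost: float) -> float:
    """Smallest mitigation ratio at which a control of this cost breaks even (ROSI = 0)."""
    if ale <= 0:
        raise ValueError("ALE must be positive to compute a break-even ratio")
    return annual_cost / ale


def rank_controls(ale: float, controls: list[Control]) -> list[Control]:
    """Order controls from best to worst ROSI against one scenario."""
    return sorted(controls, key=lambda c: rosi(ale, c), reverse=True)


def board_summary(ale: float, controls: list[Control]) -> list[tuple[str, float, float]]:
    """Rows of (name, yearly loss avoided, ROSI) in ranked order, for a one-slide table."""
    return [(c.name, ale * c.mitigation_ratio, rosi(ale, c)) for c in rank_controls(ale, controls)]


# Constructed scenario: a ransomware event estimated at a $2m single loss,
# expected once every five years (ARO = 0.2), giving ALE = $400,000.
SCENARIO_ALE = annual_loss_expectancy(single_loss=2_000_000, annual_rate=0.2)

# Constructed candidate controls; costs and ratios are assumptions, not measured data.
CONTROLS = [
    Control("MFA", annual_cost=60_000, mitigation_ratio=0.50),
    Control("immutable backups", annual_cost=90_000, mitigation_ratio=0.60),
    Control("EDR", annual_cost=250_000, mitigation_ratio=0.70),
    Control("premium SIEM", annual_cost=500_000, mitigation_ratio=0.30),
]


if __name__ == "__main__":
    print(f"Scenario ALE: ${SCENARIO_ALE:,.0f}")
    for name, avoided, r in board_summary(SCENARIO_ALE, CONTROLS):
        print(f"{name:<20} avoids ${avoided:>10,.0f}/yr   ROSI {r:+.2f}")
    print(f"MFA breaks even at a mitigation ratio of "
          f"{breakeven_mitigation_ratio(SCENARIO_ALE, 60_000):.0%}")
```

The ranking is what goes on the slide: in this constructed scenario MFA and immutable backups return several times their cost, EDR roughly breaks even, and the SIEM shows a negative ROSI against this one risk (it may still be justified by other scenarios, which is why the model is run per scenario and the results aggregated). The break-even ratio is the number to bring when a mitigation estimate is challenged: it states how little the control has to achieve before it pays for itself.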
As part of quantifying the risk in terms boards will understand, Davison advises asking: “How susceptible are we to phishing? If someone got into our network, how susceptible would we be to a ransomware attack? How easy would it be to exfiltrate data? How confident are we that we could recover our services?”
CISOs should strive to create a “simple, repeatable framework” for board reporting, says Griffanti. “The presentation should consider the current threat environment, the company’s risk profile, and what mitigation measures are being deployed to defend it,” she advises.
Meanwhile, Griffanti suggests laying out key initiatives year on year. “Regularly return to those for progress updates. If certain initiatives are behind schedule, explain why and what is needed to get back on track.”
CISOs can also benefit from using “creative strategies”, she says. For example: “Bringing in industry partners to help emphasize certain points, or identifying a particular director to help them become cyber-savvy and an advocate on the board.”
Boost security on a budget
Even with increased investment, the current business landscape means budgets are likely to remain tight, at least for a while. With this in mind, organizations should take a risk-based approach, ensuring they’re focusing on “the fundamentals of a solid cyber program”, says Griffanti.
This starts with an asset inventory, so the cybersecurity team knows what they need to protect, she explains. Other basics such as “strong access controls” and “a meticulous patch management program” should also be top of the list, according to Griffanti.
When budgets are limited, firms need to focus on “the best bang for your buck”, says Davison. “You cannot fully eliminate risk, so you first have to prepare for the worst and prioritize those existential issues. This means ensuring your data is backed up and ransomware protected, and you’re implementing controls and monitoring to protect against data exfiltration. It also means you know how to restore your services in the event of a breach.”
Employee awareness training and engagement with leadership on today’s threats are “another must”, according to Griffanti. At the same time, ensuring incident response and crisis communications plans are in place and are regularly tested will help to ensure operational and reputational resilience, she adds.
It makes sense to invest in initiatives such as firewalls, cyber training and encouraging the workforce to “take pride in good cyber and data security”, says Cate Pye, global lead for digital trust and cyber security at PA Consulting.
CISOs should also strive to offer more visibility to the information security team, according to Pye. She recommends making cybersecurity team members “more accessible”, while encouraging the workforce to come forward and report data or cyber security issues. “This vastly expands the ability of the security team to respond to and identify risks across the organization by making it a whole workforce effort.”
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.