When it comes to cybersecurity, there’s often a language barrier between technical teams and the board of directors. While you’re talking about phishing, zero-day vulnerabilities, and lateral movement, they’re thinking about budgets, growth, and reputation. Bridging this gap is crucial: if the board doesn’t understand the risks, it won’t back the resources you need to defend the company. So, how do you communicate cybersecurity risk to a boardroom of non-techies? Here are some pointers.

Know Your Audience

The board isn’t interested in firewalls or penetration testing jargon. They care about:

  • Business Impact: How does this risk affect revenue, reputation, and operations?
  • Regulatory Concerns: Will this get us fined or flagged by regulators?
  • Strategic Alignment: How does addressing this risk fit into the company’s goals?

Start by framing cybersecurity in terms they understand: business value and risk management.

Speak Their Language

Drop the tech acronyms and focus on clear, relatable language. For example:

  • Instead of “DDoS attacks,” say, “A disruption that could make our website unavailable, leading to lost sales.”
  • Instead of “data breach,” say, “Unauthorized access to sensitive customer data, which could result in legal penalties and damage our reputation.”

Translate cybersecurity threats into business risks and opportunities for resilience.

Prioritize and Quantify Risks

Not all risks are equal. The board wants to know where to focus its attention. Here’s how to make your case:

  1. Prioritize Risks: Use frameworks like the NIST Risk Management Framework to rank risks by likelihood and impact.
  2. Quantify: If possible, assign a dollar amount to potential losses. For example, “A ransomware attack could cost us $3 million in downtime and recovery.” Multiple methodologies have been proposed for cybersecurity risk quantification; in practice, however, they either require complete and perfect data or produce fuzzy outcomes. Until we improve or build better methodologies, my advice is: use common sense and focus on strategic risks.

Provide Visuals

Most people process information visually. Use:

  • Charts and Graphs: Show trends in attacks, defense efficiency, and compliance.
  • Heatmaps: The cyber illuminati are split on this one. Some love them, some hate them. The idea is to visually highlight the most critical risks.
  • Case Studies: Share examples of similar companies impacted by the risks you’re discussing.

Make it simple, but impactful. Avoid overwhelming them with too much data on a single slide.

Highlight Solutions, Not Just Problems

No one likes a doomsday messenger. Always pair risks with solutions:

  • “Our outdated software poses a risk, but migrating to the latest version can reduce our exposure by 70%.”
  • “Phishing attacks are on the rise, but implementing employee training can reduce click rates by half.”

This approach reassures the board that the team is proactive, not just reactive.

Emphasize ROI on Cybersecurity Investments

Cybersecurity is often seen as a cost center, so you need to show the return on investment (ROI). For example:

  • “Investing in threat detection tools can prevent incidents that cost 10x more to fix after the fact.”
  • “Spending $200k on endpoint security could save us millions in ransomware payouts.”

Make cybersecurity spending feel like an investment in the company’s future, not just a line item. Ensure the risks you’re mitigating align with the business strategy and priorities.

Prepare for Tough Questions

The board will ask questions like:

  • “How does this compare to our competitors?”
  • “What’s our exposure to regulators?”
  • “Are we spending enough, or too much, on cybersecurity?”

Be ready with concise answers and supporting data. If you don’t know something, admit it and commit to following up.

Foster a Culture of Security

Encourage the board to:

  • Make security a core value, especially in high-risk industries.
  • Back policies that encourage accountability across teams.
  • Support ongoing education for both employees and leadership.

Takeaway

Communicating cybersecurity risk to the board isn’t just about sharing facts; it’s about telling a compelling story. Frame cybersecurity as a critical enabler of business success, not just an IT issue. And like any other relationship, building one with the board takes time and hard work.