
The board meeting was going well—until it wasn’t. The CFO shifted in their chair, the CEO checked their watch, and the general counsel pursed their lips. You had just finished explaining the latest security risks and vulnerabilities with your thorough, impeccably planned presentation.
And while they nodded and thanked you politely, and maybe even asked you a couple of questions — as they always do—their faces left you with a nagging doubt: how much of it did they really get?
You’re in good – and overwhelmingly common – company.
A snapshot of the industry reveals that the average board member has limited-to-no understanding of cybersecurity: 59% of directors admit they struggle to understand cyber risk drivers, according to a 2022 PwC report.
Moreover, even though cybersecurity is the area of oversight that corporate leaders find most challenging, according to the Diligent Institute and Corporate Board Member survey, boards are not doing enough to close the education and communication gap:
- Only 47% of board members interact regularly with their CISOs, according to the Harvard Business Review.
- Checkmarx’ own 2024 survey of 200 CISOs revealed that 20% of their boards don’t ask about application security.
- Only 51% of boards reviewed their process for identifying and disclosing a cybersecurity incident, according to a 2025 survey.
- Another study reveals that 60% of board members felt they had insufficient training on cyber resilience in the past year.
Little wonder, then, that many CISOs who enter the boardroom armed with metrics on attack vectors, vulnerability counts, and compliance checklists are met with confusion or polite indifference.
The issue isn’t that boards don’t consider cybersecurity important: 74% of companies in the Russell 3000 index have codified cybersecurity oversight at the board or committee level.
But the reality is that most boards are made up of executives with backgrounds in finance, law, and operations — usually not security. For example, consider the board of a publicly traded coffee chain valued at $9 billion (Dutch Bros). Of the ten board members, seven come from retail, two from finance, and just one from cybersecurity, and this is not an outlier.
When a typical board must deal with the topic of cybersecurity in practice, their “complexity aversion bias” kicks in, and they’d rather brush past it to check the necessary boxes, to move on to the topics that are closer to their comfort zone. This self-reinforcing cycle only widens the communication gap and perpetuates the problem.
CISOs live in a world of security frameworks, attack vectors, and risk mitigation. Board members, however, speak the language of EBITDA margins, capital allocation strategies, and competitive market positioning. When this disconnect isn’t addressed, cybersecurity budgets get slashed, critical security initiatives stall, and CISOs are left out of key business decisions.
If security leaders want to get board-level buy-in, they must learn how to translate their messaging to the language that the board would understand. They must master ‘Boardish.’
What’s the Cost of Not Speaking ‘Boardish’?
When cybersecurity isn’t communicated effectively, there can be dire consequences:
- Getting security budgets approved is a struggle, and security spending is at constant risk of being deprioritized in favor of revenue-generating initiatives.
- CISOs are sidelined from the strategic decision-making process, often finding out about big moves when they’re already underway and having to adjust on the fly.
- Insurance premiums spike unexpectedly as cyber insurance becomes both more expensive and more restrictive, creating significant budget disruptions.
- Crisis response is chaotic during incidents, directly impacting breach costs and recovery time when boards haven’t authorized proper incident response resources.
- Compliance violations escalate in severity as boards often don’t grasp the difference between technical findings and material violations with financial consequences.
- Competitive disadvantages develop as security becomes a market differentiator, affecting revenue when sales cycles lengthen due to customer security requirements.
- Disconnected risk management frameworks emerge where security metrics don’t align with the enterprise risk appetite the board has established.
- Third-party risk management becomes ineffective as boards approve vendor relationships without understanding the technical security implications.
- Most importantly, no matter what happens along the way, the buck stops with the CISO. They remain accountable for breaches and security failures, even when boards fail to listen, understand, or allocate resources necessary for adequate security measures. This accountability paradox creates a precarious position where security leaders bear responsibility for outcomes they weren’t empowered to prevent—potentially putting their careers, reputation, and even legal standing at risk.
These consequences aren’t just theoretical risks—they represent real business impacts that are ready to materialize at any moment (if they haven’t already) when the translation gap between security and business leadership persists. That’s why mastering ‘Boardish’ isn’t optional—it’s the difference between being viewed as a cost center or a strategic business partner.
So, how does one approach speaking ‘Boardish’? Recognize that the Board is not one audience.
Board members have different priorities and perspectives. The CFO may worry about financial impact, while the CEO focuses on business continuity and the General Counsel prioritizes regulatory compliance. Think of it as different dialects of ‘Boardish’ – each member speaks the same language, but with distinct vocabulary, concerns, and priorities that reflect their expertise and responsibilities.
Who’s in the Room?
According to Spencer Stuart’s 2024 U.S. Board Index, among newly appointed S&P 500 directors:
- 29% have financial expertise
- 30% are active or retired CEOs
- 19% come from the technology/telecommunications sector
Common Biases
We all have biases, and board members are no exception. Whether conscious or unconscious, these biases shape how they perceive cybersecurity risks and decisions. Biases vary from one individual to another, based on their background, position, current concerns, and more. Understanding these tendencies can help CISOs navigate boardroom discussions more effectively.
Here are examples of the most common biases that can influence cybersecurity conversations at the board level:
- Complexity Aversion Bias: As we mentioned above, board members may avoid engaging with complex cybersecurity issues due to a lack of understanding, leading to oversimplified solutions that fail to address the root causes of security challenges. This bias can result in inadequate security measures and increased vulnerability to sophisticated cyber threats.
- Loss Aversion Bias: The tendency to prefer avoiding losses over acquiring equivalent gains can lead boards to adopt overly conservative cybersecurity strategies, potentially hindering necessary investments in innovative security solutions. This bias emphasizes the fear of potential losses, which can prevent taking calculated risks essential for robust cybersecurity postures.
- Groupthink: The desire for harmony and conformity within the board can suppress dissenting opinions, leading to unchallenged assumptions about cybersecurity risks and a lack of critical evaluation of security strategies. This phenomenon can result in overlooked vulnerabilities and inadequate preparedness for cyber incidents.
- Ambiguity Aversion (Ellsberg Paradox): Boards may favor decisions with known probabilities over those with uncertain outcomes, even if the latter could lead to better security results. This aversion to ambiguity can limit the exploration of innovative cybersecurity approaches that carry uncertain but potentially significant benefits.
- Bikeshedding (Law of Triviality): Boards might spend disproportionate time on trivial cybersecurity issues that they understand better, neglecting more critical, complex matters that require their attention. This focus on minor details can divert resources from addressing significant security threats and processes.
Typical Personas and How They View Security
As we’ve seen, boards consist of members with diverse backgrounds. Each of these professionals brings not only specific expertise but also a distinct perspective on cybersecurity that CISOs must learn to recognize and address.
Successfully communicating with your board requires more than generic business language. It demands tailored messaging that resonates with each member’s professional lens and priorities. By identifying these common board personas and understanding what drives their decision-making, you maximize your chance of influencing their decisions and helping them understand the value of your work.
Here are some key common board personalities you’ll encounter, and what drives their decision-making:
The CFO (Financial Expert):
- Focuses on: Cost and financial implications.
- Wants to know: How does this investment prevent financial losses? Will it improve operational efficiency? Why should we prioritize it over other business initiatives?
- Frame security as: A financial safeguard and risk-reduction investment with ROI that exceeds the opportunity cost of alternative investments.
The Former Entrepreneur (Growth-focused):
- Knows that security incidents can derail growth trajectories and damage hard-won market positioning. This persona needs to see security as a deal enabler rather than a brake on growth.
- Frame security as: A value protector that prevents disruptions to growth momentum and preserves the company’s market position and valuation.
The Private Equity Representative:
- Prioritizes investment returns and company valuation.
- Wants to know: How does this security investment protect or increase the value of their investment? Will it improve exit multiples or prevent value destruction?
- Frame security as: A value preservation mechanism that protects the investment from catastrophic risks and maintains the planned growth and exit trajectory.
The Cybersecurity Expert:
- Wants validation that the right technical measures are in place but doesn’t need a deep dive.
- More interested in governance, oversight, and risk management frameworks.
- Frame security as: A strategic program aligned with industry best practices. Demonstrate your point with commonalities and parallels to what they or other respected CISOs did elsewhere.
The Compliance & Audit Specialist:
- Concerned about regulatory alignment, liability reduction, and avoiding fines.
- Will emphasize compliance-driven security needs, particularly in light of the SEC cybersecurity disclosure rules, which require public companies to disclose material incidents on Form 8-K within four business days of determining that an incident is material.
- Frame security as: A compliance necessity that mitigates regulatory risk.
The CEO (Former CRO, Sales-Focused):
- Needs to know how security enhances customer trust, brand reputation, and business continuity.
- Frame security as: A business enabler that strengthens brand and market position.
The COO (Operations-Focused):
- Focuses on resilience and uptime.
- Might ask whether security measures will slow down operations or create inefficiencies.
- Frame security as: A safeguard that ensures operational continuity without disruption.
Actionable Tip: Map the composition of your board and research the board members’ backgrounds, priorities and potential biases. Tailor your security pitch to align with their concerns, ensuring engagement and strategic buy-in. The more relevant and digestible your message, the more likely it is to resonate.
Tailor the Message to the Moment
Context matters hugely in board communications. Just as different board members require different messaging, different scenarios demand different framing. Security reports should never be one-size-fits-all. Let’s look at how to handle a few common boardroom scenarios:
How to Communicate in Key Scenarios
Asking for a Budget Increase?
- Emphasize ROI, cost savings, and competitive advantage.
- Don’t say: “We need $1M for new security testing tools.”
- Do say: “A $1M investment will reduce the risk of API-related data leaks, which cost enterprises an average of $4.35M per breach.”
Providing a Security Overview or Promoting a Strategic Initiative?
- Focus on business impact, industry trends, and regulatory risk.
- Don’t say: “Our new framework follows OWASP ASVS and ISO 27001 controls.”
- Do say: “By integrating security into the development pipeline, we ensure compliance with relevant regulatory demands and reduce exploitable vulnerabilities by 50%, keeping our applications secure and compliant.”
Discussing Emerging Threats?
- Emphasize peer comparison, financial impact, and actionable intelligence.
- Don’t say: “The threat landscape is evolving with new attack vectors targeting our industry.”
- Do say: “Three of our competitors faced supply chain attacks last quarter with average recovery costs of $2.8M. Here’s our exposure to similar threats and what we’re doing to protect ourselves.”
Responding to an Incident?
Be direct and precise. Explain what happened, the immediate impact, what is still under investigation, and how the company is mitigating the risk. Don’t claim more certainty than the investigation supports: what you tell the board may end up in a regulatory disclosure.
- Don’t say: “We detected anomalous activity in our production environment.”
- Do say: “An insecure third-party dependency in our e-commerce application allowed unauthorized access. We patched it within six hours, and so far our investigation has found no evidence that data was stolen. The implications are…”
Actionable Tip: Develop a playbook for different boardroom scenarios and practice framing security insights in business terms. For a reference on structuring response playbooks, see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks.
Use Financial and Business Terms Instead of Security Jargon
In a recent Checkmarx survey of over 200 CISOs, only 25% report on anything beyond vulnerability metrics, such as application-level and business risk. This communication gap leaves board members unable to connect security investments with business outcomes.
To bridge the communication gap with your board, focus on quantifying security in business terms wherever possible. Here are some examples of terminology and business metrics you can consider using:
- Industry Benchmarks: “Similar breaches in our industry cost an average of $4.2M”
- Comparative Analysis: “This control addresses the vulnerability that led to our competitor’s breach last quarter”
- Operational Impact: “This security feature reduces friction in our customer verification process by 30%”
- Compliance Requirements: “Implementing this control satisfies requirements for the financial sector RFPs we’re pursuing”
- Relative Risk Reduction: “This initiative addresses our highest-priority risk area, which puts 15% of our revenue at risk”
- Customer Expectations: “Our top five enterprise customers now require this certification in their contracts”
- Efficiency Metrics: “This automation reduces manual security reviews, freeing 20% of our security team’s capacity”
- Project De-risking: “This approach reduces security-related delays in our product roadmap by an estimated 30%”
Actionable Tip: Build cross-functional partnerships to strengthen your business case. Work with finance to estimate potential breach costs, sales to identify security-driven opportunities, legal to quantify compliance risks, and product teams to measure security’s impact on development velocity. These partnerships not only improve your board communications but also integrate security more deeply into business operations.
How APMA Can Help CISOs Prepare
A strong security strategy begins with understanding where your organization stands today and identifying areas for improvement. That’s where the Application Security Program Methodology & Assessment (APMA) comes in.
What is APMA?
APMA is a structured framework developed by Checkmarx to help CISOs assess, benchmark, and enhance their application security maturity. It provides actionable steps to align security initiatives with business goals and industry best practices.
3 Ways APMA Supports Board-Level Communication
- Clarity in Risk Reporting – APMA helps CISOs present clear, structured security insights to the board, ensuring risks and priorities are framed in business terms.
- Strategic Roadmap for Improvement – With APMA, CISOs can outline a clear maturity journey that shows tangible progress over time. This is a useful framework to present to the board.
- Data-Driven Decision Making – The assessment generates measurable insights, enabling CISOs to support conversations and reporting with strong, data-backed arguments.
Actionable Tip: Take the complimentary APMA digital assessment to evaluate your current security maturity and identify areas for improvement. Start your assessment now.
Final Thoughts: Cybersecurity Needs a Bilingual CISO
The most effective security leaders aren’t just technical experts—they’re business translators who can move fluidly between security concepts and board priorities.
The boardroom is where funding decisions are made, strategic initiatives are prioritized, and risk tolerance is set. If CISOs aren’t part of those conversations, both their organizations and their careers remain vulnerable.
Speaking ‘Boardish’ fluently isn’t just about getting budget approval for the next security tool. It’s about elevating security to a strategic business function with a seat at the decision-making table.
In the boardroom, the clarity of your communication is just as important as the quality of your security program. Even the most sophisticated security strategy will hit a brick wall if you can’t get the board to understand, value, and get behind it.
Your challenge is clear: Learn to speak the board’s language, so your message doesn’t get lost in translation.