Governance & Risk

Why your CISO is not reaching the board

Not because the CISO is doing it wrong, but because the operating system to translate risk into board language is missing.

Cybersecurity is one of the biggest concerns for many organisations, yet only 29% of CISOs consistently reach board level (Gartner 2025). This communication gap can expose the organisation to significant risk. The problem often lies in the language barrier: technical detail is not always translated effectively into the language the board understands. As a result, critical risks stay underexposed and important decisions are deferred. With 63% of boards reporting that they do not understand cybersecurity well (Gartner 2025), it is essential to bridge technical and board language.

What organisations get wrong

The communication gap

CISOs often operate in a technical world full of jargon and complex concepts. That language does not connect with the language of the board, which focuses on business and financial considerations. The communication gap means that important information can be lost or misunderstood. This can lead to a lack of action or the wrong priorities, leaving the organisation exposed to cyber threats.

Why risks stay invisible

The challenge lies in translating technical risks into a context the board can understand. Without a common language, risks stay invisible or are underestimated. This can lead to a shortage of budget or resources for essential cybersecurity controls. It is critical that CISOs learn to convert technical detail into implications that resonate with the board.

How it works instead

The impact of miscommunication

Miscommunication about cybersecurity can lead to poor decision-making and heightened exposure. The board may take decisions without full insight into the risks, which can result in inadequate security controls and a higher likelihood of cyberattacks.

The role of the CISO

CISOs need to act as bridge-builders between the technical and board worlds. By translating technical risks into insight, they can better inform the board and make the case for investment in cybersecurity.

The value of a common language

A common language for risk is essential to ensure effective communication between the CISO and the board. It lets you prioritise cybersecurity within the broader business strategy and secure the resources you need.

What it delivers

Communication to the board. Improved communication between CISOs and the board leads to better-informed decisions and more effective cybersecurity strategies.

Translation. By converting technical risks into insight, CISOs can make the importance of cybersecurity clearer and secure the resources they need.

Common language. A common language for risk makes it possible to prioritise cybersecurity and strengthens the overall business strategy.

Developing a common language for risk is critical to bridging the gap between CISOs and the board. Read more about our approach.


Translate this question to your organisation.