CISOs must communicate with the Board in plain language!

CSOonline.com reported that “As CISOs gain stature and responsibility, the top security role only gets more demanding. In addition to having to continuously evaluate their security postures to determine what adjustments to make to adequately protect their organizations, today’s CISOs must align with the business in ways that enforce key business objectives — and bring questions and tradeoffs around risk management squarely in the spotlight.”  The June 23, 2025 article entitled “10 tough cybersecurity questions every CISO must answer” (https://www.csoonline.com/article/4009212/10-tough-cybersecurity-questions-every-ciso-must-answer.html) included these about “#3. What are the right metrics to present to the board?”:

CISOs need to demonstrate how they’re enabling the business, and that means identifying how to measure their work in ways that matter to the board, says Jeff Pollard, vice president and principal analyst with Forrester Research.

Data around the number of systems patched, mean time to response, and mean time to remediation don’t give the board any reason to think security is helping drive the business forward, he says.

Instead of using those, CISOs need to find metrics that speak to security’s role in supporting business objectives as well as metrics that enable better executive and board decision-making, Pollard says.

Here are all 10 Cybersecurity questions:

1. Am I a business enabler or an impediment?

2. How can we achieve the right security balance for our company’s risk tolerance?

3. What are the right metrics to present to the board?

4. What does cybersecurity mean to the organization?

5. Am I effectively communicating technical risks?

6. Does my team feel empowered to challenge me?

7. What do our customers want us to do for security?

8. Where does all the organization’s data really reside?

9. How will AI impact my staffing?

10. What’s the next attack that could surprise me?

What do you think about these Cybersecurity questions?