It’s time to stop blaming CISOs for poor communication—and start redesigning boardroom dynamics.
You don’t have to search far online or on social media to find articles discussing the difficulties CISOs face when engaging with the Board. Most of them repeat the same familiar refrain: CISOs don’t speak the language of the business and need to learn it. According to this view, better communication hinges on CISOs adapting their style to meet executive expectations, explaining their work in commercial terms, and making their teams’ value clear.
But to me, this argument is a legacy of two decades of failed bottom-up thinking in cybersecurity. It’s time to rethink the model. If the goal is truly effective board-level engagement, new dynamics need to be introduced—ones that shift responsibility onto both parties, not just the CISO.
First, let’s recognize that most Boards no longer need convincing that cybersecurity matters. That conversation is over. What they do need is a clear understanding of the specific and evolving threats their organizations face—and how those threats intersect with operational realities and strategic goals.
This requires more than a token appearance from the CISO once or twice a year. That may tick a compliance box, but it won’t build the trust or familiarity required for meaningful dialogue.
CISOs are, by and large, technologists by background. There’s nothing wrong with that; in fact, it reflects the origins and evolution of the CISO role since it first emerged in the 1990s. While many CISOs have grown into broader corporate responsibilities, their strengths often remain in the technical domain, not in navigating the political and strategic complexities of the boardroom.
Boardrooms, meanwhile, are inherently political environments, full of competing priorities, shifting agendas, and complex personalities. Without understanding these dynamics—or the broader context of what’s happening at the top of the business—even the most well-prepared CISO will struggle to connect their message to what matters most at that level.
External experts or non-executive directors may offer general knowledge and risk context, but only the CISO can provide a grounded view of the firm’s actual security posture. The catch? They can only do this effectively if the Board gives them the context they need to tailor that input to the moment.
This goes far beyond the oft-repeated call to “align cyber strategy with business strategy.” What’s needed is an ongoing alignment of execution—across the strategic lifecycle of the business. And that lifecycle is constantly shifting due to mergers, acquisitions, leadership changes, market dynamics, technological evolution, and global disruptions.
For Board-level conversations about cybersecurity to be truly valuable, they need to reflect this complexity. Cybersecurity is, by nature, a cross-functional and evolving challenge. That’s why I believe Boards would benefit from embedding a broader role—one that spans all aspects of business protection and compliance—at the executive level.
A “Chief Security Officer” (CSO), positioned at the top of the organization, could be pivotal in reshaping corporate engagement around cybersecurity. This role would relieve CISOs of reporting burdens for which they are often ill-equipped, allowing them to focus on the technical and operational aspects where they add the most value.
Meanwhile, having a peer at the Board table—a CSO who understands both security and corporate dynamics—would help foster better communication and build the trust needed for productive dialogue.
If companies are serious about addressing the CISO–Board disconnect, it’s time to stop asking CISOs to perform impossible tasks. Instead, they should rewire the conversation—and the structure—so both sides can meet halfway.
JC Gaillard is the Founder and CEO of Corix Partners, a London-based Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation and Governance challenges.
He is a leading strategic advisor and a globally recognised cyber security thought leader with over 25 years of experience developed in several financial institutions in the UK and continental Europe, and a track record of driving fundamental change in the security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.
A French and British national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris and has been co-president of the Cyber Security group of the Telecom Paris alumni association since May 2016.