<p>Hundreds of security leaders from across industries recently packed a ballroom in National Harbor, Md., to tackle a challenge some consider even more daunting than nation-state hackers or AI-fueled cyber threats: presenting to a company’s board members so they understand and appreciate the formidable cybersecurity risks the organization faces.</p>
<p>”How many of you get excited when your annual car insurance premiums come up for renewal?” said Sam Olyaei, a managing vice president at Gartner, during the session at the Gartner Security and Risk Management Summit 2026. “That is how the board has viewed cybersecurity. It’s a regulatory thing. It’s a checklist. It’s an attestation.”</p>
<p>Ten years ago, according to Olyaei and Gartner analyst Tom Scholtz, only 25% of CISOs presented to their boards. A show of hands from session participants suggested nearly all do today. With <a href=”https://www.techtarget.com/searchsecurity/feature/10-biggest-data-breaches-in-history-and-how-to-prevent-them”>major data breaches</a> now often making headlines, the board’s view of those presentations is also changing. According to Gartner, 93% of board members agree that cyber-risk poses a threat to shareholder value, while 98% believe threats will grow within the next two years. The challenge, according to Olyaei and Sholtz, is that executive boards don’t share the same priorities as CISOs and rarely speak the same figurative language. </p>
<section class="section main-article-chapter" data-menu-title="Know your audience">
<h2 class="section-title">Know your audience</h2>
<p>CISOs in attendance shared that they struggle to translate the abundance of <a href="https://www.techtarget.com/searchdatamanagement/feature/Why-data-driven-operations-must-measure-data-culture">operational data</a> into narratives that resonate with their boards. That problem stems from a common disconnect, according to the Gartner analysts.</p>
<p>“Many of the reports that I review are actually structured around cybersecurity, not around the business,” Scholtz said. “When we talk about things in cybersecurity terms, we get very enthusiastic about it. My wife says, ‘Normal people don’t get excited about that stuff.’”</p>
<p>Know your audience and consider what they can easily digest, Olyaei added. Otherwise, important messages get lost in translation.</p>
</section>
<section class="section main-article-chapter" data-menu-title="Use financial reports as templates">
<h2 class="section-title">Use financial reports as templates</h2>
<blockquote class="main-article-pullquote">
<div class="main-article-pullquote-inner">
<figure>
Many of the reports that I review are actually structured around cybersecurity, not around the business.
</figure>
<figcaption>
<strong>Tom Scholtz</strong>, Analyst, Gartner
</figcaption>
</div>
</blockquote>
<p>CISOs should try using monthly or quarterly financial reports as templates for <a href="https://www.techtarget.com/searchsecurity/tip/CISOs-guide-to-creating-a-cybersecurity-board-report">cybersecurity board reporting</a>, the Gartner analysts suggested. Finance is the lexicon of the board, and a cybersecurity report that follows that structure makes intuitive sense to corporate directors.</p>
<p>Olyaei and Scholtz presented the following example:</p>
<h3>Balance sheet: Cybersecurity program’s current state</h3>
<p>Analogous to a financial report’s balance sheet, this section provides a point-in-time snapshot with easily digestible heat maps and logarithmic scales showing top cyber-risks and potential financial impact.</p>
<p>Program status is presented as the <i>state of execution</i> against the approved strategy roadmap and the number of projects started, completed or overdue. The board sees the statuses of production-level agreements, such as patch cadence, incident containment time and incident remediation time. Through charts and graphics, this section also summarizes penetration tests, vulnerability assessments and audit findings.</p>
<h3>Income statement: Cybersecurity business performance</h3>
<p>Just as a financial report’s income statement shows macro changes in business performance, this section does the same for cybersecurity. It communicates expected financial losses or improvements due to threats, automation, process changes, the regulatory environment or external trends.</p>
<h3>Cash flow statement: Cybersecurity resource allocation</h3>
<p>This section sh</p>
</section>