Six tips for talking more effectively to corporate boards

Affecting the C-suite: The CSO's reputation in today's corporate environment

COMMENTARY: Here's what I've learned after decades in this business: if someone walks into a boardroom pitching security, they’ve already lost the room.

Boards don't fund abstract concepts. They fund outcomes they can measure, defend to shareholders, and explain when events turn sideways.

The conversation isn't about the team’s latest SIEM deployment or whether they have implemented SASE. It's about whether the business can survive what's coming next.

Because something will always come next.

I've sat through too many presentations where talented security leaders bury their ask under acronyms and architecture diagrams. Meanwhile, the CFO checks his email, and the CEO wonders when lunch will arrive.

Here are some ways to get right to the point:

  • Strip it down: A ransomware response plan isn't a security initiative—it's insurance for the company’s cash flow and brand value. It's the difference between a three-day disruption and a three-week nightmare that makes the evening news. Tell it to them like this: "Our $2.5 million investment will address the organization’s three biggest revenue-disruption scenarios. My team’s modeling shows it reduces potential losses by $12 million and cuts expected recovery time by a day and a half." That's a business case. That's a conversation about return on investment, not a wish list of tools. Cyberattacks matter to boards because they halt operations, damage reputations, and destroy customer confidence. The technology is just the means to an end.
  • Be realistic about what the security team can control: Don’t promise that the security team can eliminate all cyber risk. That’s like promising to stop hurricanes. Phishing will always exist. Vulnerabilities will always emerge. Threat actors will always evolve. Insider threats happen. A CISO's job isn't to create a fortress—it's to build resilience into the organization so that when something breaks through, the team’s ready. I tell boards plainly that while we can't prevent every attack, we can choose not to be an easy target. We can decide which risks to reduce through investment, which risks to transfer through insurance, and which we're willing to accept because the cost of mitigation outweighs the likelihood and impact of a breach. That honest conversation about risk appetite matters more than any vendor pitch ever will.
  • Show some realistic data points: Boards want assurance, not adjectives. Most boards simply want to know the following: If the company gets breached, can we look our customers, regulators, and the public in the eye and honestly say we did what any reasonable company should have done? Build a narrative around evidence with a simplified risk register. Show them the independent audits. Walk them through recent tabletop results. Demonstrate that the company’s incident response capability was tested and measured. This shifts the dynamic from "trust me, I'm an expert" to "here's the proof."
  • Connect security to business performance: A strong security team does more than find problems. When we catch vulnerabilities early, we’re saving time and money on mitigation costs and delays. When we reduce third-party risk, we're protecting revenue streams and avoiding supply chain disruptions. The metrics that matter to boards are straightforward: When something goes wrong, how quickly do we detect it, contain it, and restore operations? Skip the vanity metrics. A dashboard with 40 green checkmarks tells them nothing. Three trend lines showing improving detection speed, declining exposure, and faster recovery times tell them everything.
  • Turn compliance into momentum: SEC disclosure rules, HIPAA requirements, GLBA compliance, PCI-DSS standards, CMMC certifications—these aren't obstacles. They're leverage. Regulatory expectations create urgency and unlock budgets. But only if they are framed correctly. Don't position compliance as a burden or a checkbox exercise. Show how the same investments that satisfy regulatory requirements also reduce the probability of material incidents, lower audit costs, improve insurance terms, and strengthen your competitive position in regulated markets. When compliance becomes synonymous with risk reduction, it stops being a cost center and starts being strategic.
  • Ask the hard questions: The worst time to figure out a crisis communication plan is during a crisis. The worst time to discover the company doesn’t know where its critical data lives is when the team tries to recover it after an incident. Make these questions routine:

    • What are our five most critical assets, where are they, who owns them, and who has access to them?
    • Which scenarios could actually stop revenue or threaten safety?
    • How dependent are we on specific vendors, and how fast could we switch if one failed?
    • If we were breached tomorrow, what would our statement say—and would it be true?

These aren't comfortable conversations to have, but we can’t afford not to have them. They will transform board members from passive observers into active partners in managing enterprise risk.

Because that's what we’re really talking about: enterprise risk management that happens to involve technology. When security leaders frame it that way, they’ll get the support, resources, and strategic engagement they’ll need in a crisis.

Michelle Drolet, founder and CEO of Towerwall

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
