
The CISO's Guide to Board Communication

By Asaf Levy · 8 min read

Most CISOs walk into the board room with a deck full of dashboards. Heat maps, vulnerability counts, phishing click rates, MTTR trends. Then they walk out wondering why the board is still asking the same question they asked last quarter: "So - are we secure?"

The answer is not better dashboards. It is a different conversation.

Why the Dashboard Doesn't Convince the CEO

Boards are not asking for proof of activity. They are asking for a position. Activity metrics ("we patched 12,000 vulnerabilities this quarter") tell them you are busy. They do not tell them whether the company is more or less likely to suffer a material incident than it was last quarter. That is the question the board is actually asking, and it is the one most security reports avoid.

Part of the avoidance is structural. Security teams are measured internally on activity, because activity is what they control. Boards are measured externally on outcomes - share price, regulatory action, brand trust. The translation between the two is the CISO's job, and most CISOs were never trained to do it. They were trained to run a SOC.

The result is the meeting everyone has sat through: the CISO walks the board through fifteen slides of color-coded controls, the board nods politely, and the CEO leans over to the CFO afterward and asks, "Did any of that mean we are at less risk than before?" Nobody can answer.

From Metrics to Direction: "Winning" or "Losing"

The shift that changes the conversation is moving from snapshots to direction. Boards do not need to know the absolute number of vulnerabilities open today. They need to know whether the trend is moving in the right direction, and whether the CISO has a defensible point of view about why.

Direction means committing. It means saying, in plain language: "On ransomware exposure, we are winning - our recovery time has dropped from 14 days to under 48 hours, and our backups are now tested monthly. On third-party risk, we are losing - the number of vendors with access to customer data has grown 40% in 18 months, and we have not kept pace with vendor security reviews. Here is what it would take to reverse it."

That kind of statement does three things at once. It tells the board you have a position. It tells them where to focus their attention. And it tells them what action will move the needle - which is the only reason they are in the room.

Boards sit on multiple companies. They have seen every variant of the security dashboard. What they almost never see is a CISO who can stand behind a directional trend line and say "we are winning" or "we are losing, and here is what it takes to reverse it." That CISO gets called first when the next crisis hits.

The One-Page Risk Framework

After two decades of sitting in board rooms, I have settled on one format that works. A single page, four quadrants, directional trends. Anything more becomes noise; anything less stays vague.

1. Top 5 Business Risks

Named in business terms, not technical ones. Not "unpatched CVEs" but "customer data exposure via third-party vendor."

2. Trend (vs last quarter)

One arrow per risk: ↑ worsening, → stable, ↓ improving. The arrow is the headline.

3. Key Actions (next 90 days)

3-5 items. Each with an owner, a deadline, and an expected outcome. Shows movement and ownership.

4. The Ask

What you need from the board this quarter: a budget line, a mandate, or a specific decision. Boards exist to decide.

Four rules make this format work:

1. One page. No appendix slides. If it does not fit, it is not important enough for the board. Detail belongs in the audit committee, not the full board.

2. Colors mean nothing unless you defined them. Red/yellow/green without a scale is astrology. Either tie each color to a measurable threshold ("Red = mean time to patch critical CVEs exceeds 30 days") or drop the color entirely. The 2024 UnitedHealth Change Healthcare breach hearings exposed how often "green" dashboards hid risks nobody had a definition for.

3. Trends beat snapshots. A risk that is worsening slowly is more interesting to a board than one that is high-but-stable. Boards manage velocity, not altitude. That is why Quadrant 2 carries the weight - the arrow is the headline.

4. The Ask is the point. If you leave a board meeting without a decision, you wasted everyone's time, including your own. Every quarter, bring one concrete ask: approval for a budget line, a mandate to enforce MFA on a holdout subsidiary, a decision on cyber insurance retention. Boards exist to decide. Give them something to decide.

This format is deliberately boring. That is the feature. By the third quarter, the board stops asking "what am I looking at?" and starts asking "what changed, and what are you doing about it?" That is the conversation you want. That is also the conversation that, over time, earns the CISO a seat at the decisions that matter - not just the incident post-mortems.

Common Mistakes and How to Avoid Them

Even CISOs who get the framework right still lose board rooms in avoidable ways. Four patterns come up again and again.

Mistake 1: Leading with activity instead of outcomes. "We blocked 2.3 million phishing attempts this quarter" is an activity metric. It tells the board nothing about risk. The board wants to know whether we lost data, whether we stopped fraud, whether we reduced mean time to detect. Translate every number into business consequence. If you cannot, the number does not belong on the slide.

Mistake 2: Burying bad news. Every CISO is tempted to soften a worsening trend, especially when the cause is partly outside their control - a new subsidiary, a legacy system they inherited, a vendor incident. Resist. Boards punish surprises, not problems. A trend arrow pointing up, acknowledged in Q1, buys you credibility and budget. The same trend discovered during a Q3 breach destroys both. The post-mortems of SolarWinds, MGM, and Change Healthcare all contain a version of the same sentence: the board was told things were fine.

Mistake 3: Showing up without an ask. A status report is not a board conversation. If every quarter you present information without requesting a decision, you become a reporting function, not a leadership one. The board stops listening because nothing requires their attention. Every quarter, bring one concrete ask - budget, mandate, or decision - even if small. It changes the dynamic from "update us" to "advise us."

Mistake 4: Going defensive under questioning. When a board member asks a skeptical question - "Are we really protected against ransomware?" - the instinct is to defend the program. Don't. The question is the opening. "That is the right question. Here is what we know, here is what we do not know yet, and here is what we are doing to close the gap" lands better than any walkthrough of controls. Boards trust CISOs who name uncertainty; they mistrust ones who project total confidence.

Closing

The CISOs who earn trust at the board level are not the ones with the best dashboards. They are the ones who translate complexity into direction, who show up with a position, and who treat the board as a partner in decisions rather than an audience for reports.

That translation is the job. Everything else - the tooling, the frameworks, the metrics - exists in service of it. Master it, and you stop being the person called in after the breach. You become the person the board calls first.

Written by

Asaf Levy

Cybersecurity expert with 30+ years of experience. Former CISO of El Al, CTO, Co-Founder of Cybecs and RedRok. Advises boards and executive teams on translating security into business decisions.