Speaking Board Language: Translating Cybersecurity for Executive Leadership
McKinsey cybersecurity leaders share essential strategies for translating complex security challenges into business-focused board discussions. Learn how to effectively communicate risk, establish meaningful metrics, and build productive partnerships with your organization's leadership.
McKinsey cybersecurity leaders reveal practical strategies for communicating complex security challenges in business terms that resonate with boards and executive stakeholders, helping security leaders gain the support and resources they need.
Session Summary
In this strategic conversation from RSA Conference 2024, McKinsey & Company cybersecurity experts Daniel Wallance and Justin Greis join Bishop Fox's Tom Eston to address one of the most challenging aspects of security leadership: effectively communicating with boards of directors. The discussion reveals that successful board engagement depends less on technical expertise than on the ability to translate security concepts into business impact narratives that resonate with leadership's primary concerns.
The experts emphasize that boards are often overwhelmed by technical jargon and struggle to interpret security data in real time, making it crucial to present information in business-focused frameworks. They recommend several practical approaches: framing security discussions around potential impacts to specific business lines and products; developing consistent, trackable metrics that allow boards to monitor progress over time; and creating experiential learning opportunities like bringing board members into security operations centers or walking them through attack scenarios. Throughout the conversation, both speakers stress that the most effective security leaders view their relationship with the board as a partnership rather than an adversarial dynamic. By developing ongoing dialogue, using inclusive language, and helping board members understand security on a personal level, CISOs can build the trust and understanding necessary for meaningful security governance.
Key Takeaways
- Translate technical issues into business impact - Board members don't need to understand technical details, but they must grasp how security risks affect business operations, customer relationships, and financial outcomes.
- Develop narrative-driven communication - Effective board presentations tell a clear story about what you're protecting, your capabilities, and how security investments connect to business priorities.
- Create consistent, trackable metrics - Boards need a stable set of key performance indicators they can monitor over time, supplemented by rotating topics that address emerging concerns.
- Establish multiple touchpoints - Board relationships shouldn't rely solely on quarterly presentations; develop ongoing dialogue through committee relationships and informal communications.
- Make security tangible through demonstration - Bring board members into security operations centers, walk them through attack scenarios, or help them understand security on a personal level to build deeper engagement.
- Foster partnership through inclusive language - Use "we" and "our" rather than "you" and "your" to create shared ownership of security outcomes and reduce adversarial dynamics.
Abbreviated Transcript
Tom Eston: Welcome back to the Bishop Fox live stream from the RSA conference in San Francisco. Joining me for this panel discussion is Daniel Wallance, a senior expert at McKinsey and Company, and Justin Greis, the Partner and North America Cybersecurity Practice Lead at McKinsey. Welcome to the live stream.
Daniel Wallance: Great to be here.
Tom Eston: We're going to be talking about the board-level view of cybersecurity risk and resilience. Daniel, what are the top strategic priorities you would recommend to executives to ensure alignment with the board?
Daniel Wallance: It's important to frame the conversation in terms of business risk. What does this mean for the organization? What are the impacts on critical assets? Second, bring the board into tabletop exercises to think through incident response and decision-making. Finally, address how to truly know our capabilities are effective and incorporate that into discussions with the board.
Tom Eston: What do you think about that, Justin?
Justin Greis: I agree. One of the biggest mistakes is expecting the board to interpret technical details live. Convey risk in terms of business impact. Discuss business processes at risk and potential consequences. Always frame the conversation in terms of products and business lines, which the board understands.
Tom Eston: Leaders need to communicate urgency to the board. What advice can you give on this?
Daniel Wallance: Frame it as a narrative. Communicate what you're protecting, your capabilities, and critical assets. Make it part of ongoing dialogue and education sessions, sharing the latest threats and controls deployed.
Justin Greis: Boards understand urgency, but everything in cyber seems urgent. Stratify tasks and convey urgency in an understandable order. Show, don't tell. Walk them through an attack's anatomy to illustrate impact.
Tom Eston: How can someone address complex security concerns in terms of risk to the board?
Daniel Wallance: Keep it simple. Many boards want to learn. Engage in dialogues about the latest cybersecurity threats and technologies to defend against them.
Justin Greis: Simplify the message. Use consistent metrics the board can understand over time. Introduce rotating topics but keep core KPIs and KRIs consistent.
Tom Eston: How should one handle feedback from the board?
Daniel Wallance: View it as a partnership. Engage in discussions about risk tolerances, thresholds, and prioritizations. Use this insight to inform organizational capabilities.
Justin Greis: Consistent feedback is key. There should be multiple touchpoints leading up to board meetings. Develop a strong relationship with the audit and risk committee chair to shape the message together. It's too complex a topic to be adversarial.
Tom Eston: How can the board foster a good cybersecurity culture in an organization?
Daniel Wallance: Celebrate cybersecurity achievements. Emphasize that advancing capabilities adds value to the organization. Make it a focus rather than just preventing bad outcomes.
Justin Greis: Use inclusive language like "we" and "our" to show unity. Board members should ask good questions, read the materials, educate themselves, and build relationships with the CISO. Regular engagement is crucial for fostering a supportive culture.
Tom Eston: Any tips for effective communication with the board?
Daniel Wallance: Bringing board members into the SOC to see day-to-day operations and responses to attacks can be impactful.
Justin Greis: Ask the CISOs what they need to be successful. Ensure transparency and direct communication. Establish personal connections by helping board members with their own security, which can build trust and understanding.
Tom Eston: Where can our audience learn more about you and McKinsey?
Daniel Wallance: Our website has many resources, including articles on cybersecurity and the board of directors.
Justin Greis: McKinsey.com has a cybersecurity section with great thought leadership. You can also reach out to us on LinkedIn or through email.
Tom Eston: Thank you both for joining the live stream. We'll be back with more from the Bishop Fox live stream at the RSA conference in San Francisco. Stay tuned.