Why some CISOs get the board behind them, and others don't
One of the recurring themes from our recent event at the Shard was the growing gap between security programmes that are technically strong and those that successfully secure lasting board support.
Interestingly, the difference rarely comes down to technical capability alone. More often, it comes down to how effectively cyber risk is translated into business language, commercial exposure and operational impact. As cyber security becomes increasingly tied to operational resilience, regulatory scrutiny and financial risk, the ability to bridge that gap is becoming one of the defining leadership skills for modern CISOs.
At our event at the Shard last week, the conversation kept circling back to the same question: why do some CISOs get the board engagement and funding they need, while others, often with equally strong technical programmes, struggle to get traction?
The pattern, as far as I can see it, comes down to translation.
Whose risk is it?
The CISOs who succeed at board level have stopped framing security as their problem. They present risk as something the business is exposed to, not something they personally need help with.
The shift is subtle but important. “Here’s what I’m worried about, please fund me” keeps the risk sitting on the CISO’s shoulders and turns the conversation into a budget request from a worried technologist. “Here’s what the business is exposed to, here are the options for managing that exposure, here’s what I recommend” puts the risk where it actually lives: with the board. They are then making a business decision about their own exposure, not adjudicating a request.
From heatmap to business case
The second shift is in how the risk itself is expressed. A heatmap is a photograph, not an argument. The CISOs who get funded are the ones who can attach a business cost to the risk: annualised loss expectancy, the cost of a credible breach scenario modelled against the company’s actual revenue and operating profile, the cost of regulatory exposure or contract loss.
Once the risk has a number, the proposed control has an ROI: cost of control versus reduction in expected loss. The CFO can then engage with it on their own terms, which is what unlocks the funding conversation. Without that, security spend is judged on faith, and faith runs out.
This is harder than it sounds, and it’s where most security programmes are weakest. Translating technical risk into business cost requires data many CISOs don’t have to hand: loss histories, scenario modelling, exposure quantification. It also requires a degree of commercial fluency that isn’t taught in the security career path and doesn’t come naturally to everyone who has grown up in technical roles. The CISOs who do it well have usually either invested in the capability deliberately or partnered with someone in finance or risk who can model it with them. It is a skill that can be built, but it has to be built on purpose.
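To make the "cost of control versus reduction in expected loss" comparison above concrete, here is an added illustration (example code written for this post, not a model from the event or from any speaker): the scenarios, loss figures and control effects are constructed assumptions, and ROSI here means (expected loss avoided minus annual control cost) divided by control cost.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # single loss expectancy: cost of one occurrence (GBP)
    aro: float  # annual rate of occurrence: expected events per year

    def ale(self) -> float:
        return self.sle * self.aro  # annualised loss expectancy

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    applies_to: tuple           # names of the scenarios this control affects
    aro_reduction: float = 0.0  # fraction of event frequency removed (0..1)
    sle_reduction: float = 0.0  # fraction of per-event loss removed (0..1)

    def apply(self, s: Scenario) -> Scenario:
        if s.name not in self.applies_to:
            return s
        return Scenario(s.name, s.sle * (1 - self.sle_reduction),
                        s.aro * (1 - self.aro_reduction))

def loss_reduction(scenarios, control) -> float:
    """Expected annual loss avoided across all scenarios."""
    return sum(s.ale() - control.apply(s).ale() for s in scenarios)

def rosi(scenarios, control) -> float:
    """ROSI = (loss avoided - cost) / cost; negative means it costs more than it saves."""
    return (loss_reduction(scenarios, control) - control.annual_cost) / control.annual_cost

def rank_controls(scenarios, controls):
    """Options ordered by ROSI, best first, as (name, rosi) pairs."""
    return sorted(((c.name, rosi(scenarios, c)) for c in controls),
                  key=lambda pair: pair[1], reverse=True)

# Constructed illustrative figures only, not data from any real company.
SCENARIOS = [
    Scenario("ransomware outage", sle=2_400_000, aro=0.15),     # ALE 360k
    Scenario("customer data breach", sle=1_200_000, aro=0.10),  # ALE 120k
    Scenario("BEC fraud via phishing", sle=250_000, aro=0.40),  # ALE 100k
]
CREDENTIAL_LED = ("customer data breach", "BEC fraud via phishing")
CONTROLS = [
    Control("phishing-resistant MFA", 90_000, CREDENTIAL_LED, aro_reduction=0.6),
    Control("offline backups, rehearsed restore", 120_000, ("ransomware outage",), sle_reduction=0.5),
    Control("premium appliance", 500_000, tuple(s.name for s in SCENARIOS), aro_reduction=0.2),
]
```

The ranking is the part a CFO can argue with: the expensive appliance lands last with a negative ROSI because it shaves a little off every scenario but costs more than the loss it removes, which is exactly the comparison a heatmap cannot make.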
The foundation that makes the conversation credible
None of this works without a credible foundation underneath. Three things in particular.
Frameworks the board recognises. NIST CSF or ISO 27001 give the board a defensible reference point and keep the technical detail out of the room. The framework is the scaffolding, not the substance.
Evidence the controls actually work. Self-attestation has run its course. Boards increasingly want to see independent assurance: pen test results, assumed breach exercises, third-party audits. The shift is from “we have a control” to “we have evidence the control works.”
Direction of travel. Boards respond to trajectory, not snapshots. Progress against a stated risk appetite, demonstrated over time, builds the confidence that the programme is going somewhere. A single heatmap tells you nothing about whether the situation is improving or deteriorating.
The slow loss of confidence
There’s a failure mode worth naming too: the CISO who gets funded once and then loses the room over time. Usually it is because they escalated everything to existential and nothing to manageable, or because they asked for the next round of budget without showing what the last round delivered. Calibration matters as much as the opening pitch. Boards remember.
The skill that separates them
The successful CISO, as far as I can tell, is not necessarily the best security technologist. They’re the best translator: of risk into business cost, of controls into evidence, of spend into return. That’s the skill that separates the ones who get the funding from the ones who don’t.
As cyber security becomes increasingly tied to operational resilience, regulatory exposure and board accountability, the ability to translate technical risk into business context is becoming one of the defining leadership skills for modern CISOs.
The organisations making the greatest progress are often not the ones with the most sophisticated tooling. They are the ones where security leaders have learned how to communicate risk in a way the rest of the business can meaningfully engage with.