Most board cyber updates fail on the first slide. The team leads with a heat map, a list of CVEs, or a tool count — and the directors quietly disengage, because none of it answers the only question they actually have: are we okay, and what do you need from us?
Translate risk into the board's language — money, time, and trade-offs. "A ransomware event would likely cost us X and several days of downtime; this investment halves that" lands. "We have 4,000 unpatched endpoints" does not — it's an input, not a decision. (For the cost-and-impact framing, point to CISA's #StopRansomware guidance.)
Lead with the recommendation, then the rationale. Directors are trained to act on a clear ask backed by a short why. Bury the recommendation under analysis and you've handed them the work of finding it — and most won't do it.
Finally, name the residual risk you're choosing to accept. Boards trust the leader who says "here's what we're not fixing yet, and why" far more than the one who implies everything is handled. Clarity, not comfort, is what earns the next budget.
Last updated May 20, 2025