Online Article

Boards Ask the Right Cybersecurity Questions, But Accept the Wrong Answers

By Kevin Richards

12/23/2024


In 2023, global spending on cybersecurity products and services reached approximately $80 billion, with forecasts suggesting it will surpass $87 billion by the end of 2024, according to Statista. Despite this significant investment, the financial toll of cyber incidents is staggering. Cybercrime incidents are now estimated to cost the world economy more than $1 trillion a year, around 1 percent of global gross domestic product (GDP), with some estimates showing incidents topping $10 trillion by 2025. If these estimates come true, cybercrime would be the world’s third-largest economy relative to GDP.

There has never been more money spent on cybersecurity, and, even with those vast and continued investments, the losses resulting from cyber incidents have never been worse. Simply put, it is time to do something different—or accept unacceptable business losses. 

Cyber risk is a complex challenge with no single, simple solution, but addressing it should start at the top. There has been significant improvement in cyber literacy among corporate directors. They largely recognize that cybersecurity is a business issue, not just a technical one. They are becoming increasingly fluent in asking foundational questions about cyber resilience, risk exposure, and preparedness. The questions are becoming sharper, more relevant, and more aligned with emerging technologies and the realities of modern risk management.

But there’s a disconnect: board members may ask the right questions, but they often accept incomplete or deflective answers. The result is that companies implicitly accept cyber risk they do not fully understand, with these decisions translating into unprecedented business losses.

Many chief information security officers (CISOs) still fall into the trap of offering subjective cyber maturity scores or drowning the board in technical jargon in their responses to the board’s questions. This approach inadvertently clouds the true nature of the risk. The board might leave the discussion feeling reassured by an “above average” maturity score, without realizing that the organization’s risk posture is, in fact, precariously exposed. 

This dynamic needs to change, and directors should evolve their expectations. They should demand more complete answers: answers that contextualize cyber risk in business terms, present potential financial impacts, and include the kinds of scenarios that keep cybersecurity executives up at night. Directors need to pressure-test answers with the same vigor they apply to other enterprise risks.

Asking the right questions is only half the job; insisting on meaningful, business-relevant answers is where real progress is made. On this front, CISOs have a challenging task. Technical details are their world, but translating them into business language is an art that should be mastered. It’s not enough to say, “We’re compliant.” They should recognize that their role isn’t just to report on how well the firewalls are performing or how recently an audit was completed.

The CISO’s true value lies in connecting cybersecurity measures to the broader business context, providing a clear, unvarnished perspective on how cyber risks translate into business exposure. They should articulate what compliance means in terms of risk reduction and where gaps might leave the company exposed. When a board member asks, “How exposed are we?” the answer should not be a litany of controls in place or a ranking on a maturity model. It should be a business-focused narrative on what is protected and what is still left to be addressed. It should also focus on what a breach could cost the company in financial terms and how it would impact the company’s customers, partners, brand, and operations. It’s about shifting from reporting on cybersecurity activities to clearly framing the consequences of cyber risk to the business.

Ultimately, the boardroom conversation about cyber risk needs to evolve beyond comfort metrics and maturity scores. It needs to become about the real, tangible business impact of potential cyber incidents and the strategic decisions required to manage those risks effectively. Only then can boards and CISOs align on what risks the company is truly accepting and whether those risks are acceptable. The crucial cybersecurity solution is empowering leaders with actionable business insights and allowing leaders to employ their risk management skills. Then and only then will companies be able to rein in losses from cyber incidents. 


Kevin Richards is the president of X-Analytics and a cybersecurity risk subject matter expert. He served as the chair and international president of the Information Systems Security Association (ISSA) international board, is an ISSA Distinguished Fellow and a Ponemon Institute Distinguished Fellow, and was inducted into the ISSA Hall of Fame for his contributions to the information security community and the cybersecurity profession.