Cybersecurity is, as it should be in this era of AI-driven cyberattacks, a regular item on enterprise board agendas. However, CISO-board interactions remain brief, and the discussions between them superficial.
According to a new report from IANS, Artico Search, and The CAP Group, CISO-board interactions remain short (typically 30 minutes per quarter), lack depth around threats, particularly those posed by AI and other emerging technologies, and are more about “listening” than active participation.
“The industry is still maturing, and ‘good’ is a moving target,” said Nick Kakolowski, senior director for CISO research at IANS. “CISOs and boards are still developing a shared vocabulary to contextualize and understand the long-term business implications of cyber issues.”
CISOs not getting ‘extended airtime’ in meetings
According to the study, just 30% of boards describe their relationship with CISOs as “strong and collaborative,” while 35% call it “adequate and functional,” and 24% say it needs improvement.
This indicates that deep trust and partnership remain “uneven and far from universal,” the report notes.
The majority of the 650-plus CISOs surveyed (95%) said they regularly report to their board, at least on a quarterly basis. Of those, 60% engage with the full board, and 35% with at least one board committee. However, three-quarters of security leaders said those discussions typically only last 30 minutes.
“Updates are often tightly time-boxed and routed through committees rather than directed at the full board,” the report notes.
It quotes one anonymous CISO at a publicly listed financial services firm, who said, “There’s interest in the reports I present, but almost no follow‑through. The board treats cybersecurity as something to be briefed on — not something to experience or probe.”
On the other hand, the 25% of CISOs who did have “extended airtime” of more than 30 minutes said cybersecurity was treated as a more strategic topic rather than simply a check-box or status discussion. In these cases, boards are able to engage in “trade-offs, risk tolerance, and decision-making,” rather than just metrics, according to the report.
Boards are “consistently informed” these days, but many still struggle to translate cyber reporting into strategic decision-making, said Kakolowski. Directors are seeking clearer insight into what’s coming next, particularly as AI reshapes the threat landscape and enterprise risk.
As a result, CISOs must strengthen their relationships within, and knowledge of, the business, to elevate the right issues to the board and create opportunities for “meaningful risk conversations,” he said, even if those are happening behind the scenes or at the sub-committee level.
IANS faculty member Steve Martano agreed that the best security presentations are “holistic discussions” on cyber risk and business risk. These are driven by CISOs who form a “concise, data‑driven narrative” and foster discussion and brainstorming around risk tolerance, risk strategy, cyber and tech risk in the context of ROI.
Boards want more forward-looking insights
The report also suggests that board-CISO communication doesn’t dive as deeply into details as it should in these days of ever more sophisticated, AI-driven cyberattacks.
The majority of board directors (82%) say their security leaders’ reporting on regulatory trends was satisfactory or excellent, and that they had strong visibility into program initiatives, current risks, and resourcing needs. However, about half said security leaders’ reporting in other areas, notably threats from AI and other emerging tools, needed improvement.
This seems to signal that boards are seeking to move beyond high-level conversations to more forward-looking insights. AI is now a primary driver of cyber risk, enabling more sophisticated attacks; at the same time, it is introducing new areas of loss as AI models become high‑value assets that can be exploited or damaged, said Brian Walker, CEO of The CAP Group.
“AI and cybersecurity are inextricably linked, and boards must understand the business risks of both,” he said.
Similarly, boards regularly interact with dashboards and frameworks, but fewer than half of them (41%) participate in tabletop exercises, crisis simulation, incident escalation protocols, or other education and training.
“In other words,” the report notes, “boards are well informed on paper, but often stop short of experiencing cyber risk, suggesting oversight that is more passive than active.” This suggests that CISOs are not helping boards get ahead of the “fast-moving risk dynamics” of today’s threatscape.
Ultimately, the report emphasizes, this reinforces a familiar pattern: Updates effectively explain the current state, but are less effective at preparing directors for what comes next.
Board involvement is critical for cybersecurity
Getting board buy-in is critical, as data and digital capabilities are integral components of business strategy. Risks created by emerging technologies and methods of using data are, as a result, “becoming more impactful on an organization’s health,” said Kakolowski.
In the strongest security-first organizations, CISOs are “deeply aware” of the risks that are most important to the business, and are able to contextualize cyber issues into those risks, he said. “They aren’t getting the board up to speed on cyber issues; they are shaping the cyber agenda around the risks that matter to the board and, implicitly, the broader organization.”
The takeaway for CISOs: Use your security knowledge to determine the organization’s risk tolerance and manage risk accordingly. Simply put, building a strong relationship with the board requires a mindset shift “away from being a security leader trying to prevent breaches, to being a business leader partnering with the executive team,” said Kakolowski.