{"id":15913,"date":"2026-03-06T17:53:16","date_gmt":"2026-03-06T17:53:16","guid":{"rendered":"https:\/\/newestek.com\/?p=15913"},"modified":"2026-03-06T17:53:16","modified_gmt":"2026-03-06T17:53:16","slug":"only-30-minutes-per-quarter-on-cyber-risk-why-ciso-board-conversations-are-falling-short","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15913","title":{"rendered":"Only 30 minutes per quarter on cyber risk: Why CISO-board conversations are falling short"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Cybersecurity is, as it should be in this era of <a href=\"https:\/\/www.csoonline.com\/article\/4140221\/ai-powered-attack-kits-go-open-source-and-cyberstrikeai-may-be-just-the-beginning.html\" target=\"_blank\">AI-driven cyberattacks<\/a>, a regular item on enterprise board agendas. However, the interactions between CISOs and boards remain brief, and the discussions themselves superficial.<\/p>\n<p>According to a new report from IANS, Artico Search, and The CAP Group, CISO-board interactions remain short (typically 30 minutes per quarter), lack depth around threats, particularly those posed by AI and other emerging technologies, and are more about \u201clistening\u201d than active participation.<\/p>\n<p>\u201cThe industry is still maturing, and \u2018good\u2019 is a moving target,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/nick-kakolowski-2775977a\" target=\"_blank\" rel=\"noreferrer noopener\">Nick Kakolowski<\/a>, senior director for CISO research at IANS. 
\u201cCISOs and boards are still developing a shared vocabulary to contextualize and understand the long-term business implications of cyber issues.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"cisos-not-getting-extended-airtime-in-meetings\">CISOs not getting \u2018extended airtime\u2019 in meetings<\/h2>\n<p><a href=\"https:\/\/www.iansresearch.com\/resources\/ians-board-relationships-report\" target=\"_blank\" rel=\"noreferrer noopener\">According to the study<\/a>, just 30% of boards describe their relationship with CISOs as \u201cstrong and collaborative,\u201d while 35% call it \u201cadequate and functional,\u201d and 24% say it needs improvement.<\/p>\n<p>This indicates that deep trust and partnership remain \u201cuneven and far from universal,\u201d the report notes.<\/p>\n<p>The majority of the 650-plus CISOs surveyed (95%) said they regularly report to their board, at least on a quarterly basis. Of those, 60% engage with the full board, and 35% with at least one board committee. However, three-quarters of security leaders said those discussions typically only last 30 minutes.<\/p>\n<p>\u201cUpdates are often tightly time-boxed and routed through committees rather than directed at the full board,\u201d the report notes.<\/p>\n<p>It quotes one anonymous CISO at a publicly-listed financial services firm, who said, \u201cThere\u2019s interest in the reports I present, but almost no follow\u2011through. The board treats cybersecurity as something to be briefed on \u2014 not something to experience or probe.\u201d<\/p>\n<p>On the other hand, the 25% of CISOs who did have \u201cextended airtime\u201d of more than 30 minutes said cybersecurity was treated as a more strategic topic rather than simply a check-box or status discussion. 
In these cases, boards are able to engage in \u201ctrade-offs, risk tolerance, and decision-making,\u201d rather than just metrics, according to the report.<\/p>\n<p>Boards are \u201cconsistently informed\u201d these days, but many still struggle to translate cyber reporting into strategic decision-making, said Kakolowski. Directors are seeking clearer insight into what\u2019s coming next, particularly as AI reshapes the threat landscape and enterprise risk.<\/p>\n<p>As a result, CISOs must strengthen their relationships within, and knowledge of, the business, to elevate the right issues to the board and create opportunities for \u201cmeaningful risk conversations,\u201d he said, even if those are happening behind the scenes or at the sub-committee level.<\/p>\n<p>IANS faculty member <a href=\"https:\/\/beta.iansresearch.com\/our-faculty\/faculty\/steven-martano\" target=\"_blank\" rel=\"noreferrer noopener\">Steve Martano<\/a> agreed that the <a href=\"https:\/\/www.csoonline.com\/article\/4138735\/innovation-without-exposure-a-cisos-secure-by-design-framework-for-business-outcomes.html\" target=\"_blank\">best security presentations<\/a> are \u201cholistic discussions\u201d on cyber risk and business risk. These are driven by CISOs who form a \u201cconcise, data\u2011driven narrative\u201d and foster discussion and brainstorming around risk tolerance, risk strategy, cyber and tech risk in the context of ROI.<\/p>\n<h2 class=\"wp-block-heading\" id=\"boards-want-more-forward-looking-insights\">Boards want more forward-looking insights<\/h2>\n<p>The report also suggests that board-CISO communication doesn\u2019t dive as deeply into details as it should in these days of ever more sophisticated, AI-driven cyberattacks.<\/p>\n<p>The majority of board directors (82%) say their security leaders\u2019 reporting on regulatory trends was satisfactory or excellent, and that they had strong visibility into program initiatives, current risks, and resourcing needs. 
However, about half said security leaders\u2019 reporting in other areas, notably threats from AI and other emerging tools, needed improvement.<\/p>\n<p>This seems to signal that boards are seeking to move beyond high-level conversations to more forward-looking insights. AI is now a primary driver of cyber risk, enabling more sophisticated attacks; at the same time, it is introducing new areas of loss as AI models become high\u2011value assets that can be exploited or damaged, said <a href=\"https:\/\/cap.group\/about\/\" target=\"_blank\" rel=\"noreferrer noopener\">Brian Walker<\/a>, CEO of The CAP Group.<\/p>\n<p>\u201cAI and cybersecurity are inextricably linked, and boards must understand the business risks of both,\u201d he said.<\/p>\n<p>Similarly, boards regularly interact with dashboards and frameworks, but fewer than half of them (41%) participate in tabletop exercises, crisis simulation, incident escalation protocols, or other education and training.<\/p>\n<p>\u201cIn other words,\u201d the report notes, \u201cboards are well informed on paper, but often stop short of experiencing cyber risk, suggesting oversight that is more passive than active.\u201d This suggests that CISOs are not helping boards get ahead of the \u201cfast-moving risk dynamics\u201d of today\u2019s threatscape.<\/p>\n<p>Ultimately, the report emphasizes, this reinforces a familiar pattern: Updates effectively explain the current state, but are less effective at preparing directors for what comes next.<\/p>\n<h2 class=\"wp-block-heading\" id=\"board-involvement-is-critical-for-cybersecurity\">Board involvement is critical for cybersecurity<\/h2>\n<p>Getting board buy-in is critical, as data and digital capabilities are integral components of business strategy. 
Risks created by emerging technologies and methods of using data are, as a result, \u201cbecoming more impactful on an organization\u2019s health,\u201d said Kakolowski.<\/p>\n<p>In the strongest security-first organizations, CISOs are \u201cdeeply aware\u201d of the risks that are most important to the business, and are able to contextualize cyber issues into those risks, he said. \u201cThey aren\u2019t getting the board up to speed on cyber issues; they are shaping the cyber agenda around the risks that matter to the board and, implicitly, the broader organization.\u201d<\/p>\n<p>The takeaway for CISOs: Use your security knowledge to determine the organization\u2019s risk tolerance and manage risk accordingly. Simply put, building a strong relationship with the board requires a mindset shift \u201caway from being a security leader trying to prevent breaches, to being a business leader partnering with the executive team,\u201d said Kakolowski.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity is, as it should be in this era of AI-driven cyberattacks, a regular item on enterprise board agendas. However, the ways in which CISOs and boards interact, and the depth of those discussions, remain brief and superficial. 
According to a new report from IANS, Artico Search, and The CAP Group, CISO-board interactions remain short (typically 30 minutes per quarter), lack depth around threats, particularly&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15913\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15913","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15913","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15913"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15913\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15913"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15913"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15913"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}