
Cyber Means Business: Nick Kathmann on How CISOs Should Talk to the Board About Risk

By Joan Goodchild

Apr 22, 2026

In this edition of Cyber Means Business, Nick Kathmann, chief information security officer at governance, risk and compliance provider LogicGate, argues that the most effective CISOs frame cybersecurity in terms that boards already understand: risk, business strategy, and measurable outcomes.

When cybersecurity leaders fail to connect their work to the strategic direction of the company, they risk being seen as technical specialists rather than business leaders.

That dynamic is something Kathmann has navigated throughout his career.

At LogicGate, he oversees IT, security, governance, risk and compliance (GRC), privacy, and artificial intelligence governance within the organization. Before joining the company three years ago, he held senior security roles at Virtustream, the cloud division of Dell Technologies, where he helped lead security architecture, red team operations, and security operations centers supporting some of the world’s largest enterprise workloads. Earlier in his career, he worked across large-scale cloud environments at EMC and RSA and held [consulting?] roles at Accenture and in the healthcare and energy sectors.

Those experiences helped shape his perspective that security leaders’ communication with the C-suite and board directors is ultimately a business problem. Security leaders must translate technical risk into the language executives and boards use to guide strategy and allocate resources.

CISO Leadership Takeaways

  • Boards are responsible for defining risk appetite, and CISOs should frame security discussions around how current risk levels compare to that appetite

  • Technical metrics are useful internally but should be translated into business risk trends when communicating with directors

  • Overstating cybersecurity risk can erode credibility with executive leadership

  • Security investments are easier to justify when they clearly unlock revenue, reduce friction in sales cycles, or enable strategic initiatives

  • CISOs build credibility with boards by tying security programs directly to the organization’s strategic goals


Joan Goodchild: When CISOs only get a few minutes with the board, what should they focus on communicating?

Nick Kathmann: The most important thing to communicate is the company’s overall risk profile and how that risk is trending over time. The board’s role in risk management is to set the organization’s risk appetite. That appetite changes depending on where the company is in its lifecycle. A startup may accept a higher level of risk in order to move quickly and gain customers, while a company preparing for an acquisition or an initial public offering may want to significantly reduce risk.

One way to make that conversation meaningful is to show how risk is trending across different parts of the organization. For example, you might show that risk in engineering is decreasing while risk in another department is increasing. The key question for the board becomes whether that overall risk posture aligns with the level of risk they are comfortable accepting. That framing allows the board to make informed decisions about whether the organization should accelerate, slow down, or shift its approach.

What are some of the biggest mistakes security leaders make when speaking with the board?

The first major mistake is staying too technical. Cybersecurity is filled with acronyms and jargon. If a board is composed primarily of finance executives, marketing leaders, or operators, they are not going to connect with that language. Security leaders need to translate technical vulnerabilities into business implications.

The second mistake is exaggerating risk. If everything is labeled “critical,” executives will eventually stop paying attention. There was a situation at one company where a risk manager presented a relatively minor issue as a critical risk. The chief executive officer immediately responded that a true critical risk would be not having enough cash flow to meet payroll next week. That would shut down the company.

Security leaders need to understand how the business defines risk severity and make sure their classifications align with that definition.

How can CISOs translate cybersecurity risk into language that resonates with boards?

It starts with agreeing on a common definition of risk. Organizations should establish shared terminology around what constitutes a critical, high, or moderate risk. If leadership defines a critical risk as something that could materially damage the company within weeks, security leaders should not present an issue that might cause problems years in the future as critical.

The other important step is tying security directly to the company’s strategic direction. If the company’s strategy involves international expansion, security can explain how regulatory certifications, compliance, and security programs help unlock those markets. If the company is pursuing new industry verticals, security investments may enable entry into regulated sectors such as finance or healthcare.

In each case, security is framed as either enabling strategic growth or highlighting risks that could prevent the company from achieving its goals.

Security teams track dozens of metrics. Which ones actually matter in board conversations?

Most technical metrics do not belong in the boardroom. Metrics such as mean time to detect or mean time to respond are important operational indicators for security teams, but they rarely resonate with directors. What boards care about is whether risk is increasing or decreasing and what that means for the business.

One challenge in security reporting is that many frameworks focus on maturity rather than outcomes. A team might say they are four out of five in one control area and three out of five in another, but that does not necessarily explain whether the organization is safer.

A more useful approach is to translate those technical indicators into business risk trends. If a particular control is weakening, the conversation should focus on the resulting increase in the risk of events such as ransomware or data breaches. That gives the board a clearer understanding of why the issue matters.

How can CISOs justify security spending in terms boards understand?

The answer depends partly on the business model. For business-to-business companies, the return on investment is often tied directly to revenue. Security certifications, compliance programs, and governance initiatives can unlock new markets or enable sales to enterprise customers that require certain standards.

If a security investment enables the company to pursue a market worth millions in potential pipeline, that connection becomes very clear. Security also reduces friction in the sales process by increasing customer trust and shortening procurement cycles.

Security can also enable innovation. For example, strong governance programs around artificial intelligence can allow organizations to adopt automation and artificial intelligence more quickly because the risks are being managed responsibly. In that sense, security becomes a guardrail that allows the business to move faster rather than a barrier that slows it down.

What separates CISOs who build credibility with boards from those who struggle?

The biggest difference is whether the security leader connects their work to the company’s strategic value. If security leaders present their work as a standalone function that operates separately from the business, they are likely to be seen as a support role rather than a strategic partner.

Credible CISOs show how security enables revenue growth, protects enterprise value, and supports the company’s strategic direction. When they do that consistently, boards begin to see security as part of the organization’s forward momentum rather than just a technical safeguard.

In practice, there are also some simple signals that reveal whether a message is resonating. If board members ask questions, follow up outside meetings, or engage with security leaders directly, it usually indicates strong credibility. If they do not ask questions, appear disengaged, or only interact during brief board presentations, it may be a sign that the security narrative needs to change.


Written by Joan Goodchild

Joan Goodchild is a veteran journalist, editor, and writer who has been covering business technology and cybersecurity for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.