
Building a Relationship Between the Board and CISO

By JR Williamson

04/16/2026

Partner Content Provided by Internet Security Alliance

This tool, featured in the fifth edition of the NACD-ISA Director's Handbook on Cyber-Risk Oversight, outlines how boards can strengthen relationships with cyber-risk leaders to promote strategic integration, resiliency, transparency, accountability, and trust.

Introduction

Boards cannot oversee cyber risk effectively if they only interact with the CISO during annual presentations or after a crisis has occurred. Sustained, structured engagement with the CISO (or the equivalent person who is accountable for cybersecurity for the corporation) helps directors view cybersecurity as an enterprise-wide strategic concern rather than a technical sidebar.

The CISO’s rise to the C-suite comes with more engagement with the boardroom, an audience with the CEO, and the power to make strategic decisions for the business. The CISO is a critical executive role that should receive board-level coaching and development to signal that cybersecurity is a strategic business priority and not just an operational cost.

While many directors acknowledge a positive relationship with their CISO, there remains room for improvement. The NACD 2025 Board Practices and Oversight Survey reveals that 37 percent of public company directors and 40 percent of private company directors say it is “very” or “extremely important” to improve the board–CISO relationship. Maintaining a healthy relationship is an important aspect of improving cyber-risk reporting, aligning cybersecurity to strategic business objectives, fostering transparent communication, and promoting a strong cyber-risk-aware culture.

Directors are Focused on the Board–CISO Relationship

[Figure: Tool J of the NACD Directors’ Handbook on Cyber-Risk, showing the share of directors who rate improving the board–CISO relationship as “very” or “extremely important.”]

Source: 2025 NACD Public Company Board Practices and Oversight Survey, n=154; 2025 NACD Private Company Board Practices and Oversight Survey, n=84
Q: How important is it that your board improves in the following areas related to cyber-risk oversight?

Strong board–management relationships in cybersecurity are not about frequency of meetings alone; they are about trust, shared language, and consistent integration of cyber issues into strategic discussions.

Cybersecurity as Strategic Risk

Boards should push for reporting from the CISO that uses business metrics (e.g., potential revenue loss, downtime costs, regulatory penalties) rather than purely technical jargon. Directors should approach cyber risk conversations as they would financial or operational reviews: what are the strategic exposures, what is the economic impact, and how does this risk align with business objectives?

Board Operations

Boards should ensure their governance practices and structures for engaging the CISO and receiving cyber-risk reporting are fit for purpose.

  • Establish regular, non-crisis communication channels between the board and CISO.
  • Review how the board agenda and committee structures support ongoing cyber engagement.
  • Support a culture of open dialogue so that issues are escalated early rather than hidden.
  • Monitor CISO engagement in the broader industry as both a contributor and a learner.

Systemic Resilience and Collaboration

Cyber resilience depends on coordination across the enterprise and with external partners. Boards should encourage management to include the cyber-risk team in enterprise-wide resilience exercises (e.g., supply chain disruptions, operational continuity planning). Boards should also ask how the organization collaborates with industry and cross-sector peers, ISACs, and regulators to address systemic cyber threats.

Board–CISO Relationship

Boards should cultivate direct, recurring interactions with the CISO or equivalent executive. Best practices include:

  • Scheduling cyber as a standing agenda item for relevant committees.
  • Holding periodic deep-dive sessions focused on specific risks such as ransomware, AI, or cloud security.
  • Encouraging informal dialogue outside of scheduled meetings to build trust.
  • Encouraging development of new skills for the CISO beyond cybersecurity and risk management.

Transparency and Culture

If the cyber-risk team feels pressure to deliver only good news, boards will be blind to systemic weaknesses. Reinforce that the board values transparency, and that escalation of problems will not be punished, but used constructively. Questions should focus on what is not being reported and how near-misses are used to improve processes.

Integration into Enterprise Risk Management

Cyber reports should not be isolated from other risk areas. Boards should require that cyber-risk metrics be presented alongside financial, operational, and strategic risk dashboards. This integration enables directors to see how cyber exposures affect overall business objectives.

Building Expertise at the Board Level

Even with strong reporting, boards must have sufficient baseline literacy to interpret what they hear. Boards can develop this expertise and competence through training, appointing cyber-experienced members, or retaining independent advisors. Without it, relationships risk becoming performative and circular rather than substantive.

Collaboration Across Business Units

The board should ask how the cyber-risk team works with legal (regulatory compliance), operations (business continuity), finance (quantifying losses), and HR (training employees), and whether the CISO participates in strategic discussions and decision making with other senior leadership. Boards should also review whether the current positioning of the cybersecurity team within the organization and the CISO’s reporting line remain fit for purpose.

Questions the Board Can Ask to Strengthen Relationships With Cyber-Risk Leaders

  • Engagement: How frequently does the CISO (or equivalent) brief the board, and is this engagement focused on strategic risk, not just technical details?
  • Integration: How is cyber-risk reporting aligned with financial, operational, and strategic risk reporting?
  • Resource Adequacy: Does the CISO have the necessary resources?
  • Transparency: Does management encourage an environment where cyber incidents, near-misses, and vulnerabilities are reported promptly without fear of blame, so that residual risk can be appropriately addressed? Does the CISO have a direct reporting line to the board, or is cyber-risk reporting filtered through a CIO or other senior leader?
  • Evaluation: How do we assess the capability of our CISO/equivalent? What is the succession planning for CISO skills?
  • Collaboration: How does the cyber-risk team interact with other functions (e.g., finance, contracts, legal, compliance, technology, supply chain, and operations), and how are those interactions reported to the board? How well are the CISO and their team integrated with industry and customer/partner/supplier/government organizations to help inform their cyber-risk understanding? What is the relationship between the CISO/equivalent and the CIO/CTO/Chief Data/AI officers?
  • Escalation: What thresholds trigger direct communication between the CISO and the board?
  • Board Expertise: Does the board have enough cyber knowledge to interpret reporting and ask the right questions, or should it supplement with external advisors, a director with expertise, and/or supplemental training?
  • Resilience: How is the organization using insights from the CISO to inform broader resilience strategies across supply chains, partners, and industry? How are emerging cyber threats factored into strategic planning across the corporation?

Further Reading

CISA Cybersecurity Performance Goals

These common protections help all critical infrastructure entities—large and small—reduce the likelihood and impact of known risks and adversary techniques.

NIST Cybersecurity Framework

These resources help organizations understand and improve their management of cybersecurity risk.

World Economic Forum, Principles for Board Governance of Cyber Risk

A reference for corporate directors as they set their organization’s cybersecurity strategy and engage with stakeholders on the issue of cyber risk.
