Why CISOs Fail in the Boardroom: The Real Reasons and How to Fix Them
By Ali Zeb · April 2025 · 8 min read
Most CISOs are exceptional at their jobs. They understand threat landscapes, manage security programmes of genuine complexity, and make consequential decisions daily under conditions of uncertainty that would paralyse most senior executives. And yet a significant proportion of them fail in the boardroom, not catastrophically, but quietly and persistently, in ways that erode board confidence, reduce security budgets, and ultimately limit the organisation's ability to manage cyber risk well.
The failure is almost never technical. Boards do not lose confidence in CISOs because they doubt their security expertise. They lose confidence because the CISO has not made the translation from security practitioner to board-level executive. The two roles require fundamentally different skills, and the pathway from one to the other is rarely formal, rarely taught, and rarely discussed with the honesty it deserves.
Having served as CISO across multiple FTSE 100 and regulated organisations, and now as an advisor who sits in boardrooms independently, I have seen both sides of this dynamic in considerable detail. The patterns of CISO boardroom failure are consistent, identifiable, and fixable.
The four failure patterns
These are not hypothetical failure modes. They are patterns I have observed directly, across financial services, insurance, critical infrastructure, and global enterprise organisations.
Reporting information instead of enabling decisions. The most common failure is a board report that is accurate, comprehensive, and entirely wrong for the audience it serves. Traffic light dashboards, vulnerability counts, patch rates, and mean-time-to-detect figures are the language of security management. They are not the language of governance. A board cannot make a decision from a dashboard. It needs to understand the decisions it is being asked to make, the trade-offs involved, and the consequences of the available choices. A CISO who reports information without framing decisions will gradually lose the board's attention, and with it, their influence over the things that actually matter.
Translating risk into technical terms, not financial ones. Cyber risk is real and measurable, but most CISOs express it in technical language that boards cannot connect to the financial, operational, and reputational frameworks they use to govern everything else. A critical vulnerability in a payment processing system means nothing to a board director without a CFO background. A potential exposure of £40 million in regulatory fines and remediation costs, plus reputational damage that our insurer has told us they would not cover fully, is a governance conversation. The CISO who cannot make this translation will always be presenting to a room that is not fully engaged.
Seeking approval rather than accountability. There is a structural dynamic that many CISOs fall into: presenting to the board in a way that seeks endorsement rather than inviting scrutiny. This happens because scrutiny feels threatening, and because the CISO often knows far more about the subject than any director in the room. The result is a one-directional relationship that the board tolerates but does not value. Boards trust advisors who invite challenge. The CISO who presents a security programme as already correct, already governed, already on track, creates no role for the board to play. And an executive the board has no role in governing is an executive the board will, over time, marginalise.
Positioning security as a cost rather than a governance discipline. The CISO who consistently frames security in terms of budget requirements, headcount needs, and tool investments has positioned themselves as a cost centre to be managed, not a governance function to be supported. Boards fund things they understand as strategic. When security is framed as operational expenditure with an opaque return, budget decisions default to the lowest number the board believes it can get away with. This is a framing failure, not a board failure.
"The CISO who speaks only in technical language in the boardroom has made a category error. The board is not a more senior technical audience. It is a different audience entirely."
Ali Zeb
What the board actually needs from its CISO
Understanding the failure modes is useful. Understanding what effective board engagement looks like is more useful.
Decision framing, not information delivery. Every board report should be structured around two or three decisions the board is being asked to make or endorse, not a comprehensive update on the security programme. What is the risk? What are the options? What does management recommend, and why? What does the CISO need the board's input on? This structure respects the board's time, clarifies its role, and creates a record of governance that regulators expect to see.
Risk language that connects to business language. Every material risk should be expressible in financial and operational terms. This requires the CISO to work closely with the CFO and the risk function, not to simplify the risk, but to translate it into a language that connects to how the board already thinks about the organisation. CISOs who build these relationships internally find their board conversations change almost immediately.
Inviting challenge rather than deflecting it. The most effective CISO board presentations I have seen are the ones that explicitly acknowledge uncertainty, present genuine trade-offs, and invite the board to contribute something. Where do you think our risk appetite sits on this? Is this the right trade-off for this organisation at this moment? These are governance questions, and asking them gives the board a reason to be present, engaged, and invested in the answer.
The organisational dimension
It would be incomplete to discuss CISO boardroom failure without acknowledging the organisational factors that contribute to it. Many CISOs fail in the boardroom partly because the organisation has not created the conditions for them to succeed.
A CISO who reports to the CIO, rather than the CEO or directly to the board, is structurally disadvantaged. Their board access is filtered. Their risk escalations pass through a technical intermediary. Their strategic perspective is mediated by a function with different priorities. The reporting line matters enormously, and organisations that are serious about cyber governance should examine it carefully.
Equally, boards that have never defined what they want from the CISO, what questions they need answered, what decisions they expect to make, cannot complain when the CISO's reports do not serve those purposes. The most effective CISO-board relationships are the ones where a conversation has taken place, early and explicitly, about what the board needs and how the CISO can provide it. In organisations where that conversation has not happened, the gap will persist regardless of how talented the CISO is.
Ali Zeb is an Executive Cyber Security Advisor, Non-Executive Director, and former advisory member at the FCA, NCSC, and Lloyd's of London Market Cyber Risk Committee. He works with boards and CISOs on governance, reporting frameworks, and the structural conditions that allow cyber risk to be governed effectively at the highest level.
Disclaimer
The views and opinions expressed in these articles are those of the author, Ali Zeb, and are provided for general informational and educational purposes only. They are based on professional experience, independent research, publicly available information, and the use of artificial intelligence tools to support analysis and content development.
While every effort is made to ensure the accuracy and relevance of the information presented, no representation or warranty, express or implied, is made as to its completeness, accuracy, or suitability for any particular purpose. The content should not be relied upon as professional, legal, regulatory, or financial advice.
Readers are encouraged to seek appropriate independent advice specific to their organisation and circumstances before making any decisions based on the information contained in these articles.
To the fullest extent permitted by law, the author accepts no liability for any loss, damage, or consequences arising directly or indirectly from the use of, or reliance on, the information provided.