Translating Cyber Risk Into Boardroom Language: Bridging the Gap for CISOs in ANZ

Mike Saxton - CRO MyCISO

The Disconnect: Tech Talk vs. Business Talk

Many Chief Information Security Officers (CISOs) present detailed reports (NIST control scores, patch compliance rates, vendor risk questionnaires) only to be met with blank stares in the boardroom. It’s not that boards don’t care about cybersecurity risks; it’s that they often don’t speak the same language. When CISOs speak in technical terms and boards focus on financial outcomes, the miscommunication can leave organizations vulnerable. The challenge (and opportunity) for security leaders is to translate geek-speak into business impact.

Boards and non-executive directors (NEDs) are charged with protecting the company’s value and reputation. They’re worried about brand damage, customer trust, regulatory compliance, and the bottom line – not the intricacies of patch management or control audits. So how do we reframe our cyber discussions to hit home for a business audience? By turning technical metrics into business risk terms.

From Security Metrics to Business Impact

To secure buy-in (and budget), CISOs need to recast cybersecurity issues as enterprise risks that directors do care about. Here are key translations to consider:

  • Control Deficiencies → Brand and Reputation Risk: Telling the board "we have 20 NIST control deficiencies" won’t resonate. Instead, explain that each unmitigated control gap is a potential breach that could erode customer trust and damage our brand. A data breach now ranks among the top three most negative events for a company’s reputation, even worse than a CEO scandal. Nearly two-thirds of consumers lose trust in an organization after a breach, and almost one-third will take their business elsewhere.

  • Patching Delays → Breach Consequences and Customer Churn: Frame patching as “unpatched systems increase the likelihood of a costly breach, which could drive customers away.” After a major Australian telecom’s data breach, up to 10% of its customers said they switched providers – a churn that would cost millions in lost revenue. Industry studies back this up: companies that suffer a breach see customer churn rates jump as much as 7%.

  • Supplier Questionnaires → Supply Chain and Business Continuity Risk: Link vendor security gaps to potential business disruption. A single compromised IT provider enabled hackers to access millions of customer records at multiple companies. Emphasize that “trust but verify” is not enough; we need to continuously monitor and mitigate third-party cyber risks to prevent downstream impact on our brand and customers.

  • Employee Training → Human Firewall Against Attacks: Rather than reporting training completions, illustrate how awareness programs reduce social engineering attacks. A single phone call enabled hackers to breach Qantas in 2025 by socially engineering an offshore call center. In the UK, Marks & Spencer suffered a massive ransomware attack triggered by a helpdesk impersonation.

Real-World Wake-Up Calls: Cyber Incidents Hit Home

Recent breaches in Australia and the UK provide board-friendly talking points:

  • Qantas Data Breach – Brand Damage via Third-Party Lapse: In July 2025, attackers impersonated a user over the phone and accessed a vendor-managed Qantas platform, exposing data of 5.7–6 million customers. Public outrage and media scrutiny followed, reinforcing that our brand is only as secure as our weakest supplier.

  • Marks & Spencer Attack – The Human Factor Costs Millions: In the same year, M&S suffered a ransomware attack that began with an attacker impersonating an employee to an external IT helpdesk. Around 150 GB of data was stolen, operations halted, and significant recovery costs were incurred. This illustrates how weak verification processes and untrained personnel can lead to multimillion-dollar damage.

Speak the Language of Business Risk

To connect with boards and NEDs, CISOs must:

  • Quantify and Relate to Business Outcomes: Frame risks in terms of customer retention, revenue impact, regulatory fines, uptime, and competitive advantage.

  • Use Plain Language and Business Analogies: Replace jargon with metaphors (e.g., “unlocked back door” for SQL injection).

  • Emphasize Reputation and Trust: Stress how breaches erode trust and prompt costly remediation, marketing, and support measures.

  • Highlight Regulatory and Legal Stakes: Reference tightening ANZ privacy regulations and the legal/financial implications of breaches.

  • Tell Stories, Not Just Stats: Use memorable real-life incidents (like Qantas, M&S, Optus, Medibank) to humanize cyber threats.

A Collaborative Path Forward (Call to Action)

Cybersecurity is a strategic investment in protecting customers, reputation, and business continuity. When boards understand cyber risk in their own terms, support and funding follow naturally.

See you at CISO Melbourne! Let’s continue this important conversation and share practical ways to align cybersecurity with executive priorities.

MyCISO #cybersecurity #empowersecurity #boardreports


References:

Qantas breach: https://www.abc.net.au/news/2025-07-02/qantas-data-breach-phone-scam-affects-millions/103982702

Marks & Spencer ransomware attack: https://www.infosecurity-magazine.com/news/marks-spencer-suffers-major/

Ponemon study on brand damage: https://www.ibm.com/reports/data-breach

Customer churn after breach: https://www.cpomagazine.com/cyber-security/customer-churn-rises-by-7-after-data-breaches/

Optus breach and customer loss: https://www.smh.com.au/business/companies/optus-customers-switch-providers-after-breach-20221001-p5bm5u.html
