CISOs, CIOs and Boards: Bridging the Cybersecurity Confidence Gap
Summary: The article notes that 90% of non-executive directors lack confidence in the value of cybersecurity. CISOs and CIOs need to communicate with the board through business-relevant stories and language (risk, resilience, ROI) rather than technical detail. This raises the board's confidence in cybersecurity investment and positions it as strategic rather than a cost center. 2025-12-4 07:21:39 Author: securityboulevard.com

CISOs and CIOs, here’s your chance to prove to your boards the value of cybersecurity…because they need your help badly. And future investments — and therefore your organization’s security posture — depend on it. 

Nine in ten non-executive directors (NEDs) lack real confidence in the value of cybersecurity, according to a new Gartner survey. The numbers confirm what we’ve long said: Boards aren’t fluent enough in cybersecurity to tie it with confidence to cost and risk. “Corporate Boards operate under the principle of ‘nose in, fingers out’ (NACD), meaning they’re looking into the business without running it,” says Trey Ford, chief strategy and trust officer at Bugcrowd. 

But now that organizations and regulators are pressing boards to draw those connections and make decisions accordingly, time is of the essence.  

“Non-Executive Directors are not questioning the importance of cybersecurity,” says Darren Guccione, CEO and cofounder at Keeper Security. “They want a clearer view of how security decisions influence the business. When conversations are dominated by technical detail, it becomes difficult for them to link risks or controls with the organization’s ability to operate and grow.” 

For guidance, security pros can look to the 10% of NEDs in the 2026 Gartner Board of Directors Survey who have strong confidence in the value of cybersecurity investments and initiatives, and to the CISOs and CIOs who helped them make sense of it all. Gartner calls these CIOs and CISOs “sense-makers”: they provide transparency on the organization’s actual exposure levels and readiness for specific threats, rather than general cyberthreat trends, so NEDs have the information needed to make informed decisions and secure the best outcomes for the business. 

Chad Cragle, CISO at Deepwatch, says that having a seat at the table has been one of the most important steps in his career. “What’s said behind closed doors helps me stay ahead, whether M&A, product pivots, or expansion plans help align security to the business before I’m told to,” he explains. “But let’s be honest; that seat isn’t guaranteed. You earn it by building trust and proving value.” 

To get that coveted seat, Cragle says CISOs must “move away from fear-based metrics and start telling business-aligned stories.” Instead of talking about how many threats were blocked, he says, “translate that into what it would’ve cost if one got through, how long it would’ve taken to recover, and how we compare to peers.” 

More effective, says Guccione, “is to connect cybersecurity to business outcomes that boards already care about.”  

In addition, show them “how cyber accelerates go-to-market, protects revenue, preserves brand equity, and keeps regulators off the board’s radar,” Cragle says.  

To sway NEDs toward viewing cyber as strategic, rather than just a cost center, he stresses speaking their language. “Talk in terms of risk, resilience, and ROI,” Cragle says. “When you stop making cybersecurity sound like a mystery and start making it sound like a competitive advantage, that’s when you stop presenting to the board—and start advising with them.” 

But it’s challenging. CISOs find it difficult to brief a board they “see for 15 minutes two-to-four times a year, where they’re briefing on cybersecurity investments, risk tradeoffs, and compliance — while providing an honest assessment of the tension between managing risk (accepting or treating) and dealing with untreated exposures and incidents,” says Ford. 

“Frankly speaking, in most cases, a board has 4-8 hours of grueling quarterly meetings, and the cyber risk owner (CISO) shows up to brief them toward the very end of the day,” he explains. “They’re exhausted, and digging into technical nuance that is often well outside their domain of expertise is challenging for everyone in the room.” 

But that might change if CISOs speak the same language as the board. When NEDs can evaluate cybersecurity the same way they evaluate any other strategic risk, Guccione says, “the discussion becomes clearer and confidence increases.” 

He points to one area illuminating this connection — identity-related risk. “Many incidents today begin with compromised identities, and the consequences show up immediately in business terms,” he says. “When organizations strengthen how they manage credentials and privileged access, they reduce risk in a meaningful and measurable way. That improvement isn’t a technical win. It’s a business win.” 

Source: https://securityboulevard.com/2025/12/cisos-cios-and-boards-bridging-the-cybersecurity-confidence-gap/