Threat Vector: "Communicating Cyber Risk Effectively to Your Board"
Date: August 21, 2025
Host: David Moulton, Palo Alto Networks
Guest: Abby Alderman, CEO & Founder of Boardspan
Episode Overview
This episode of Threat Vector dives into one of the most pressing challenges faced by cybersecurity leaders today: how can CISOs and security executives communicate cyber risk effectively to their company's board of directors? Host David Moulton welcomes Abby Alderman, a board governance expert and CEO of Boardspan, to break down how boardroom expectations of cybersecurity have evolved and what frameworks and practical tactics leaders can use to engage boards around cyber issues. The conversation centers on the OARS (Oversight, Accountability, Risk, and Strategy) framework and provides actionable advice for storytelling, agenda-setting, and building a strategic partnership between CISOs, CEOs, and boards.
Key Discussion Points & Insights
1. The Evolving Role and Tone of Boards in Cybersecurity
(02:36 – 03:30)
- Urgency and Complexity Rising: Boards today are grappling with increased complexity: global business, reliance on technology, and data-driven decision-making.
"The world's much more complex... People are throwing out Moore's Law already, and that's what's making it so complicated... If you want to be on the board, you have to keep pace." – Abby Alderman (02:36)
- Cybersecurity's Board-Level Importance: Cyber is no longer a purely technical concern; it affects business resilience, brand, and regulatory exposure.
2. The OARS Framework for Board Governance
(04:04 – 05:27)
- OARS Explained:
- Oversight: The board’s role is oversight, not direct management.
- Accountability: The board is ultimately responsible; they can’t delegate this.
- Risk: Focus on likelihood, business impact, and management’s mitigation plans.
- Strategy: Ensuring that risk and oversight feed into forward-thinking strategy.
"It's not the board's job to manage the risks, cyber or otherwise. It's the board's job to provide that oversight and ultimately be accountable and think about how it affects the strategy." – Abby Alderman (04:15)
3. Effective CISO-to-Board Communication
(05:27 – 08:04)
- Boards as Thought Partners: Use the board to challenge thinking and ask hard questions; avoid dragging them into technical minutiae.
"The best way to use a board most often is as thought partners… You don't want to draw the board into the weeds..." – Abby Alderman (05:38)
- Balance Detail and Accessibility: Frame the cyber risk conversation so it is neither too abstract nor too technical. Provide context on which risks have been accepted, which have not, and what controls are in place.
4. Tailoring Strategy and Storytelling for Board Impact
(08:04 – 11:10)
- Know Your Board:
- Different industries and board backgrounds require different approaches.
- Assess whether the company's key assets are digital and how existential a cyber event would be for the business.
- Gauge technical fluency; some members are deeply versed, others need the basics.
- Relevance Is Key: Use stories and case studies relevant to your company, not generic tales.
"If you do tell a story or use some case study that just isn't part of something that's realistically going to happen to our company, then you're kind of signaling you can tune out..." – Abby Alderman (09:37)
- Pre-Meetings or Education Sessions: Collaborate with the CEO to give less technically fluent board members extra education outside the main meeting, keeping the main session efficient.
5. The CEO’s Role in Board Engagement
(11:10 – 14:09)
- CEO Influence on Agenda: CEOs set meeting agendas and decide whether cyber issues get stage time.
"Knowing where your CEO is and how much he or she thinks the board needs to know about it is the great place to start." – Abby Alderman (12:10)
- Be Empathetic: The absence of cyber from every meeting's agenda does not signal that it is unimportant; often it is a vote of confidence in the security team.
- Typical Cadence: Cybersecurity comes up one or two times a year in board meetings; don't expect or demand more unless circumstances warrant it.
6. Accountability: Where Does the Buck Stop?
(14:20 – 15:58)
- Board’s Ultimate Responsibility:
- Boards cannot delegate accountability for cyber risk.
- Oversight includes asking questions, validating answers, and being satisfied with mitigation levels.
"They just can't point fingers at somebody else. So they have to, at that level, say, we have done our homework..." – Abby Alderman (14:40)
7. High-Performing Boards and Crisis Preparedness
(15:58 – 20:31)
- Crisis Preparedness vs. Risk Management:
- Risk: threats that are known and can be mitigated in advance.
- Crisis: events that cannot be mitigated away; plan in advance for communication, decision authority, and rapid response.
- Real-World Tabletop Example: Planning exercises often reveal overlooked details, e.g., nobody has the password to a critical account, or key contact details are missing.
"It's the simple things that sometimes go wrong... A lot of times you'll hear the wrong person spoke to the press..." – Abby Alderman (19:19)
- Tabletop Exercises: Highly recommended as an annual practice to "future-proof" crisis response.
8. Framing Cybersecurity as a Strategic, Not Just Technical, Function
(22:03 – 29:03)
- Making the Case to the Board:
- Start with personal conviction: why you believe cyber resilience is strategic.
- Use peer input and case studies that show how cyber enables growth or trust.
- Cyber Tied to Business Functions: Link cyber to business continuity, brand trust, the new initiatives it underpins, quantifiable risk, and governance.
"Cyber security can be very closely tied to business continuity and resilience. No board will deny that's important. Cyber is also incredibly intertwined with trust, brand and reputation..." – Abby Alderman (23:37)
- Bake Security into Business by Design: Integrate security early, not as an afterthought.
- Memorable Moment: Abby relates steelmaking quality control to "baking in" cyber.
"The best companies integrate the core tenets... into the manufacturing process. And so to your point, cyber fully integrated from day one... makes so much more sense." – Abby Alderman (27:46)
- Notable Quote: "Security is an ingredient in quality." – Roland Cordier via David Moulton (27:58)
9. Language, Tone, and Presentation: What Works
(29:03 – 33:17)
- Be Calm, Not Dramatic: Offer reassurance, not panic; don't over-dramatize, but don't sugarcoat either.
"If you're excitable and a little dramatic to try to make your point, that might backfire. So what the board is frankly looking for is reassurance..." – Abby Alderman (29:13)
- Be Direct and Efficient: Lead with the TL;DR: state your main ask and the "why" in the first minute. Summarize at the start and at the end, and leave room for questions rather than delivering a lengthy monologue.
- Storytelling Tips:
- Stay relevant and empathetic to the board's actual concerns.
- Irrelevant stories signal a disconnect and risk losing attention.
- Be Bold, Be Brave, Be Gone: David's mantra for succinct, impactful delivery.
"I'd rather them have questions and come seek me out than wish that I would shut up." – David Moulton (31:43)
10. Strengthening the Board with Right Skills and Mindset
(33:44 – 35:02)
- Desirable Board Competencies:
- Curiosity: Engaged, question-asking directors.
- Practicality: Balances short- and long-term priorities, cost/benefit.
- Resilience: Calm and composed—even when things go wrong.
Notable Quotes & Memorable Moments
- "The work of the board is hard and getting harder... If you want to be on the board, you have to keep pace." – Abby Alderman (02:36)
- "It's not the board's job to manage the risks, cyber or otherwise. It's the board's job to provide that oversight..." – Abby Alderman (04:15)
- "If you do tell a story or use some case study that just isn't part of something that's realistically going to happen to our company, then you're kind of signaling you can tune out..." – Abby Alderman (09:37)
- "They just can't point fingers at somebody else. So they have to, at that level, say, we have done our homework..." – Abby Alderman (14:40)
- "Security is an ingredient in quality." – Roland Cordier via David Moulton (27:58)
- "[Be] calm is really important. If you're excitable and a little dramatic... that might backfire." – Abby Alderman (29:13)
- "Be bold, be brave, be gone." – David Moulton (31:43)
- "Curiosity... practicality... resilience—those are the three things I'd call out." – Abby Alderman (34:01)
Key Timestamps
- 02:36: Boards’ evolving role and increased complexity
- 04:04: OARS framework introduction
- 05:38: Treat the board as thought partners, not technical deep-divers
- 09:37: Keep stories/case studies relevant to your organization
- 14:20: Where board accountability for cyber risk begins and ends
- 18:08: Importance of crisis preparedness and tabletop exercises
- 22:20: Positioning cyber as strategic, not just a cost center
- 27:58: "Security is an ingredient in quality."
- 29:13: The importance of a calm, direct tone in board discussions
- 33:44: Most valuable board member skills for cyber oversight
Summary & Takeaways
This episode provides a playbook for CISOs and cyber leaders striving to engage their boards strategically, not just tactically, on cyber risk. Abby's OARS framework and practical communication advice help CISOs keep messages focused, relevant, and strategic, while David's executive insights reinforce the importance of efficiency, confidence, and story-driven presentations. The conversation also emphasizes adaptability, matching tone and content to your board's unique makeup, and the importance of ongoing crisis preparedness.
For CISOs: Lead with the “why,” tailor stories for relevance, and use board members as thinking partners rather than technical reviewers. Collaborate actively with your CEO and ensure your language, tone, and confidence underscore that cyber risk management is central to business quality and strategic direction.
For Boards: Cultivate curiosity, resilience, and practical wisdom—these traits enable effective oversight in a world where cyber is a permanent and evolving business concern.
