It should be safe to assume executives at a corporation are in conversation with members of their board, but it seems some CISOs are being left out of the group chat.
According to recent findings from research group IANS, 40% of surveyed security officers at small and midmarket firms reported minimal or no access to their boardroom. About 20% of the 363 pros polled said they meet with the full board at least semiannually, and 40% do so quarterly.
That lack of interaction can pose a risk to an organization, according to IANS Senior Research Director Nick Kakolowski, as it could be an indicator that “the business doesn’t adequately understand the impact cybersecurity has on its overall organizational risk, that it thinks of cyber as an isolated thing.”
Now introducing. When Michael Welch became CISO at OSI Group—a food supplier with over 20,000 employees and 65 global facilities—it took him 11 months to get into the boardroom.
In 2018, his role was new, Welch said, and the CIO had previously handled security-related conversations with board members. Throughout his first year, he got to know the executive leadership team, and they got to know him and learn about his experiences, which, in addition to security, included building businesses and achieving an MBA.
When Welch finally reached the boardroom, he had nerves, excitement, and…seven minutes.
In that first meeting, he remembers connecting with the room’s business leaders on a simple fact: Food manufacturing was not protected from cyber adversaries. “We have an internet presence. We are a target,” he recalled discussing, and he soon earned a regular invitation to the quarterly meeting. He is now managing director at MorganFranklin Cyber.
Kind of a big deal. A VikingCloud survey of 208 North American small and medium-size businesses (SMBs), released in March 2025, found that 1 in 3 SMBs experienced a cyberattack in the past year. Almost one-third (32%) of SMBs reported that $10k in lost revenue or unplanned expenses would take them out of business.
A previous 2025 report from IANS Research found that 53% of large enterprise CISOs engage with the full board on at least a quarterly basis.
The average global data-breach cost, according to IBM’s annual report, reached $4.88 million in 2024.
Let me in! For CISOs locked out of the boardroom, Kakolowski recommends building relationships with other executives and getting involved in cross-functional projects, like an AI steering committee.
“You can start to demonstrate value and start to show that you have something to offer, to a point that another executive says, ‘Hey, we need this person to come to this board meeting and talk about this, because they’re the ones who know what’s going on,’” Kakolowski said.
Welch told us that he had a strong relationship with OSI’s CFO, with whom he frequently discussed future budgets. Finding who “that right advocate is within your business” helps with boardroom access, he said.
“You really do have to continue to ask, and if the company continually says no, then you have to decide, ‘Hey, is this the right place to be?’ Because at the end of the day, the [CISOs] in some organizations are the ones that are responsible for the protection.”