CISOs are meeting with board leaders, but are they being heard?

Since 2023, the SEC has required public companies to explain how their boards oversee cybersecurity risk.

That means CISOs are getting some minutes in the boardroom to explain their company’s security posture to stakeholders. But standing in front of the class doesn’t mean everyone’s ready to pass the test: a recent report suggested those stakeholders aren’t understanding the cyber threat impact.

The 2026 Benchmark Report, released on Mar. 3 by cybersecurity insights group IANS Research and exec-recruitment firm Artico Search, reviewed responses from 17 board directors.

• They are getting together. An additional survey by the organization found that 95% of CISOs (out of 653 polled) provide regular updates to the board, with 60% engaging with the full group and just over one-third interacting with a board committee. About three in four (72%) of CISOs meet a committee quarterly.
• But the time is short. Just over half (51%) of CISOs meeting quarterly reported having between 15 to 30 minutes to speak. One in four of those meeting quarterly said they had fewer than 15 minutes.
• And something’s off. Only 30% of boards described the relationship with their CISO as “strong and collaborative.” Slightly more than half of the board respondents (53%) said reporting on the impact of evolving threats needs improvement.

The consequence of a board not knowing company cyber risk, according to IANS Senior Research Director Nick Kakolowski, is an organizational blind spot that leads to slower recovery if there’s a cyber incident.

“The more personal risk is that the CISO ends up being viewed as having missed the boat on putting the business in a position to manage that risk, and that the CISO gets blamed,” Kakolowski told IT Brew. (A 2025 Sophos report found that one in four cybersecurity leaders were replaced after a ransomware attack.)

Do I have your attention? About four years ago, Dave MacKinnon, chief security officer at cybersecurity platform N-able only had 30 minutes with the board. Now he has an hour and a half every quarter to describe the threat landscape, business risks, company security controls, and recent cybersecurity-related investigations. (MacKinnon meets with a subset of the board: the cybersecurity committee.)

His advice to someone who has just 15 minutes with the boardroom: “Have them understand what is the most critical risk to the business,” and let the board know where you might need help to address those risks.

At MacKinnon’s most recent meeting with the board’s cybercommittee in February, he spoke about data centers. N-able hosts data centers in the Middle East, and those facilities have become potential targets as the conflict in Iran continues.

“How do I translate that into a business risk which could impact those pieces and let the board assess it in terms that they understand?” MacKinnon said.

“The impact, from a business perspective, is, if that data center is hit by literally a bomb, we would lose operation there,” he added, while also noting the company has the ability to transition to another data center—another important detail to mention the board, to demonstrate minimal business disruption.

CISO says. Kakolowski shared strategic advice for a cybersecurity pro facing senior stakeholders:

• Leave time for questions. And put maturity updates, metrics, and current-event context into the background materials.
• Adjust as needed. He recommends determining discussion-topic priorities with executives before the meeting and being ready to “accordion” those talking points—expanding or compressing them as necessary. “There might be cases where I know I’m still going to talk about five things. I’m just going to talk about them in a different way,” he said. “Or it might be, ‘I know this one’s the most critical to the business right now, and there’s time sensitivity.’”

For Kakolowski, the challenge is not one that’s met by simply bumping the CISO’s time to 90 minutes.

“I don’t think of this as a time problem. It’s an impact situation,” he said. “How are you using the time?”