How one CSO gets the most out of his minutes with the board

N-able’s Dave MacKinnon shares how to turn cyber threats into business risks that stakeholders can understand.

When Dave MacKinnon, CSO of cyber-resiliency firm N-able, first spoke to a board member, he was “scared to death.”

I don’t speak business like they do, he remembers thinking, as he discussed cyber threats with the company’s freshly spun-up cybersecurity committee, a subset of the board that came together about five years ago.

Since then, the interactions have thankfully gotten less scary; every quarter, he now has 90 minutes with the cybersecurity committee, and he has learned a few things about how to talk to stakeholders.

That’s an important skill these days, as a new report finds CISOs are getting the boardroom face-time, but business leaders still want higher-quality information on the impact of evolving threats. Given recent SEC regulations requiring boards of directors to oversee cybersecurity, CISOs have become important boardroom guests, presenting on topics like security controls and current threats.

MacKinnon spoke with us about translating cybersecurity impact into the language of business—and how to make the most out of your time with stakeholders, even if it’s just 15 minutes.

Responses below have been edited for length and clarity.

Why is it important to communicate the maturity level of security controls, as well as the threats facing the organization to the board?

The reality is, every company will have a security event at some point. Anybody who thinks they won’t has their head in the sand. So, understanding where your risk is from an organizational perspective, how ready is the business to absorb that risk, and what are you doing to mitigate it is critical.

How do you describe that impact?

I break it into two different aspects: What is the impact itself and probability of impact? We can really risk-score it out, and then if that impact is realized, what is the cost? If we saw this and we lost business operations for a day, how much revenue is tied to that?

What advice would you have for someone who has 30 minutes, or even 15 minutes? How do you make the most of your time?

It’s the tangible business risks. I often, internally, [say]: “Don’t talk about how the sausage is made. Talk about the sausage.” What you want to do is have them understand what is the most critical risk to the business. Where do you need help? And this is an area where I evolved tremendously. Actually, I was at a board dinner after a meeting, and [the chairman of the board] said, “Don’t be scared to ask us for help. That’s what we’re here for.” Sometimes it’s not just about making everything look pretty. No organization is perfect, but understand: What are the business’s biggest risks? Where do I need help? And even if it’s a breakout after the board meeting, get that time with the board members to drive forward those initiatives that really could impact the business.

What does “help” mean here? Is it a tool? Resources?

It depends on the risk. It could be dollars to support an initiative. It could be a tool. It could be additional resources. It could be a backing. I have three bosses. I report to the chief technology product officer for N-able, I report to the CEO, and I report to the board. What I want to do is make sure when I ask for help that I have an escalation path. So, regardless of what I’m asking for—maybe if the internal team is dismissive, but you believe the risk is significant enough—having that relationship to drive forward that risk to the board, I think, is critical…you have their attention for 15 minutes. Every board member is concerned about what’s happening in cyber. But if you think about cyber, it’s enterprise business risk. So, how do you tie down: What is the risk? What are resiliency plans? How are we accounting for what could happen? And then, where can they help drive it forward if you’re not getting the right traction or the right funding, or whatever you happen to need?

Correction 03/12/2026: This conversation has been updated to delete a parenthetical about a board discussion.

About the author

Billy Hurley

Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.
