How to Talk to Your Board About Cybersecurity

How-To

Written by Brightside Team

That gap, between how loudly organizations say they value security and how little they actually let security leaders influence decisions, is what this article is about. If you've ever presented a thorough, data-backed security update and watched executives glaze over, or asked for budget and been told the numbers "don't make a compelling case," the problem isn't your work.

Why this matters right now: 78% of CISOs are personally worried about being held liable for security incidents, up from 56% the year before (Splunk, 2025). Boards are no longer passive. The stakes of not speaking their language have never been higher for your program or your career.

The Real Problem: You're Speaking a Language They Were Never Taught

Security teams optimize for technical accuracy. Executives optimize for business outcomes. When those two goals meet in a boardroom, technical accuracy usually loses.

One Atlassian CISO put it plainly in a Reddit AMA: "If you speak in CVE scores or firewall logs, you are signaling that you belong in the basement, not the boardroom. To be heard, you must translate technical debt into financial risk."

That's the whole problem in two sentences.

But there's a second issue that's just as damaging: inflated ROI claims. The "18 kajillion dollars" problem is real. A senior manager described watching a security team present to executives, citing a Gartner study on breach costs and multiplying it across every vulnerability in the environment. The number was so astronomical he started laughing out loud at the meeting. Inflated math destroys credibility faster than having no data at all, because it tells the room that you can't be trusted to report accurately under pressure.

And then there's the fundamental mismatch in attention. As one practitioner on r/cybersecurity put it: "For you, security is the main thing. For them, it's one of a thousand things." Executives don't have the same context you do. They don't experience the threats you deal with every day. That's not negligence on their part; it's just organizational reality.

The fix isn't finding a better vulnerability chart. It's reframing the entire conversation.

The Framework: Five Steps to Translate Security Into Business Language

Step 1: Diagnose what your executive actually cares about

Before you build a single slide or pull a single metric, you need to know your audience. Not all executives care about the same thing, and the CISO who succeeds at board communication is the one who figures that out early.

One practitioner described this clearly from experience: a CTO who cared about individual engineering team effort towards reducing security risk got a dashboard built around security debt by team. A CEO who cared about phishing above everything else got a dashboard showing phishing simulation fail rates and email detection metrics. The same security program, communicated completely differently to two different people.

There are three broad executive archetypes worth knowing:

  • Revenue-first CEOs respond to customer trust, brand reputation, and what a breach would actually cost the business in lost contracts or reputational damage.

  • Risk-aware CFOs respond to breach cost math (used conservatively), regulatory fines, and the emerging personal liability angle, which we'll come back to.

  • Operationally-minded CTOs and COOs respond to MTTD and MTTR mapped against internal SLAs, security debt by team, and time-to-contain metrics that connect directly to operational continuity.

The fastest way to find out which type you're dealing with is to ask. Not in a security briefing, but in a separate conversation. What concerns you most about the business this quarter? What would keep you up at night if it went wrong? Those answers tell you what your dashboard should show.

Step 2: Anchor in business outcomes, not security outcomes

The single most common mistake in security reporting is presenting outputs instead of outcomes.

Compare these two statements:

"We patched 120 vulnerabilities in Windows this month."

"We patched a critical Citrix vulnerability that was externally exploitable before any damage was done. A similar vulnerability caused a competitor's revenue system to go offline for six hours last month, costing them an estimated $178,000 in employee downtime alone."

Both statements describe the same security work. Only one connects to something the board can act on or remember.

PwC's research across 4,042 executives in 77 countries found that 57% cite customer trust and 49% cite brand integrity as their primary reasons for investing in cybersecurity. They're not motivated by threat intelligence. They're motivated by not losing what they've built. Lead with that.

Step 3: Use honest ROI math, and know when to stop

There's a version of breach cost math that works, and a version that backfires. The version that works is specific, bounded, and tied to a real action your team took.

"We blocked 168 phishing emails in November. The average cost of a phishing-origin breach is $5 million, with phishing as the primary entry point. We stopped 168 entry points." That's credible. It's falsifiable. It connects to a known number.

The version that backfires multiplies a Gartner industry figure across every vulnerability you've ever touched and presents a number that nobody in the room believes. When an executive laughs at your ROI claim, you've lost their trust for the next three briefings.

Beyond breach prevention math, there's another ROI frame that's often more credible: manpower savings. If your security platform saves ten analyst hours per week, that's directly measurable. As one practitioner noted: "if you can show how your stack saves manpower hours, or even the need to hire more people, that is definitely something that business leaders understand and care about." That calculation doesn't require any assumptions about breach probability.

Step 4: Benchmark against competitors

Executives understand competitive positioning intuitively, even when they don't understand security. Tools like SecurityScorecard and Bitsight rate organizations against others in their industry. Practitioners consistently find that this framing lands: "Execs are very interested in how you measure up against your competitors."

Pull your industry's average security score, show where you sit, and frame it as a business risk, not a technical one. If your organization scores below the industry median, you're carrying more risk than peers who compete for the same customers. If you score above it, you have a story about trust and brand integrity that sales teams can actually use.

Step 5: Negotiate KPIs with the board, don't present them

The most underused tactic in board security communication is asking instead of telling. One practitioner with board-level experience put it simply: "It's not what you want to show. It's what the board wants the CISO to achieve."

Most CISOs walk into a board meeting with a pre-built dashboard and spend the time presenting it. The more effective approach is to have at least one conversation where you ask the board what they want you to accomplish this year, and then build your metrics around those answers. You're not running a product discovery session, but the principle is the same: understand the customer before you build the product.

The output of that conversation becomes your KPIs. When the board has agreed on what success looks like, every subsequent briefing becomes a progress report on something they already care about. That's a very different dynamic than showing them a list of things you think are important.

The Metrics That Actually Land, and the Ones That Don't

Based on what practitioners share across r/cybersecurity, r/ciso, and real CISO experience, here's what consistently works in board-level reporting:

Metrics that work:

  • Time to detect and contain incidents mapped against your internal SLAs (operational language)

  • Percentage of critical business processes with tested recovery plans (resilience language)

  • Phishing and vishing simulation fail rates with month-over-month trend lines (human risk language)

  • Security debt by team (engineering accountability language)

  • Industry security score versus competitors (competitive language)

  • Manpower hours saved through automation (efficiency language)

Metrics that consistently don't work:

  • Raw vulnerability counts without any exploitability context

  • CVE scores without business impact mapping

  • Framework compliance percentages (NIST CSF scores, ISO 27001 Annex A coverage) presented to non-technical audiences

  • Inflated ROI projections that can't survive a single follow-up question

  • MITRE ATT&CK mappings in board presentations (practitioners are explicit: "that's where I lose exec interest")

One commenter summarized what most C-suites actually see when they look at a security dashboard: "Red bad, green good, next." You can be frustrated by that or you can design your reporting around it. The teams getting budget are doing the latter.

The Human Risk Conversation: Why Vishing Is Your Best Entry Point to the Board

Voice phishing and deepfake attacks have become the most board-accessible topic in the security briefing over the last 18 months. Not because the technology is new, but because it's visceral, personal, and increasingly hard to dismiss as an IT problem.

The numbers create urgency on their own. Voice cloning requires just 20 to 30 seconds of source audio. AI assembles a full phishing campaign in five minutes. Vishing incidents jumped 1,633% between Q4 2024 and Q1 2025 (Bluefire Redteam data). One security team built a deepfake of their CEO in 90 minutes using free tools and a public LinkedIn video.

But numbers alone don't land the way a story does. In August 2025, Cisco disclosed a breach that started with a single vishing call. An attacker posed as an authorized colleague, convinced a Cisco representative to grant access to a third-party cloud CRM, and exported customer data including names, email addresses, phone numbers, and account metadata. No sophisticated exploit. No zero-day. One phone call.

The downstream costs described in the post-incident analysis are written in exactly the language boards understand: regulatory exposure under GDPR and UK data protection law, civil liability from customer class actions, operational distraction from the triage and investigation process, share price impact in the 24 hours following disclosure, and long-term trust deficit affecting contract renewals in regulated sectors.

Practitioners running internal vishing simulations are seeing something that should make any board pay attention: even with training in place, cloned CFO voices used in wire transfer scenarios have a 40 to 50 percent success rate. And when simulations use real executive voices instead of generic voice actors, response rates triple.

One practitioner's recommendation for making this land in a board room: show the executive a deepfake of themselves, or play a simulated vishing call using their own voice. Nothing converts a skeptic faster. It moves the conversation from abstract threat modeling to something personal in about 90 seconds.

The board demo that works best, according to practitioners doing this in the field: have the CEO record a short video saying "If you get a call from me asking for anything sensitive, verify it through your department head first." That single policy anchor, delivered by the executive themselves, does more than any training module.

Top 5 Platforms for Voice Phishing (Vishing) Awareness Training

Not all vishing simulation tools are equal. A voicemail drop is not a live conversation. An AI agent that reads from a script isn't the same as one that adapts in real time. The platform you choose affects both the realism of your simulations and the quality of the data you can bring to board-level reporting.

1. Brightside AI

Brightside runs live adaptive AI vishing calls where the agent responds dynamically in real time, not from a script, and adapts its approach based on how the conversation unfolds. Its Hybrid Attack feature runs a coordinated phishing email plus AI voice call as a single campaign, mirroring how real multi-channel attacks work. Admins can clone executive voices from a one- to two-minute recording, and an AI-powered strategy recommender suggests social engineering tactics with explanations of why each one works psychologically.

For board communication specifically, Brightside's Admin Portal surfaces fail rate trends across 7-, 30-, and 90-day windows, answer rates, and median call durations with month-over-month tracking. The NIST-aligned difficulty scoring lets you map program improvement against a recognized external benchmark, which adds credibility when presenting results to people who aren't security professionals. It's part of a broader platform covering email phishing, vishing, deepfake simulations, and interactive courses.

Where Brightside stands apart from the broader suites: its simulation design depth, particularly for AI-era attack rehearsal across email, voice, and deepfake channels, is more explicitly developed than most platforms that treat vishing as one feature among many.

Key metrics for board decks: fail rate trend, answer rate, NIST-weighted simulation failure rate, month-over-month improvement.

2. Jericho Security

Jericho offers live adaptive AI conversations, voice cloning, and deepfake video simulation across email, SMS, voice, and deepfake channels in a single platform. Their deepfake simulation capability is confirmed across synthetic voice calls, AI video impersonations, and synthetic identity scenarios. They also provide behavioral risk dashboards with role-level analytics and risk scores by team, so reporting capability is more developed than in a pure simulation-only tool.

Their clearest strength is rapid AI-generated phishing pretexts and conversational multi-channel realism. Where Brightside has an edge is in explicit hybrid attack design (a single template that coordinates a voice call and phishing email simultaneously) and the admin-side workflow for building and previewing vishing simulations before launch. Jericho is well-suited for organizations with sophisticated red team needs and those that want multi-channel attack coverage including deepfake video in one platform.

3. Hoxhunt

Hoxhunt includes self-serve vishing simulations with role-based targeting and deepfake voice cloning as part of its broader human risk platform. Its strongest differentiator is adaptive difficulty: the platform continuously adjusts the difficulty of simulations based on individual user performance, and it connects threat intelligence into the phishing realism engine in a way that keeps simulations current. SOC workflow integration is a genuine capability rather than a marketing claim.

The vishing simulations are browser-based rather than live outbound AI phone calls, which matters for executive demonstration purposes. The live AI call that makes someone's stomach drop when they hear their own CFO's voice asking for a wire transfer is a different experience from a browser-based simulation. It's a good platform for organizations already invested in the Hoxhunt ecosystem or prioritizing adaptive difficulty and SOC integration over vishing depth.

4. KnowBe4

KnowBe4 offers Vishing Security Tests (VST) as automated voicemail-style simulations available from Gold tier and above, and Callback Phishing (an email containing a phone number the user calls in to) at Diamond tier only. Neither is a live outbound AI conversation in the way Brightside or Jericho work. KnowBe4 also integrates with Mirage, a third-party AI-driven vishing platform, via their KSAT console, but this is an add-on integration rather than a native capability.

Where KnowBe4 genuinely wins: content scale (25,000+ phishing templates), automation maturity through AIDA, language coverage across 35+ languages, and deep integration with compliance frameworks. For organizations that need the broadest possible awareness training library with strong reporting and want vishing as one feature among many, KnowBe4 is a defensible choice. For organizations that need live adaptive vishing realism and voice cloning as a core capability, the native tooling isn't there.

5. SoSafe

SoSafe simulates attacks across email, SMS, QR codes, social media, phone-based vishing, and USB drops as part of a multi-channel offering. Their "Danger Lab" provides a self-service AI-powered environment where users can input their own details and experience a personalized simulated vishing or smishing attack, which is more sophisticated than a static template library. Vishing simulations run as phone-based attack scenarios but are not live outbound AI calls in the Brightside or Jericho sense.

SoSafe's strongest differentiators are behavioural science underpinning (they have a PhD cognitive psychologist on staff and frame the entire training approach around behaviour change rather than compliance), GDPR and privacy-by-design positioning (they process data exclusively within the EU), strong European market scale at 5,500+ organisations, and NIS2, ISO 27001, and HIPAA compliance coverage. For European buyers, particularly those in regulated industries navigating NIS2, SoSafe's regional positioning and compliance depth are genuine advantages. Vishing is a channel in a broader platform rather than a standalone deep capability.


| Feature | Brightside AI | Jericho | Hoxhunt | KnowBe4 | SoSafe |
|---|---|---|---|---|---|
| Live adaptive AI call | Yes | Yes | No | No | No |
| Voice cloning | Yes | Yes | Yes | No | No |
| Hybrid attack (call + email) | Yes | No | No | Diamond only | No |
| Board-ready vishing dashboard | Yes | Behavioral risk dashboards | No | No | No |
| AI strategy recommender | Yes | No | No | No | No |
| Preview before launch | Yes | No | No | No | No |
| NIST-aligned difficulty | Yes | No | No | No | No |
| Adaptive difficulty engine | No | No | Yes | Yes (AIDA) | Yes |
| European compliance depth | No | No | No | No | Yes |

What a Board-Ready Security Briefing Actually Looks Like

All the frameworks above collapse into a practical question: what does a one-page board briefing actually contain?

  1. Where we stand. Two or three metrics tied to what this specific board cares about, in business language. Not vulnerability counts. Breach exposure relative to peers, operational downtime risk, or customer data protection status depending on which exec archetype you're dealing with.

  2. What changed this quarter. One specific action your team took, plus one measurable outcome. For example: "Our vishing simulation fail rate dropped from 47% to 31% after we ran targeted deepfake awareness sessions with finance and executive support teams. We've identified the three employee segments that still need attention and have a plan for next quarter."

  3. Where the risk is. One forward-looking concern, framed in financial or reputational terms. Not "we have unpatched systems." Instead: "Our third-party CRM vendor failed two recent security assessments. Verizon's latest breach report shows third-party involvement in breaches doubled in a single year. We're recommending we reassess that contract before renewal."

  4. What we need. One ask, with ROI framing they can defend to a CFO. Not "we need more headcount for the SOC." Instead: "Adding one analyst would let us reduce our current 47-minute average detection time to under 20 minutes, which is the threshold we need to meet under our cyber insurance policy and our NIS2 obligations."

Four things. Not fifteen slides. Not a vulnerability heat map.

A few things to leave out: MITRE mappings, detailed patch statistics, tool-level metrics nobody asked about, and anything that requires explaining a framework before you can explain the risk. If you need to define a term before you can make the point, rephrase until you don't.

The goal isn't to impress the board with volume. It's to give them one or two things they'll still remember in the parking lot. Security leaders who've cracked board communication consistently describe it as simplifying down to the point where it almost feels too obvious. That's usually when it works.

Getting the Data to Have This Conversation

The board conversation about human risk is only as strong as the data behind it. Saying "our employees are vulnerable to vishing attacks" is a claim. Saying "our vishing simulation fail rate sits at 43%, compared to an industry benchmark of 31%, and our executives have a higher compromise rate than the general employee population" is a number that requires a response.

That's where your simulation platform matters, not as a training tool alone but as a reporting engine. The metrics that make board presentations land (fail rate trends over time, answer rates by department, the delta between trained and untrained employee groups) all need to come from somewhere.
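As an added illustration (not code from the original post, and not Brightside's or any vendor's product), here is a small Python script that derives the board-level vishing metrics this section lists from raw simulation call records: fail rate over 7-, 30- and 90-day windows, answer rate, fail rate by department, the trained-versus-untrained delta, and median call duration. The record layout, the benchmark figure, and the definition of fail rate as the share of answered calls in which the target acted on the pretext are assumptions made for this example; the call records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median


@dataclass(frozen=True)
class CallRecord:
    """One simulated vishing call. Field names are assumptions for this example,
    not any vendor's export format."""
    day: date          # date of the simulated call
    department: str
    trained: bool      # employee completed awareness training before the call
    answered: bool     # employee picked up
    failed: bool       # employee acted on the pretext (disclosed data, approved a transfer)
    duration_s: int    # call length in seconds, 0 if unanswered


AS_OF = date(2025, 12, 1)   # reporting date for the briefing (constructed)


def _d(days_ago):
    return AS_OF - timedelta(days=days_ago)


# Constructed sample data: (day, department, trained, answered, failed, duration_s)
RECORDS = [
    CallRecord(_d(2), "finance", True, True, True, 210),
    CallRecord(_d(4), "finance", False, True, True, 180),
    CallRecord(_d(5), "engineering", True, True, False, 45),
    CallRecord(_d(6), "sales", False, False, False, 0),
    CallRecord(_d(12), "sales", False, True, True, 150),
    CallRecord(_d(15), "engineering", True, True, False, 60),
    CallRecord(_d(20), "finance", True, True, False, 90),
    CallRecord(_d(28), "sales", True, False, False, 0),
    CallRecord(_d(40), "engineering", False, True, False, 200),
    CallRecord(_d(55), "finance", False, True, True, 240),
    CallRecord(_d(70), "sales", True, True, False, 30),
    CallRecord(_d(85), "engineering", False, True, True, 120),
]


def fail_rate(records):
    """Share of answered calls in which the target acted on the pretext.
    Unanswered calls are excluded: that employee was never actually tested."""
    answered = [r for r in records if r.answered]
    if not answered:
        return None
    return sum(r.failed for r in answered) / len(answered)


def answer_rate(records):
    """Share of all placed calls that were picked up."""
    if not records:
        return None
    return sum(r.answered for r in records) / len(records)


def in_window(records, days, as_of=AS_OF):
    """Records dated within the last `days` days up to and including as_of."""
    cutoff = as_of - timedelta(days=days)
    return [r for r in records if cutoff <= r.day <= as_of]


def windowed_fail_rates(records, windows=(7, 30, 90), as_of=AS_OF):
    """Fail rate per trailing window, the trend line a board deck shows."""
    return {w: fail_rate(in_window(records, w, as_of)) for w in windows}


def fail_rate_by_department(records):
    """Which employee segments still need attention."""
    depts = sorted({r.department for r in records})
    return {d: fail_rate([r for r in records if r.department == d]) for d in depts}


def training_delta(records):
    """(trained rate, untrained rate, untrained minus trained): the measurable
    effect of the awareness program, without any breach-probability assumptions."""
    trained = fail_rate([r for r in records if r.trained])
    untrained = fail_rate([r for r in records if not r.trained])
    return trained, untrained, untrained - trained


def median_call_duration(records):
    """Median length of answered calls; longer calls mean the pretext held attention."""
    answered = [r.duration_s for r in records if r.answered]
    return median(answered) if answered else None


def flag_above_benchmark(rate, benchmark):
    """True when our fail rate sits above a comparison figure (industry or peer)."""
    return rate is not None and rate > benchmark


if __name__ == "__main__":
    for window, rate in windowed_fail_rates(RECORDS).items():
        print(f"{window:>2}-day fail rate: {rate:.0%}")
    print("answer rate (30d):", f"{answer_rate(in_window(RECORDS, 30)):.0%}")
    print("by department:", {k: f"{v:.0%}" for k, v in fail_rate_by_department(RECORDS).items()})
    t, u, delta = training_delta(RECORDS)
    print(f"trained {t:.0%} vs untrained {u:.0%} (delta {delta:.0%})")
    print("median answered call:", median_call_duration(RECORDS), "s")
    print("above 31% benchmark:", flag_above_benchmark(windowed_fail_rates(RECORDS)[90], 0.31))
```

Each function returns a number rather than a sentence, so the same figures can be dropped into the "Where we stand" and "What changed this quarter" lines of a briefing and re-run next quarter against the same definitions; changing what counts as a fail between quarters is what turns a trend line into an argument.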

Security awareness training will co-exist with technical controls for the foreseeable future, primarily because compliance frameworks require it and boards understand it. But the organizations moving fastest are treating training data not as a compliance output but as a business risk input. Your simulation fail rates are a direct measure of how exposed your organization is to the attack vector that's growing fastest.