As information security becomes a more important topic of interest for corporate boards, CISOs are increasingly asked to step up and brief boards on cyber issues -- which means they need to become better communicators, and have a broader understanding of business needs.
According to a recent survey by Veracode and the New York Stock Exchange, 80 percent of boards discuss cybersecurity at nearly every board meeting.
"It's become a really serious issue," said Chris Wysopal, CTO and CISO at Veracode.
Despite the growing interest in cybersecurity, boards still have a long way to go before they're fully educated about cybersecurity.
According to a June study by Fidelis Security and the Ponemon Institute, 26 percent of board members admit to "minimal or no knowledge" about cybersecurity, and only 33 percent say that they are "knowledgeable" or "very knowledgeable."
[ ALSO ON CSO: How CSOs can help CIOs talk security to the board ]
This lack of education is combined with an over-inflated view of their company's security -- 70 percent of board members said that they understand the security risks to the organization, but only 43 percent of IT security professionals agreed that the board understood the security risks to the organization..
Only 18 percent of IT security professionals rated their companies' cybersecurity governance practices as very effective -- compared to 59 percent of board members.
This is a difficult communications gap that needs to be addressed on both the board level and by CISOs themselves.
But that doesn't mean that boards want to hear about all the technical details of the latest security technologies.
"Boards want the CISO to give them risk metrics and peer benchmarking," Wysopal said. "They want to know how they're doing related to like companies. Those are all good things that are going to help boards understand the true risk of cybersecurity."
Instead of focusing on vulnerabilities, or tools deployed, CISOs should focus on easy-to-understand metrics that show how effective the company is at managing security, said Matt Alderman, vice president of strategy at Tenable Network Security.
"This requires top line metrics associated with impacts to the business," he said. For example, that could be the amount of money lost due to security failures.
Operational metrics could also be useful, he said, such as reducing the potential attack surface.
"My job is to facilitate the awareness of risk and be in a position of educating my leadership about what risk they are willing to accept," said Paul Calatayud, CISO at Surescripts.
Surescripts processed 6.5 billion transactions last year for 98 percent of U.S. pharmacies, so the worst-case cyberrisk scenarios are pretty bad.
Despite that, Calatayud said he doesn't pitch new security projects to the board based on improving security, but based on increasing business value.
Paul Calatayud, CISO at Surescripts
For example, medical fraud has an impact on the company's brand and reputation, so Calatayud started out by getting the marketing department to understand the net benefit of that particular project.