I’ve spent over two decades in cybersecurity.
Alongside CISOs.
Advising boards.
Sitting in incident rooms.
And leading as a CISO myself.
And in all that time, the same feedback follows this profession everywhere.
“Too technical.”
“Speak business language.”
“The board won’t understand that.”
I’ve heard it so often it has become background noise.
And I want to challenge it.
Not reject it.
Challenge it.
And this isn’t just my view.
In mentoring conversations with CISOs
and those aspiring to step into the role,
this comes up again and again.
Different organisations.
Different industries.
Same tension.
Yes, a CISO needs to communicate in a way that lands.
That’s not the argument.
The argument is this:
Cybersecurity problems are technical.
Not exclusively.
But fundamentally.
And when we keep asking CISOs to simplify everything, something important gets lost.
Not intentionally.
Not through lack of integrity.
But because there is only so much truth that survives translation.
Severity gets softened.
Complexity gets smoothed.
The uncomfortable becomes comfortable.
And the board hears a version of the risk.
Not the risk itself.
That’s not a CISO problem.
It’s a system problem.
And we need to call it that.
There is a second issue.
We place the entire burden of translation on the CISO.
The assumption is that executives and boards are the fixed point.
The CISO must always move toward them.
But when did we stop asking it to work both ways?
Boards and executives have a responsibility too.
Not to understand every technical detail.
But to develop a meaningful understanding of cyber risk.
What it is.
What it means for the business.
What questions to ask.
What answers should concern them.
Because if that understanding only exists on one side of the table,
the conversation will always stay surface level.
No matter how well the CISO translates.
And here is the moment that exposes everything.
Not the boardroom presentation.
Not the quarterly report.
The incident room at 2am.
When something has gone wrong.
When decisions need to be made with incomplete information.
When there is no time.
That’s when technical depth matters.
A CISO who has moved too far from the technical reality
of what they are protecting
will struggle in that moment.
Not in the slides.
In the crisis.
The CISO’s role was never just translation.
It is to defend the organisation.
Sometimes that means speaking the language of the boardroom.
Sometimes it means saying something
that cannot be simplified.
Sometimes it means holding the technical truth even when the room isn’t ready for it.
Because a CISO who only tells people
what they can comfortably hear
is not defending the organisation.
They are narrating it.
And narration doesn’t prevent breaches or manage the cyber crisis.
Leadership does.
Maybe business should evolve some. Sure.
But maybe cybersecurity has a lot more evolving left to do than it wants to admit.
That possibility deserves air.
Apr 21