Volume 332, Issue 4 · IT News · Security

How Board Members Think About Cyber Risk And What CISOs Should Tell Them

Help Net Security, Wednesday, November 26th, 2025

In this Help Net Security video, Jonathan Trull, EVP & CISO at Qualys, discusses which cybersecurity metrics matter most to a board of directors. Drawing on more than two decades in the field, he explains how boards think about their duty to oversee risk and how CISOs can present information in a way that supports that duty.

Jonathan outlines why boards want to understand risk appetite, how loss scenarios shape those discussions, and why no single metric can answer every question. He describes how signals from identity systems, infrastructure, cloud resources, and application security tools can be brought together to form a risk index for the organization. He then explains how to translate that index into meaningful probabilities board members can use to judge business impact.