How to ensure cybersecurity strategies align with the company’s risk tolerance
- by nlqip
On the other hand, risk tolerance needs to be a guided discussion around a particular objective or a risk scenario, where a CISO can develop a hypothesis. “If you can be explicit, if you can describe it well, then you can really have a good conversation to get everyone on the same page as to what that risk is and what you need to do about it.”
The recommendation is for CISOs to consider the potential organizational ramifications and wider public outrage of an incident and avoid trying to get board members to give guidance on the technical detail. “Unless they are a technical board member, they’re looking to us as CISOs to really understand and control that,” says Goerlich.
The risk conversation
To lead the risk conversation and work towards alignment, CISOs need to quantify cyber risk and develop mature risk reporting practices, according to Mary Carmichael, director of strategy, risk, and compliance advisory at Momentum Technology. Carmichael, who, as a member of ISACA’s CRISC certification committee, is at the forefront of developing risk frameworks, says using data from industry sources like the IBM Cost of a Data Breach report helps in understanding the probability and potential impact of cyber risks. “This is crucial for sectors like healthcare and education, which are often under-invested in cybersecurity.”