Daniel J Glover

Communicating Crisis to the Board


This is Part 6 of a 7-part series on Cyber Resilience for CISOs. Read the previous parts on resilience thinking, threats, zero trust, supply chain, and incident response for context.


A major security incident is a leadership moment. How the CISO communicates during crisis - to the board, executives, and stakeholders - can define their career and their organisation's trajectory.

This is not about spin or managing perceptions. It is about providing the information leaders need to make decisions, building confidence through competence, and turning a crisis into an opportunity to demonstrate preparedness.

As I discussed in The Modern CISO as Business Partner, security leaders must increasingly operate at the executive level. Nowhere is this more apparent than during incident communication.

What Boards Actually Need

During a security incident, board members have specific concerns. Understanding these helps you provide the right information.

Business Impact

Directors think in business terms. They want to understand:

  • What operations are affected?
  • What is the financial exposure?
  • Are customers, partners, or data at risk?
  • What are the regulatory and legal implications?
  • How does this affect the organisation's reputation?

Lead with impact, not technical details. "Our payment processing systems are offline, affecting 2,000 transactions per hour" communicates more than "We have detected lateral movement from the compromised endpoint."

Response Status

Boards want to know the situation is under control:

  • Who is managing the response?
  • What actions have been taken?
  • What is the current containment status?
  • What external resources are engaged?
  • What is the timeline for resolution?

Demonstrate that competent people are executing a clear plan. Uncertainty about response is more alarming than uncertainty about the attack itself.

Decision Requirements

Some decisions may require board involvement:

  • Should we pay a ransom?
  • Should we disclose publicly before required?
  • Should we shut down operations that appear unaffected?
  • Do we need to notify regulators ahead of legal requirements?

Prepare these decisions clearly. Present options with implications. Make recommendations but respect governance boundaries.

Forward Looking

Even during crisis, boards think about the future:

  • How do we prevent recurrence?
  • What systemic issues does this reveal?
  • What investments are needed?
  • How should we communicate externally?

Be prepared to address these questions, even if detailed answers wait until after the incident.

Communication Principles

Certain principles apply regardless of incident severity.

Lead with What You Know

Avoid the temptation to speculate or provide false precision. During active incidents, information is incomplete. Acknowledge uncertainty while conveying what is confirmed.

Effective: "We have confirmed that attackers accessed the customer database. We are still determining which records were affected, but we have contained the access point."

Ineffective: "We think maybe some customer data might have been taken, but we're not really sure."

The first acknowledges uncertainty while demonstrating progress. The second inspires no confidence.

Be Proactive

Do not wait for the board to ask. Establish regular update cadences - perhaps hourly during acute crisis, then daily as the situation stabilises. Let stakeholders know when to expect updates.

Proactive communication builds confidence. Reactive communication suggests you are overwhelmed.

Separate Fact from Assessment

Clearly distinguish between confirmed facts, preliminary analysis, and speculation:

Facts: "Attackers gained access on 15 December through a compromised vendor account."

Assessment: "Based on current evidence, we believe they were present for approximately five days before detection."

Speculation: "It appears they may have exfiltrated data, but we have not confirmed this."

Board members can handle uncertainty. What they cannot handle is discovering that information presented as fact was actually speculation.

Provide Context

A breach affecting 10,000 records means different things depending on context. Help the board understand relative significance:

  • How does this compare to typical incidents in your industry?
  • Is this within or beyond what your security programme was designed to handle?
  • How does your response compare to best practice?

Context prevents both under-reaction and over-reaction.

Own the Narrative

If information will eventually become public - through regulatory disclosure, media coverage, or attacker publication - it is better for the board to hear it from you first.

Do not let the board be surprised by external coverage. Brief them on what is likely to become known and when.

Structuring Crisis Updates

A consistent format helps board members process information during stressful situations.

Executive Summary

Begin with a three- to four-sentence summary:

  • What happened (current understanding)
  • Current status (contained, investigating, recovering)
  • Business impact (what operations are affected)
  • Key actions (what is being done)

Board members should understand the situation in 30 seconds.

Situation Overview

Provide more detail on:

  • Timeline of events
  • Attack vector (if known)
  • Scope of compromise
  • Data and systems affected

Use clear language. Avoid jargon. If technical terms are necessary, explain them.

Response Actions

Document:

  • Containment measures taken
  • External resources engaged
  • Investigation status
  • Recovery progress

Show that response is methodical and competent.

Business Impact Assessment

Quantify where possible:

  • Operational disruption (systems down, transactions affected)
  • Financial impact (costs incurred, revenue affected)
  • Customer impact (data exposed, service disruption)
  • Regulatory exposure (notification requirements, potential penalties)

Even preliminary estimates help leaders understand magnitude.

Decisions and Recommendations

If board input is needed:

  • Present the decision clearly
  • Outline options with pros and cons
  • Make a recommendation
  • Identify time constraints

Respect that directors may not have deep security expertise. Frame decisions in terms they can evaluate.

Forward Look

Conclude with:

  • Next steps in response
  • When the next update will be provided
  • What is needed from leadership

Leave the board knowing what comes next.

Common Communication Mistakes

Avoid these patterns that undermine confidence.

Technical Jargon

"We detected C2 beaconing from a compromised endpoint, suggesting APT activity with potential for lateral movement across our domain-joined infrastructure."

This means nothing to most board members. Translate:

"Attackers have established remote control over one of our computers and may be able to move to other systems. We are isolating affected areas."

Excessive Reassurance

"Everything is under control, there's nothing to worry about, we've got this handled."

This rings hollow during active incidents. If everything were fine, you would not be briefing the board. Acknowledge the seriousness while demonstrating competent response.

Blame Shifting

"This happened because the vendor failed to patch their system."

Even if true, blame shifting suggests deflection rather than ownership. Focus on what you are doing, not who is at fault. Blame analysis belongs in the post-incident review.

Defensive Posture

"We did everything we could have done. No security programme can prevent all attacks."

True but unhelpful during crisis. Defensiveness suggests insecurity about your performance. Demonstrate competence through action, not explanation.

Information Dumping

Presenting every technical detail overwhelms rather than informs. Curate information for the audience. Technical details belong in supporting documentation for those who want depth.

Building Pre-Incident Relationships

Crisis communication is easier when you have established relationships and credibility before the crisis.

Regular Board Engagement

CISOs who only appear before the board during incidents start from a disadvantage. Regular reporting on security posture, risk trends, and programme progress builds familiarity and trust.

As explored in The Modern CISO as Business Partner, effective security leaders engage at the board level routinely, not just reactively.

Scenario Discussions

Discussing hypothetical scenarios during calm periods prepares both you and the board for crisis:

  • "If we experienced a ransomware attack affecting core systems, here is how we would respond..."
  • "Our most significant third-party dependency is X. If they were compromised, our exposure would be..."

When crisis comes, the conversation is not starting from scratch.

Relationship with Directors

Know your board members. Understand their backgrounds, concerns, and communication preferences. Some want detail; others want only headline information. Some have technical background; others are purely business-focused.

Relationships built before crisis create trust that supports you during crisis.

Special Situations

Certain scenarios require adapted communication approaches.

Ransomware with Payment Decision

If payment is being considered, the board may need to be involved in that decision. Present:

  • The ransom demand and what it includes
  • The status of backup restoration alternatives
  • Legal and sanctions considerations
  • Insurance coverage and implications
  • Recommendation with reasoning

This is a business decision with legal, ethical, and practical dimensions. Respect governance while providing the information needed.

Regulatory Notification

When regulatory disclosure is required, communicate:

  • What notifications are required and to whom
  • What timelines apply
  • What information must be disclosed
  • Potential regulatory response

The board may need to approve notification content or timing.

Public Disclosure

If external disclosure is necessary or advisable:

  • Recommended messaging and timing
  • Who should deliver the message
  • Expected media and stakeholder response
  • Preparation for follow-up questions

External communication often requires CEO or board chair involvement. Prepare them adequately.

Ongoing Uncertainty

Some incidents take weeks or months to fully understand. Communicating during extended uncertainty requires:

  • Regular updates even when little has changed
  • Clear explanation of why investigation takes time
  • Interim measures to protect the organisation
  • Managing expectations about timeline

Silence breeds anxiety. Communicate even when you have little new to report.

Quick Reference: Crisis Communication Checklist

Use this checklist when preparing board communications during incidents:

Before the Briefing:

  • [ ] Confirmed facts distinguished from assessment
  • [ ] Technical jargon eliminated or explained
  • [ ] Business impact quantified where possible
  • [ ] Timeline of events documented
  • [ ] Response actions summarised
  • [ ] Decisions requiring board input identified
  • [ ] Next steps and update schedule planned

During the Briefing:

  • [ ] Lead with executive summary (30 seconds)
  • [ ] Present information in structured format
  • [ ] Acknowledge uncertainty without undermining confidence
  • [ ] Make clear recommendations
  • [ ] Provide context for significance
  • [ ] Allow questions and address concerns

After the Briefing:

  • [ ] Document decisions made
  • [ ] Clarify any follow-up required
  • [ ] Confirm next update timing
  • [ ] Distribute supporting materials as appropriate

The Leadership Opportunity

Crisis reveals character. How you perform under pressure - your composure, competence, and communication - shapes how the board perceives you long after the incident concludes.

CISOs who communicate effectively during crisis often emerge with enhanced credibility. They have demonstrated that they can handle the moments that matter most.

This is not about performing confidence you do not feel. It is about genuine preparation that creates genuine capability. When you have tested your response, know your board, and have practised communication, confidence follows naturally.

What Comes Next

We have covered why resilience matters, what threats you face, how to architect for resilience, how to manage third-party risk, how to respond to incidents, and how to communicate during crisis.

Part 7 synthesises everything into a practical roadmap for 2026. It is the action plan you can take into the new year.


Strengthening Executive Communication

Building effective board communication requires developing new skills and establishing relationships before crisis strikes. My IT management services help security leaders develop executive communication capabilities, prepare for board presentations, and build the relationships that support effective crisis response.

Get in touch to discuss how to strengthen your executive communication.


Previous: Part 5 - The Incident Response Reality Check

Next: Part 7 - The CISO's Resilience Roadmap


Daniel J Glover

IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.
