Frameworks for Security Leaders

You Never Get Money from the Board

Assaf Keren | May 27, 2026 | 7 min read

A peer CISO sent me his board deck last year and asked for feedback. The third slide had a chart of competitor breaches. The fifth slide had an industry benchmark for security spend as a percentage of revenue. The seventh slide showed his current spend below the benchmark. The eighth slide had the ask. Two and a half million more dollars, with a paragraph of justification.

I told him the deck would not get him the two and a half million. He pushed back. I told him the deck would not have gotten him fifty thousand. The slides did not just fail to make the case. They were aimed at the wrong room.

This is one of the most expensive mistakes senior security leaders make. It looks like preparation and reads like rigor and it almost never works.

The Board Is Not the Funding Mechanism

Here is the thing nobody tells a first-time CISO before their first board appearance.

The board does not allocate operating budget. The board ratifies a plan that the CEO and CFO have already built. The CEO sets the operating envelope. The CFO holds the pen. Your budget conversation happened weeks before the board ever saw your slide, and if you have not won it in those rooms, no chart of breaches will move a director.

Boards do many things. They hire and fire the CEO. They set the strategic direction. They calibrate risk appetite. They oversee fiduciary discipline. They do not write checks to your function. They are not your funding source. They are not even your funding influencer in the way most CISOs think they are.

If your operating budget is set inside the company, then the rooms that matter are the ones where the operating budget gets set. That is your CFO's annual planning cycle. That is your CEO's portfolio review. That is the bilateral with finance the week before the board sees anything. The board appearance is downstream of all of that.

The Other Delusion

There is a second version of the same error that is even harder to break.

Some CISOs believe that if they cannot get the CEO and CFO to take security seriously, the board will. They construct the board appearance as an escalation. The pitch is implicit. Look at what your senior management is failing to fund. Make them.

This is the delusion that ends careers.

Boards do not enforce operational priorities on management. That is not their lever. A board that takes a CISO's escalation at face value and starts pressing the CEO has just signaled that the CISO cannot work with the CEO. The CEO finds out within forty-eight hours. The board finds out within ninety days that they backed the wrong horse. You will not be there to see it.

The board is the room above your CEO, not the room behind your CEO. If you are using the board to win an argument with your CEO, you have already lost it.

What the Board Is Actually For

Once you accept what the board is not for, the question becomes what it is for. Three things.

The board is for risk articulation. Your job in front of directors is to make the risk picture real. Not the threat list. Not the breach list. The risk picture. What could happen, what would it cost, what are we doing about it, what residual are we accepting and why. Directors have fiduciary obligations they cannot discharge without you. Your value to them is making those obligations concrete enough that they can do their job. If your board slide is a heat map with no quantification, you are not making their job easier. You are making it look like security is a vibe.

The board is for trust calibration. Every appearance you make in front of the board is the audit committee chair quietly asking themselves whether they would back you in a crisis. That is the actual measurement. Not whether your deck is polished. Not whether your KPIs are green. Whether, when the bad thing happens at 3am six months from now, the chair will pick up the phone with the assumption that you have it handled. That trust is built one board meeting at a time, and it is built by the substance, not the showmanship.

The board is for governance frame-setting. The risk appetite the board sets in your presence becomes the frame the CEO and CFO will reference for the next six to twelve months. You do not control what they say. You shape what is in the room when they say it. A CISO who treats the board appearance as the chance to anchor the company's articulated risk appetite, with the directors as the voice of legitimacy, is doing the actual political work of the role. That work compounds. Budget conversations get easier later because the frame is already set. You are not pitching for money. You are populating an envelope the board already endorsed.

What This Changes About Showing Up

Once you stop walking into the board room with a budget pitch in your back pocket, your preparation changes.

The slides change. The breach chart and the spend benchmark come out. The risk picture comes in. The narrative of what we are taking seriously and what we are accepting comes in. The quantification, even rough, comes in. The places where you are uncertain come in, because directors who can smell evasion will not extend trust to a CISO who pretends not to be uncertain.

The questions you answer change. You stop preparing for "why do you need more money" and start preparing for "what is your honest read of the risk and your honest read of how we are doing." The latter is a much harder question, and it is the one that is actually being asked.

The relationships change. Your work between board meetings is not preparing the next deck. It is sitting with the audit committee chair, with the lead independent director, with the directors who own the risk lens. Coffee. A quarterly check-in. Five minutes after a meeting. The trust calibration that the formal session reflects has to be earned in the gaps between formal sessions.

Your peers in the room change too. The CFO is your closest ally in the boardroom, not your competitor for attention. The general counsel is your second closest. You are running parallel functions with overlapping risk languages. The CISO who shows up to the board having coordinated risk framing with the CFO and GC walks in three times stronger than the one who shows up solo with a pitch.

The Aphorism

A senior CISO mentor told me this years ago and I have never forgotten it. You never get money from the board.

It sounds like cynicism. It is not. It is the cleanest one-line correction to the most common career-limiting move a CISO can make. The day you stop walking into the board room hoping the directors will fix your budget is the day you start using the board for what the board is actually for.

The directors will give you something. They will give you legitimacy. They will give you a calibrated risk appetite. They will give you trust that compounds over years and follows you to your next role. They will give you, eventually, a seat on a board of your own.

They will never give you a check.

Spend your political capital where the checks are written.
