In this episode of Threat Vector, host David Moulton speaks with Abby Adlerman, CEO of Boardspan, about how boards approach cybersecurity oversight. Drawing on decades of experience advising Fortune 100 companies and non-profits, Abby shares the OARS framework—Oversight, Accountability, Risk, and Strategy—as a practical guide for engaging boards on cyber risk. She explains how CISOs can balance detail with clarity, meet board members where they are, and frame cybersecurity as a strategic business enabler rather than a cost center. Listeners will learn how to prepare for meaningful board discussions, avoid common pitfalls, and strengthen business resilience through governance, storytelling, and crisis preparedness.
Protect yourself from the evolving threat landscape – more episodes of Threat Vector are a click away
Transcript
David Moulton: Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42.
Abby Adlerman: How do I make sure my board's paying attention? How do I support my CEO in making sure that the board's paying attention? But how do I not overdramatize it? How do I give them the assurances, the confidence that we're on it but, at the same time, not being afraid to ask for help? Today I'm speaking with Abby Adlerman, CEO and founder of Boardspan. With a background that spans Wall Street, executive search, board governance, and entrepreneurial leadership, Abby has advised hundreds of corporate and nonprofit boards, from Fortune 100 giants to mission-driven early stage ventures. Today we're going to talk about how boards are evolving to meet modern cybersecurity challenges and how cybersecurity leaders can structure their communication and collaboration to align with the board's strategic priorities. We'll explore the OARS framework and how it helps leaders and board members row in the same direction. Why is that important? Because cybersecurity is no longer just a technical concern. It's a board-level issue that impacts business resilience, brand reputation, and regulatory exposure. And, yet, many CISOs still struggle with how to effectively inform and engage the board. Abby is here to help us bridge that gap. Abby, welcome to Threat Vector. I've been looking forward to this conversation for months, and I'm so glad that you're here today. Thanks. I'm glad also, David.
David Moulton: You've LED Boardspan for, what, over a decade. And, in that time, you've worked with hundreds of boards. And I recently saw you share some insights on LinkedIn about how boardroom expectations around cybersecurity are evolving. Can you talk about how the tone and the urgency around cyber risk have shifted maybe in the last few years, and what you think is driving that specific change?
Abby Adlerman: One of the things that we are commonly saying at Boardspan is the work of the board is hard and getting harder. And that's, frankly, the reason I started the company. And how do we see that? What's contributing to that are the same things, really, that you're talking about in the cyber area, which is the world's much more complex. It's -- we do business globally. We are much more reliant on technology. A lot of our actions and reactions are data-driven. And you and I both agree that it's not the data; it's the insights that come from the data. So it's just everything is moving at such a breakneck pace. People are throwing out Moore's law already, and that's what's making it so complicated. And it's a hard world for boards to keep pace with. But they don't have a choice. If you want to be on a board, you have to keep pace.
David Moulton: Today, we're going to be talking about how cybersecurity fits into boardroom conversations and why it matters, how it's changing, and how leaders can communicate more effectively. So, Abby, let's start with the OARS framework. You shared this idea with me during our prep call, and I actually thought it was really clever and easy to remember. Can you walk us through what each component means and then how you use that to structure your board-level conversations around cyber risk, that O-A-R-S.
Abby Adlerman: Absolutely. And it is -- it is one of my favorite things to talk about because we do try to simplify it, just to help give boards a bit of a grounding in how to think about their role and responsibility. So, as you mentioned, the acronym is O-A-R-S. Stands for oversight, accountability, risk, and strategy. Those are the four cornerstones of good board -- effective board performance and effective board governance. So, in this conversation, David, risk is the obvious place to start. And, although the work of risk has to be done in conjunction with all the other three cornerstones of good governance, I just want to be clear. It's not the board's job to manage the risks, cyber or otherwise. It's the board's job to provide that oversight and ultimately be accountable and think about how it affects the strategy. So that's how all the pieces of OARS come together. When it comes to risk in particular, we encourage boards to think about, first, the likelihood of a risk happening; second, the business impact of that risk; and, third, what are the mitigation plans that management has in place. So that's the oversight aspect. Again, the board doesn't mitigate the risk. They provide the oversight.
David Moulton: And how does that framework help CISOs when they're preparing maybe the messaging and how they're going to align what they're going to talk about with boards' expectations.
Abby Adlerman: Yeah. So the conversation with the CISO and the board is we can go in a lot of directions on that topic. I want to first start off by saying that the best way to use a board most often is as thought partners, allowing them to ask the hard questions, challenge your thinking, satisfy themselves that -- that you've really thought through all the possibilities and can figure out what are the more likely and the higher impact ones and what are ones that are, you know, maybe as -- as a CISO or somebody on your team, people are thinking about but are going to have less of a -- of an impact on the organization and maybe don't even need to be discussed at the board level. They're just confident they're being taken care of. You don't want to draw the board into the weeds is sort of the point I'm trying to make on that. But, you know, in terms of the conversation that a CISO does want to have with their board, it really is about finding that balance. You don't want the board to have their head too far in the clouds and not care about it and say, Not my problem, because ultimately it could be; nor do you want them coming in and checking every line of code you've written.
David Moulton: I was just on a conversation with another CISO, and he was talking about trying to find the right story to tell and the right level. And, you know, if you're at the firewall rules, too deep. But, if you're, you know, telling a story and you're using too much humor, maybe that's not serious enough. And so it sounds like this framework, while not necessarily the way he described it and the way that you're talking about approaching things, actually really works well to give that -- that thinking partner -- I actually really like that, by the way. As you said that, I was like, that is a -- that is a crafty way of thinking about this really smart group of invested people but to come back and help them understand what risks you're accepting, what risks you're not accepting; and then, if you're not accepting it, what are the controls that you have confidence in that you're going to be able to deploy against those risks that you don't accept. Are boards asking about the actual cyber risk posture? You know, from your experience, is that something that they're -- they're talking to CISOs about? Or is that not quite the right language to go into a board conversation?
Abby Adlerman: Yes. So many are. And -- and, candidly, it's going to vary a lot, both by industry as well as board member expertise. So, when I say by industry, you know, think about are the core assets digital and the impact of a hack potentially being existential to our business. Those -- those board members and that CISO are going to think about it a little bit differently than a physical products company. I mean, you know, obviously no one wants a breach of any sort. For a physical products company, it can be painful, embarrassing; but it might not put them out of business, whereas for other types of businesses, particularly those that are, you know, in software and data gathering, etc., you know, they -- if you're putting your customers and your business partners at extreme risk, that can be really devastating. So it does -- that's when I say depends upon the industry and the business you're in. As far as the directors themselves, look. Some may be super sophisticated about cybersecurity and really understand it because they used to work at a cybersecurity company, or they've gone and done their own deep education around it. Others are going to take their insights from you as the CISO, from their fellow board members, or what they're reading. And so they're not at the same level of savvy. And figuring that out is so important to success. So I think of storytelling as another way to think about it is case studies, giving some examples. And my first piece of advice around that is to make it relevant. If you do tell a story or use some case study that just isn't part of something that's realistically going to happen to our company, then you're kind of signaling you can tune out and go check your Facebook during this part of the meeting. And you don't want to signal that. You want to keep them engaged by keeping it real. The second thing is to meet the board members where they are, which is something we talk about all the time at Boardspan. And that means doing your homework about your board in terms of their level of sophistication and how much they're likely going to want to engage in their comfort in engaging in this sort of daunting topic of cybersecurity. Some may really surprise you and be super fluent and -- and, you know, sort of want to ask some fair but tough questions. Others may need just the core basics explained to them. It's not uncommon because of how boards are built that you'll find that you've got a couple of cohorts, different people that can talk at different levels of savvy about these issues. And, if that happens, my advice is go to your CEO in advance and talk a little bit about that and offer, hey. Maybe we have an optional pre-meeting or post-meeting session for those board members who want to go deeper or those board members who need the education. And, as a CISO, that gives you a chance to work with a smaller group of board members. Again, meet them where they are is my advice.
David Moulton: Abby, you've mentioned that you've worked with a lot of CEOs. And you said, you know, in some of those situations where you've got two cohorts within your board, those that are maybe a little bit more technically savvy and maybe those that need some education, you might work with the CEO ahead of time to get that education or that follow-up. Are there other roles that the CEO can play in helping support those conversations at that board level?
Abby Adlerman: Yeah, yeah. Absolutely. And the CEO most of the time will have a high-level of influence on setting the agenda for the board meeting, and so they can make space for this conversation. And they can also, if they feel like it doesn't need board attention or have some concerns about bringing the board too far in the weeds, they might, you know, sort of put some blockers up around it. So knowing where your CEO is and how much he or she thinks the board needs to know about it is the great place to start. One reason that -- that these topics can get on the agenda is going back to the cornerstone issues I raised in the beginning are oversight. And so the CEO knows that the board has that oversight responsibility and wants to help them fulfill it because, ultimately, both management and the board are accountable. And so helping -- helping find that right tone is really important and being a thought partner. And I would encourage the CISA to be a little empathetic to their CEO as to, you know, what is the right level to bring the board in. So be careful what you ask for. If you want an opinion, you're probably going to get it. The one thing I'll say about -- about sort of collaborating with your CEO to figure out what's the right level of discussion with the board is to not take it personally if the CEO doesn't get you on the agenda because it doesn't mean what you do isn't important. It might mean that there's something else that is a higher priority, or the CEO feels like we're over-concerning the board. And so you really want to be able to have that candid, you know, thought partnership conversation with the CEO as well. Typically, cybersecurity will come up in the boardroom about twice a year. It might even be once. It doesn't usually come up at every board meeting. And, as most people know, board meetings are usually quarterly. So nobody should be offended if cybersecurity is not on the agenda at every board meeting. There's a ton of things that have to get squeezed into that -- that eight-hour meeting. And it's actually a good thing, and it shows a lot of confidence in deference to management if it's not on the agenda all the time. So don't be offended. Take that as a pat on the back in most cases.
David Moulton: Abby, let's switch gears a little bit and talk about accountability. Boards want to know who owns cyber risk. So where does the buck stop?
Abby Adlerman: Well, I'm glad you raised accountability because, just to remind everybody, that was one of the four cornerstones, right?
David Moulton: That's right.
Abby Adlerman: So -- and -- and, you know, I'll be really direct about this. The board's buck has to stop with the board. They cannot pass that off to anybody else. And that means that they have to make sure they've asked all the right questions, that they have received sufficiently comprehensive answers, and that they're satisfied in the judgment that the risks are being appropriately mitigated. They just can't point fingers at somebody else. So they -- they have to, at that level, say we have done our homework; and we understand what can happen and -- and that we're appropriately on top of it. But let's face it. Bad things can happen even with the best cyberdefense plans in place. And that's no one's fault. As long as management was thoughtful and thorough and the board provided that oversight that I just described, that's going to happen. And so the real issue is, if the board falls down on its job or management falls down, that's where you have an accountability problem because somebody didn't do their job well, and that's where oversight comes in. Again, the four cornerstones are all tied to each other, and there's a reason for that.
David Moulton: Yeah. It seems to me like it's the word OARS, but I'm picturing puzzle pieces, right? Like, they're all interlocked with one another. And it doesn't work if you don't have all four. Can you talk about how high-performing boards define and reinforce that accountability that we're talking about?
Abby Adlerman: Yeah. So it has a lot to do with making sure that -- that cybersecurity and related risks do come up with the right cadence. I mentioned earlier that typically it's once or twice a year. If you're not on the agenda at all, then that's a little bit of a concern. Is anybody paying attention? So the accountability should be driven by both sides. And the reason I say that is, if it slips on one, the other is going to remind them. I mean, the truth is, is that boards and management are a collaboration and a partnership; and they have different roles and different responsibilities. However, when things are functioning well, things are really effective, it really is -- the value of that partnership, it sounds trite to say, but 1 plus 1 equals 3. And I'll give you a really specific example. Crisis preparedness is a responsibility of the board. And it's one of those ones that is a little hard for many boards. And I don't fault them for it because crisis preparedness is thinking about what could go wrong, and do we know what we're going to do when that action happens? It's a little different than risk. Risk are known possible things that could go wrong that we are mitigating for in advance and mitigating at the right level. Crisis are the things that could go wrong that we can't mitigate for. And so thinking about if we have -- no matter how well we've mitigated for a cyber risk, there are some things that are going to happen that are out of our control. What would we do? That's what crisis preparedness is. So it's around communications, authority, and accountability. Who's -- who's talking to whom internally? Who has the responsibility to speak externally, whether it's to the press or the shareholders or -- or customers, depending upon who's affected? How often are we going to keep each other updated on what's going on in the middle of a crisis? How do we reach each other quickly? These are all part of a good crisis preparedness plan, even if the best mitigation was in place and it didn't work.
David Moulton: Years ago, I was at IBM. And we were talking about this type of thing, this preparedness, and to bring your board in and to bring in your PR team as part of your practice. And I remember Caleb Barlow at the time sharing this story that, during one of those sessions, they got all the way to the point in the -- in the simulation where you call into the Zoom chat or the Webex chat, whatever it was. And everyone had these laminated cards. And, you know, the playbook was there; but it didn't have the password. So at the very critical moment where you're like, Okay. We have our -- everyone have the card. Everyone has the card. Good, good, good. Let's try this out. And then nothing. It was like, well, that's the end of it. And then, on the back side, they hadn't saved personal phone numbers into each other's phones. So there was this scramble to try to figure out who could talk to who because the simulation said that, you know, internal comms were shut down or compromised. And it was just kind of a, oh, okay. You know, how do we get there? So, before the crisis can even be discussed, you've got to have the password.
Abby Adlerman: I love -- I love that story because it's the simple things that sometimes go wrong. And -- and a lot of times you'll -- you'll hear the wrong person spoke to the press. And they're like, Well, I couldn't reach the chair because they were on vacation. Or I didn't know we weren't supposed to talk about it. That's all part of crisis preparedness, including, you know, what's the password for the -- for the confidential phone line.
David Moulton: Right.
Abby Adlerman: I also like what you just referred to, David, which is tabletop exercises. And a lot of people talk about them. Not as many boards do them, because, again, it's something where you have to say, Okay. We only have eight hours to talk about everything. Are we going to really carve out 45 minutes to do a tabletop? They can be really, really valuable because that's how you can kind of future-proof some of these, you know, little things that you've -- that you forget to think about. And so a tabletop exercise around a realistic crisis in cybersecurity, cyber hacks, that's a realistic potential crisis for any organization. So I would -- as a CISO or somebody who's, you know, sort of paying attention to the cyber issues for your organization, I would encourage the board to do a tabletop exercise once a year around that.
David Moulton: I agree. I think there's so much that comes from doing rather than talking, right, the workshop versus the endless review of your content. And it is interesting to see how you respond under those types of circumstances as well. You know, some folks have a natural cool cucumber factor to them, and you don't get that in the calm conversation. And then some of us are maybe a little bit more -- little bit more panicked. And, again, good to know during that 45-minute exercise than when it's real. And, yeah. I think that -- I think that tabletops are really valuable and maybe underutilized way of bringing together that -- that board capability to be your thinking partner with some context and not just a CISO but particularly in the cyber domain. I think that -- that's a really smart move. So you've heard it here from Abby. Maybe once a year. Try that out. Abby, cyber resilience is -- is absolutely like this strategic issue. How should CISOs and their security teams frame their programs so the boards see them as business enablers rather than as cost centers?
Abby Adlerman: I am so glad you asked that question, David, because, when we get to talk about strategy, kind of everybody lights up; and it's fun. And it's not that risk isn't incredibly important and -- and some of the other sort of cornerstone issues. But strategy is -- is a great way to get people to really lean in. So, if you want to convince your board that security is strategic, make sure you believe it yourself is where I would start off. I'd start by jotting down a few thoughts of your own. You know, why do I see the cyber resilience as strategic or some other aspect of cyber and the work that you're doing because your conviction as a CISO will matter more than anything else. And then I'd go back to that storytelling that we were just talking about. Look around for case studies or examples where cyber might have helped another company make a significant change or perhaps a breakthrough, and see if you can relate that to your own business. Third, I would ask other people for their input. You can ask CISOs at other companies if you've got a peer group that you talk to or people on your own team or even your fellow C suite colleagues. And then, of course, you know, I ask a lot my favorite AI bot for ideas on topics like this. And I did that in anticipation of this conversation, and it actually helped me frame cybersecurity as a strategic imperative because it reminded me of a few things that -- that I would share today, which is cybersecurity can be very closely tied to business continuity and resilience. No board will deny that's important. Cyber is also incredibly intertwined with trust, brand, and reputation, right? It can be integrated into a lot of different strategic initiatives. As you think about new products and new ways to go to market, you need to know that they're secure. Cyber also is closely tied to your ability to quantify your risks and to benchmark those risks and how you're doing. And then -- and, finally, I would just say that it's very much a governance and fiduciary imperative. And no board will deny that they want their governance to be strategic and forward-thinking. So making sure that cyber is -- is sort of baked into good governance is a strategic conversation. Now, I have a huge bias about governance; but that's -- that is my point of view.
David Moulton: Well, I tend to agree with you because I think that things that are poorly governed, if it's a little bit too -- too cowboy, you end up with a moment where it becomes out of control. And there's a lot of finger pointing. And, if you're on the other side of that when something goes wrong as a customer, consumer, whatever it is, you lose that core trust, right. Things go wrong. How did you respond? And, if you respond poorly, that's the end of the relationship. And it goes back to had you managed this well? Did you -- did you have a point of view? So I don't mind the bias. I think that it is one of the areas, and it's part of why I spend my time in cyber, Abby, is that this is an area that strangely feels underserved with people's attention. When we have strung the entire world together on the duct tape and bubble gum of software and networks, and the original sin was that security wasn't baked in, and now we're trying desperately to wrap it around, infuse it where we can, that's a tough job. And -- and I like the idea that you go to your favorite chat bot. I'm curious. Maybe off the mic we'll share who you're talking to. I like to think of them as a thinking partner, the -- them. Did I say them? It?
Abby Adlerman: You know, they're better when you think of them as them, supposedly
David Moulton: Yeah.
Abby Adlerman: They do work better. But I love the point you're making. And I'd like to think -- sorry. I didn't mean to --
David Moulton: No. Go ahead.
Abby Adlerman: The point -- I like to think -- I kind of had a guess that you value the governance aspect, too, or else why would you be spending time talking to me? But it -- actually, your comments remind me of something I learned many, many years ago, my very first job out of school. Little known fact: I was a metallurgical engineer for my undergrad, and I worked at US Steel. You know, like they've been in the news lately. We made steel. And I was in the quality control department, and the single biggest challenge was -- is that you'd make the steel and then check the quality. And that's very expensive. You -- if you had made -- if you checked the quality while you were making the steel, then you would be, you know, doing a much lower rate of disposition, which was part of what the QC group did was just saying, oh, that's no good. Send it to the scrap yard. That's no good, you know. And that was our job, not -- didn't make the production guys all that happy because, you know, they got paid by the piece; and we would send it to the scrap yard. The point is, is, like, the best companies integrate the core tenets of what makes for a successful business or a successful product into the manufacturing process. And so, to your point, cyber fully integrated from day one into the software and the data and anything else that you're making makes so much more sense.
David Moulton: Yeah. Years ago, Roland Cloutier gave me this quote, that -- he was CISO at ADP at the time -- security is an ingredient in quality. And I haven't been able to get that quote out of my mind because I think it is so true. It's not the only ingredient. And maybe we don't need a ton, or maybe we need a little bit more, depending on what we're trying to make. But, if you have no ingredient, no security, there's -- the quality is lower. And I think that governance is one of those manifestations of how you make sure that you're putting a quality ingredient in like security. I am curious. Do you have advice on language that works especially well or language that you would say don't use these phrases when you're talking to those boards about how security is part of a strategic imperative, rather than another cost center? Are there any, like, key phrases that jump out?
Abby Adlerman: Yeah. Well, I would say that being calm is really important. You know, if you're excitable and a little dramatic to try to make your point, that might backfire. So what the board is, frankly, looking for is reassurance. And I'm not suggesting that you go in if you've got an issue and you really need their attention, their advice, their budget, that you should artificially, you know, sort of be too much of a Cool Hand Luke. However, you don't want to be dramatic about things either. So that's one point. The other point I would say is, given how busy the board is, as important as your area is, they are juggling a lot of topics at any given board meeting. I'm a big fan of the TLDR approach, which is, instead of doing the dramatic build-up to what's, you know, the story in your punchline, you can lose people along the way in the boardroom doing that. And you've got 10 or 15 minutes maybe to make your point, maybe 20. That time is going to fly by. So I'm a big fan of telling them right in the beginning, here's the conclusion. I'm asking for budget, or I'm asking for thought partnership or feedback; or I'm asking for you to sign off on this program, whatever it is you're asking for, and here's why. And I just want to put that why, like, double underscore capital letters to tell them why what you're -- why you're using their 15 or 20 minutes is so important. That's going to get their attention. And it will -- you know, we all have our own personal presentation style, and I'm not going to try and micromanage other people, much less try and do something broad-stroked here. But, when I talk to boards -- and I do that a lot, all the time, every week -- I've honed my own style to suit the needs of that board, meeting them where they are -- I said that earlier -- and really saying, Look. This is the results of your assessment. Here's why it's important. Let's dig in and get into a few details in 15 minutes. And then you summarize again, This is what we learned; and this is why it's important. That's what we do at Boardspan, and we find that to be very effective because we're fighting for the same 20 or 30 minutes on the board's agenda that a CISO is or a CHRO is or anybody else. And that's how we try to make best use of their time.
David Moulton: Yeah. I hear you saying that. And there's this mantra that I have of be bold, be brave, be gone when I talk to executives. And I'd rather them have questions and come seek me out than wish that I would shut up. So, when I can remember, I try to use the be bold, be brave, be gone. You've mentioned storytelling a number of times. Do you have advice for CISOs that are trying to land that one powerful message in that really short 10-, 15-minute timeline to tell those good stories?
Abby Adlerman: Yeah. I think the most important thing is to keep it real and keep it relevant. And so telling a story about a company that sounds cool but has nothing to do with us is sort of like, yeah. I could have read that, you know. So it's your own credibility and your own signaling that I understand what's on your mind. I'm a huge believer, and everybody at Boardspan is sort of bought into this, as well, about empathy. We think it's the most powerful tool in communications, regardless of what business you're in. And so, as the CISO -- and this applies for everybody else in the C suite, including the CEO -- is be empathetic to your audience. Understand where they're coming from. Again, that's a little bit about meeting them where they are. But I think telling them a story that helps move them along, super valuable. Telling them a story that is irrelevant, not so much.
David Moulton: Abby, as boards become more diverse and digitally savvy -- and I think I've heard this a number of times, that boards are asking better questions and are more aware of cyber risk. Can you talk about what skills or experiences are most valuable to add to the boardroom to strengthen their ability to provide that cybersecurity oversight?
Abby Adlerman: Apart from the technical understanding of what are these security issues and how do we mitigate them, there's some broader based what we consider board competencies that are super valuable and will not only help a CISO, they'll probably help some of their colleagues, as well, running different parts of the company. The first one is curiosity. You want your board members who will engage with you intellectually. So that's a great competency to look for. A second one is practicality. You know, it's -- it always helps to have a board that understands how to balance both near-term and long-term to understand costs as well as rewards, the pros and the cons. So having a really pragmatic approach is really great in the boardroom. And then the third thing I'd call out is resilience because things can go wrong, particularly in the topic of the area of cybersecurity. And no matter how great a job the CISO has done, you can't get everything right. And what you want is a board that will recognize that and not get rattled too easily. And you want them to be resilient and calm, especially in a storm.
David Moulton: Abby, thanks so much for this conversation today on how cybersecurity fits into boardroom conversations and then articulating, like, why it matters, how it changes, and how leaders can more effectively communicate. I've really appreciated and learned so much.
Abby Adlerman: Well, thanks, David. It was really fun for me too. And I have to say, for anybody who's a naysayer that talking about cybersecurity in governance, you know, is not a great joyful experience, I'm going to -- I'm going to refute that.
David Moulton: Agreed. Maybe we do it the next one over a glass of wine and some pizza.
Abby Adlerman: You're on.
David Moulton: That's it for today. If you like what you've heard, please subscribe wherever you listen; and leave a review on Apple podcast or Spotify. Those reviews and your feedback really do help me understand what you want to hear about. And/or you could reach out to me directly at my email, threatvector@paloaltonetworks, and tell me what you think of the show. I want to thank our executive producer, Michael Heller; our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran; Elliott Peltzman edits the show and mixes our audio. We'll be back next week. Until then, stay secure and stay vigilant. Goodbye for now.
