"A Cyber Security Leader's Journey, Speaking the Language of the Board", by Dr. Edward Marchewka, was a quick and enjoyable read. More importantly, it highlighted the importance of understanding the Governance, Risk Management and Compliance (GRC) context for the work of the CISO. It resonated with my experience as a board member and General Counsel. Questions such as “What does this mean for our bottom line?” and “How does this impact our ability to ship more products?” should be expected and prepared for, with specific answers rather than generalities. This book helps CISOs with that preparation, with practical examples and an honest sharing of what must be the author's experiences repackaged as stories, enabling a mindset shift for the aspiring CISO and an understanding of the importance of understanding your audience, so that questions such as “We need to understand the impact on our business operations. Can you provide a clearer picture?” can be answered with confidence and clarity. The Checklists and Discussion Prompts are GOLD that should be mined by CISOs and their teams. A great book for a workshop or weekend reflection.

- Son-U Michael Paik, an experienced GC and risk management executive, with over twenty-five years designing, building and managing Governance, Risk Management & Compliance (GRC) systems

Dr. Edward Marchewka's "A Cybersecurity Leader's Journey: Speaking the Language of the Board" is a transformative guide for cybersecurity leaders. The book masterfully combines storytelling with practical strategies, following Nick's journey from a technically skilled CISO to a trusted strategic partner. Marchewka's emphasis on understanding the audience, using relatable analogies, and presenting risk in clear, business-relevant terms is both insightful and practical. The book's focus on continuous learning and adaptation, along with its real-world examples, makes it an invaluable resource for anyone looking to improve their communication with executive leadership. Whether you're a seasoned CISO or new to the role, this book offers the tools and insights needed to effectively convey the importance of cybersecurity in a way that resonates with business leaders.

- Gary Craven, P.Ag., FCMC, ITCP, Partner, Paradigm Consulting Group

A Cybersecurity Leader’s Journey trades dry frameworks for a narrative that feels surprisingly relevant for those of us who have ever sat nervously in front of a board. By casting its lessons through the story of Nick, a first-time CISO at a medical-device supplier, the book drives home the reality that most directors don’t care about CVEs and packet captures; they care about keeping products flowing and patients alive. Nick’s early stumbles show how easy it is to lose your audience when you speak in technical jargon. The guidance he receives—tailoring messages to individual board members, translating risks into revenue or patient-safety impacts, and maintaining a calm cadence during crises—is spot-on for healthcare environments where supply-chain disruptions have life-or-death implications. The real value lies in the practical checklists. It offers step-by-step advice on building metrics dashboards, rehearsing board presentations, and scoring risk in ways that make sense to non-technologists. His insistence on understanding information asymmetry and the “what’s in it for me?” mindset helps turn board meetings from dreaded monologues into constructive dialogues. The sections on risk scoring and board preparation provide templates that can be easily adapted to HIPAA or HITRUST reporting regimes. The story does veer toward optimism at times; Nick’s transformation from deer-in-headlights to trusted advisor happens faster than it would in a real-world bureaucracy, and seasoned CISOs might find some concepts familiar.

- Keith Duemling, Chief Information Security Officer

“A Cybersecurity Leader’s Journey: Speaking the Language of the Board” by Edward Marchewka follows the fictional story of Nick, a newly appointed Chief Information Security Officer (CISO), as he learns to shift from technical communications to strategic, business-aligned dialogue with company leadership. Nick’s technical acumen is without question, but providing the board of directors with relevant business information is the challenge. Nick’s initial meeting with MedTech Parts’ board of directors as the new CISO is ineffective in his ability to convey cybersecurity concepts in business terms to which the board members can relate. Author Dr. Marchewka interjects board members with differing perspectives, including the chief financial officer, chief operations officer, medical officer, and chief executive officer. Each of these different corporate roles has specific viewpoints relative to business functions and cybersecurity expectations. At the meeting’s end, Nick recognizes his communication shortcomings and enlists the mentorship of seasoned CISO Kathy to help him. With Kathy’s guidance, Nick successfully bridges the gap between technical details and business priorities through effective communication. He prioritizes clarity over complexity, ensuring that cybersecurity information is understandable for board members. Nick interacts with each board member in one-on-one meetings to better understand their cybersecurity concerns and, most importantly, build their trust in him as the CISO. Based on these meetings, Nick tailors his communications to address the specific concerns of each board member, making his presentations more relevant and impactful. As Nick’s communications with the board improve, he presents an updated cybersecurity strategy, focusing on its business impacts. He highlights how cybersecurity initiatives support business goals, operational continuity, and financial health. He uses specific examples, such as preventing a phishing attack, to demonstrate the effectiveness of their cybersecurity measures. Nick connects cybersecurity investments to cost savings, showing a potential loss of $2 million avoided through proactive measures. Nick improves risk communications by using clear metrics and visual aids to convey complex data. He defines risk metrics in understandable terms and employs visual tools like heat maps and graphs. Combining quantitative data with qualitative assessments provides a comprehensive and relatable view of risks. Highlighting preventive measures taken to mitigate risks reassures the board of the effectiveness of cybersecurity efforts. Nick’s plan for his cybersecurity strategy going forward is a personal commitment to ongoing learning and relationship-building to enhance cybersecurity leadership. He plans to stay updated on cybersecurity trends and engage in professional development opportunities. Continuing regular one-on-one meetings with board members will help address their evolving concerns and maintain trust. And integrating cybersecurity with business strategy positions it as a value driver rather than a cost center.

What sets this book apart is its narrative approach. Rather than delivering dry theory, it humanizes the leadership journey through relatable scenarios: failed board presentations, crisis response, emotional dynamics, and learning through mentorship. These moments are not only engaging but also serve as case studies that illustrate key principles like bridging information asymmetry, managing the affect heuristic, and developing a business-aligned communication style. At the end of each chapter, Dr. Marchewka includes Key Takeaways and Discussion Prompts, which add to the book’s value as a reference.

As I started reading this book, I felt as though Dr. Marchewka attended some of my own early meetings with boards of directors and executive management. Initially, I was as ineffective as Nick and could still see the blank stares as I tried to convey detailed and overly complex technical information. I only wish I had A Cybersecurity Leader’s Journey: Speaking the Language of the Board then. I highly recommend this book for CISOs in their efforts to be more effective communicators.

- Ron Baklarz – C|CISO, CISSP, CISM, CISA, NAS-IAM/IEM (Retired)