Boards need enough cyber detail to judge exposure, understand whether key controls are working, and decide where intervention or investment is required.

Cyber lands better when it is framed around governance, business risk, and investment choices rather than technical complexity.

Jamie Rossato, CISO at Orica Australia, shares a practical view on how security leaders build alignment with boards and executives by connecting cyber outcomes to risk appetite, operational priorities, and the cost of leaving gaps unresolved.

Listen to the full episode on Apple Podcasts, Spotify, and YouTube.


Key takeaways:

  • Effective board engagement depends on clarity, brevity and aligning cyber discussions to fiduciary responsibility and risk appetite.
  • Investment decisions are won at the executive layer, where operational ownership and funding decisions are shaped.
  • A threat-led approach strengthens both security posture and compliance outcomes, making cyber spend easier to justify.


Board engagement demands clarity, not complexity

Communicating with boards requires direct, concise messaging focused on controls, risks and outcomes, not technical detail.

Boards operate under time pressure and broad accountability, so cyber leaders must translate security into governance, risk and fiduciary impact.

Jamie emphasises avoiding overly dense materials, instead focusing on whether controls are effective, aligned to risk appetite, and what actions are in place to address gaps.


Executive alignment is where investment is won

Cyber funding conversations are secured with executive management before reaching the board.

Executives own implementation and operational risk, making them critical partners in shaping, supporting and advocating for cyber investment.

Jamie notes that by demonstrating control effectiveness and value for money, leaders guide executives to recognise unaddressed risks, naturally building the case for further investment.


A threat-led strategy outperforms compliance-first approaches

Focusing on real threats ensures security measures are meaningful, with compliance emerging as a by-product rather than the objective.

Compliance alone can drive checkbox behaviour, whereas threat-led strategies prioritise actual risk reduction and resilience.

Jamie explains that understanding internal and external threats allows organisations to meet regulatory requirements organically, while also making a stronger case for proactive investment, even when threats have not yet materialised.

Cyber leaders create influence not by amplifying risk, but by demonstrating control, value and foresight in a language the business already understands.

Contributors
Jamie Rossato CISO at Orica Australia
Jamie Rossato is Chief Information Security Officer at Orica, bringing more than a decade of CISO experience across manufacturing, research, and enterprise environments. He has led cybersecurity strategy, governance, culture, and operational uplift programs at organisations including CSIRO, Lion, and Orica. Jamie also contributes to the broader security community through board and advisory roles with the Information Security Forum and the Australian Information Security Association, as well as academic work supporting Australia’s Certificate IV in Cybersecurity curriculum.

Gabby Fredkin Head of Analytics & Insights at ADAPT
As the Head of Analytics and Insights at ADAPT, Gabby Fredkin’s primary role is managing analysis to produce ADAPT’s actionable insights to identify trends supporting organisations in Australia.

With a passion for creating stories with data, Gabby is consistently rated as one of the top speakers at ADAPT’s events. In roundtable discussions, he specialises in using statistics to initiate thought-provoking discussions, enabling ADAPT’s customers to become more data-driven.

Using modern data science techniques, he provides ADAPT and its customers with confidence in the accuracy and validity of the information used for ADAPT’s research, advisory and events.

Working across artificial intelligence, machine learning, AI ethics, DevSecOps, end-user behaviour, and human-centred design, Gabby’s vast experience continues to grow, supported in part by a Master of Business Analytics from Deakin University.
