Audit results answer “are we following the rules?” That’s the right question for your auditors, your regulators, your legal team. It is not the question your board uses to allocate capital or evaluate whether your security program is working. When you lead with compliance status, you’re presenting the answer to a question the board wasn’t asking. That gap compounds over time: the CISO who can only speak in frameworks loses credibility with the people who control the budget — and the gap between a compliance-first and a risk-first posture is wider than most teams realize.
The data to have a different conversation is almost certainly already in your hands, but are you using it?
What boards are actually asking
Most board members come into a security briefing carrying three questions, whether or not they articulate them. What’s our financial exposure? Is it getting better or worse? And if something happens, are we covered? These are the same questions they apply to every other significant business risk, and a compliance dashboard doesn’t answer any of them.
A framework attestation tells the board you’ve checked the boxes a particular methodology requires. It doesn’t tell them what an incident would cost, which assets are most exposed, or how your posture maps to what the claims data actually shows about organizations that got hit. That’s the information they need to make decisions. A CISO who can supply it — consistently, in financial terms — earns a different kind of trust than one who reports on control coverage percentages.
Why compliance status and loss exposure track separately
Here’s a pattern I see in Resilience’s claims data that doesn’t get talked about enough: a meaningful share of organizations that experience material losses had clean or near-clean audit postures in the period immediately before the incident. They were compliant, but their compliance status wasn’t a reliable predictor of their actual financial exposure.
The broader research points to the same gap. The IBM X-Force Threat Intelligence Index 2025 found that credential-based attacks accounted for 30% of all intrusions in 2024 — and that attackers are increasingly bypassing MFA through adversary-in-the-middle techniques, meaning the presence of a control on paper doesn’t guarantee it holds under attack conditions. Compliance frameworks are designed to establish minimum standards across a broad population of organizations. They’re necessarily backward-looking, written to address known failure modes, ratified through slow consensus processes, implemented in ways that vary widely from one organization to the next. What they can’t capture is whether your specific configuration of controls, assets, and exposure actually limits loss severity when an incident occurs. That’s an empirical question, and the answer comes from claims data, not audit reports.
This isn’t an argument against compliance. Regulatory requirements matter, and meeting them is non-negotiable. The argument is about what you lead with when you walk into the boardroom.
How to reframe the same data
The reframe doesn’t require new reporting infrastructure, but I’ll be honest about where most teams actually get stuck: translating vulnerability data and control coverage into a credible dollar exposure figure. The underlying data is usually there. The gap is methodological — most security teams don’t have a built-in way to map control gaps to financial impact, which is exactly the problem tools like Edge are designed to solve. That said, the framing shift in the boardroom doesn’t depend on any single platform. It depends on leading with the right question.
Start with exposure, not coverage. Instead of “we’ve patched 94% of critical vulnerabilities,” try: “our unpatched exposure is concentrated in these three asset classes, and here’s what an incident involving any of them would likely cost in business interruption.” The percentage is still there, but now it’s tied to a dollar consequence the board can act on.
The same logic applies to control reporting. Map it to what the claims data shows about how the control actually performs under real conditions. In Resilience’s manufacturing portfolio, MFA misconfiguration — not the absence of MFA — was the single largest point of failure by incurred losses, accounting for approximately 26% of losses compared to 8% for having no MFA at all. Individual results will vary based on sector and organizational context, but the pattern points to the same principle: deployment isn’t the finish line. That kind of data tends to function as a different kind of signal in a board conversation than a deployment percentage alone. “We’ve extended MFA to all privileged accounts and are auditing configuration enforcement” lands differently than “MFA deployment is at 87%.” The underlying fact is identical. The board’s ability to act on it is not.
And trend matters more than status. Compliance reporting is binary — you either pass or you don’t. Financial exposure is a range that moves, and boards are well-equipped to interpret movement. CISA’s guidance on cyber risk oversight for boards specifically calls for presenting cyber risk in financial and operational terms rather than technical metrics — framing that treats security programs the same way boards treat every other significant business risk. If you can show that your expected loss exposure has shifted over the last 12 months, in a direction and by a magnitude they can interpret, you’re having a conversation about whether the program is working.
A structure that works in the room
Open every board briefing with three things: what’s our top financial exposure right now, what are we doing about it, and what would it take to move that number. Put those at the top of the first slide — not buried in an appendix after the framework attestation.
The compliance detail still belongs in the deck. Regulators require it, and boards have fiduciary responsibilities around it. But it belongs in support of the financial exposure story, not as the lead. When your board member’s first question after a 30-minute briefing is about the budget ask, the most likely explanation isn’t that they weren’t paying attention. It’s that the thing they were waiting for — a clear statement of financial stakes — never came.