Reviews
I recently finished reading A Cybersecurity Leader’s Journey: Speaking the Language of the Board by Edward Marchewka, and I have to say, it’s one of the most practical and relatable cybersecurity leadership books I’ve come across.
Nick, the protagonist, is a newly appointed CISO who quickly learns that technical expertise alone won’t win the board’s trust. What resonated most was the book’s central theme: cybersecurity is not just a technical discipline. It’s a business enabler.
Nick’s journey is a masterclass in communication, empathy, and strategic alignment. Through his missteps and mentorship from Kathy (a seasoned CISO), we learn how to bridge the gap between technical jargon and business priorities. The storytelling is engaging, but what makes this book stand out are the actionable frameworks and real-world scenarios that any cybersecurity leader can apply immediately.
One quote that resonated with me:
“You’re not just presenting information—you’re telling a story that connects with your audience on a deeper level.”
This book helped me reflect on how we should communicate risk, value, and strategy, not just to boards, but to peers and stakeholders across the organization. It’s a reminder that trust is built not just through competence, but through clarity, empathy, and relevance.
If you're an auditor trying to understand how cybersecurity should be managed, a CISO or aspiring to be one, or simply want to elevate your cybersecurity leadership game, I highly recommend this read.
Cybersecurity isn’t just about safety: it’s about influence.
-Yves Genest
Senior Executive and Experienced Internal and Performance Auditor
I had the pleasure of reading “A Cybersecurity Leader’s Journey—Speaking the Language of the Board” by Dr. Edward Marchewka. It is definitely on the must-read list for all cybersecurity professionals, including future and current CISOs, who seek to enhance their presence, longevity, and credibility as trusted advisors to the board. The development of the CISO experience through each chapter, relationship building, and commitment from Nick's trusted mentor perpetuates how mentoring and leadership converge. I'm excited for the next volume. Thank you, Dr. Marchewka, for sharing and penning your ideas on paper and giving back to the community.
-Timothy Simmons
Technology & Cybersecurity Executive | GRC, IT-OT & AI Risk Leader
"A Cybersecurity Leader's Journey: Speaking the Language of the Board", by Dr. Edward Marchewka, was a quick and enjoyable read. More importantly, it highlighted the importance of understanding the Governance, Risk Management and Compliance (GRC) context for the work of the CISO. It resonated with my experience as a board member and General Counsel. Questions such as “What does this mean for our bottom line?” and “How does this impact our ability to ship more products?” should be expected and prepared for, with specific answers rather than generalities. This book helps CISOs with that preparation, with practical examples and an honest sharing of what must be the author's experiences repackaged as stories, enabling a mindset shift for the aspiring CISO and an understanding of the importance of understanding your audience, so that questions such as “We need to understand the impact on our business operations. Can you provide a clearer picture?” can be answered with confidence and clarity. The Checklists and Discussion Prompts are GOLD that should be mined by CISOs and their teams. A great book for a workshop or weekend reflection.
-Son-U Michael Paik
An experienced GC and risk management executive, with over twenty-five years designing, building and managing Governance, Risk Management & Compliance (GRC) systems
“A Cybersecurity Leader’s Journey: Speaking the Language of the Board” by Edward Marchewka follows the fictional story of Nick, a newly appointed Chief Information Security Officer (CISO), as he learns to shift from technical communications to strategic, business-aligned dialogue with company leadership. Nick’s technical acumen is without question, but providing the board of directors with relevant business information is the challenge.
Nick’s initial meeting with MedTech Parts’ board of directors as the new CISO is ineffective in his ability to convey cybersecurity concepts in business terms to which the board members can relate. Author Dr. Marchewka interjects board members with differing perspectives, including the chief financial officer, chief operations officer, medical officer, and chief executive officer. Each of these different corporate roles has specific viewpoints relative to business functions and cybersecurity expectations. At the meeting’s end, Nick recognizes his communications shortcomings and enlists the mentorship of seasoned CISO Kathy to help him.
With Kathy’s guidance, Nick successfully bridges the gap between technical details and business priorities through effective communication. He prioritizes clarity over complexity, ensuring that cybersecurity information is understandable for board members. Nick interacts with each board member in one-on-one meetings to better understand their cybersecurity concerns and, most importantly, to build their trust in him as the CISO. Based on these meetings, Nick tailors his communications to address the specific concerns of each board member, making his presentations more relevant and impactful.
As Nick’s communications with the board improve, he presents an updated cybersecurity strategy, focusing on its business impacts. He highlights how cybersecurity initiatives support business goals, operational continuity, and financial health. He uses specific examples, such as preventing a phishing attack and demonstrating the effectiveness of their cybersecurity measures. Nick connects cybersecurity investments to cost savings, showing a potential loss of $2 million avoided through proactive measures.
Nick improves risk communications by using clear metrics and visual aids to convey complex data. He defines risk metrics in understandable terms and employs visual tools like heat maps and graphs. Combining quantitative data with qualitative assessments provides a comprehensive and relatable view of risks. Highlighting preventive measures taken to mitigate risks reassures the board of the effectiveness of cybersecurity efforts.
Nick’s plan for his cybersecurity strategy going forward is a personal commitment to ongoing learning and relationship-building to enhance cybersecurity leadership. He plans to stay updated on cybersecurity trends and engage in professional development opportunities. Continuing regular one-on-one meetings with board members will help address their evolving concerns and maintain trust. And integrating cybersecurity with business strategy positions it as a value driver rather than a cost center.
What sets this book apart is its narrative approach. Rather than delivering dry theory, it humanizes the leadership journey through relatable scenarios: failed board presentations, crisis response, emotional dynamics, and learning through mentorship. These moments are not only engaging but also serve as case studies that illustrate key principles like bridging information asymmetry, managing the affect heuristic, and developing a business-aligned communication style. At the end of each chapter, Dr. Marchewka includes Key Takeaways and Discussion Prompts, which add to the book’s value as a reference.
As I started reading this book, I felt as though Dr. Marchewka attended some of my own early meetings with boards of directors and executive management. Initially, I was as ineffective as Nick and could still see the blank stares as I tried to convey detailed and overly complex technical information. I only wish I had A Cybersecurity Leader’s Journey: Speaking the Language of the Board then. I highly recommend this book for CISOs in their efforts to be more effective communicators.
-Ron Baklarz
C|CISO, CISSP, CISM, CISA, NAS- IAM/IEM (Retired)
I loved your book.
A very complex narrative explained concisely.
It felt like you aimed for creating a classic like "Who Moved My Cheese?" but for a specific industry.
It applies 100% across any technical field.
We get in front of the board and literally speak a different language.
-Joseph DePaola
AI Humanitarian Architect
A Cybersecurity Leader’s Journey trades dry frameworks for a narrative that feels surprisingly relevant for those of us who have ever sat nervously in front of a board. By casting its lessons through the story of Nick, a first-time CISO at a medical‑device supplier, the book drives home the reality that most directors don’t care about CVEs and packet captures; they care about keeping products flowing and patients alive. Nick’s early stumbles show how easy it is to lose your audience when you speak in technical jargon. The guidance he receives—tailoring messages to individual board members, translating risks into revenue or patient‑safety impacts, and maintaining a calm cadence during crises—is spot‑on for healthcare environments where supply‑chain disruptions have life‑or‑death implications.
The real value lies in the practical checklists. It offers step-by-step advice on building metrics dashboards, rehearsing board presentations, and scoring risk in ways that make sense to non-technologists. His insistence on understanding information asymmetry and the “what’s in it for me?” mindset helps turn board meetings from dreaded monologues into constructive dialogues. The sections on risk scoring and board preparation provide templates that can be easily adapted to HIPAA or HITRUST reporting regimes. The story does veer toward optimism at times: Nick’s transformation from deer‑in‑headlights to trusted advisor happens faster than it would in a real-world bureaucracy, and seasoned CISOs might find some concepts familiar.
-Keith Duemling
Chief Information Security Officer
Dr. Edward Marchewka's "A Cybersecurity Leader's Journey: Speaking the Language of the Board" is a transformative guide for cybersecurity leaders. The book masterfully combines storytelling with practical strategies, following Nick's journey from a technically skilled CISO to a trusted strategic partner. Marchewka's emphasis on understanding the audience, using relatable analogies, and presenting risk in clear, business-relevant terms is both insightful and practical. The book's focus on continuous learning and adaptation, along with its real-world examples, makes it an invaluable resource for anyone looking to improve their communication with executive leadership. Whether you're a seasoned CISO or new to the role, this book offers the tools and insights needed to effectively convey the importance of cybersecurity in a way that resonates with business leaders.
-Gary Craven, P.Ag., FCMC, ITCP
Partner, Paradigm Consulting Group