Essay
Technology leaders are often told that boards need simple messages. This is partly true and frequently misunderstood. Boards do not need technology risk reduced to slogans. They need it translated into the language of judgement, consequence, and accountability.
Poor translation creates two equally unhelpful outcomes. In one version, technical teams provide detail without context: acronyms, issue lists, severity labels, and control language that may be accurate but not decision-ready. In the other version, the message is flattened so aggressively that meaningful distinctions disappear. Risk becomes a generic statement that something is “being managed”, which leaves directors informed only in the most superficial sense.
Good translation sits between these extremes. It preserves the technical truth while making the decision implications clear. That means explaining what matters, what is uncertain, what could happen if conditions deteriorate, who owns the issue, and what leadership needs to decide or sponsor next.
This is particularly important in digital trust. Boards are rarely responsible for choosing specific controls, but they are responsible for organisational resilience, oversight, and accountability. They need to understand where trust depends on systems or suppliers the organisation does not fully control, where management confidence may be overstated, and where incidents could trigger reputational or operational consequences faster than the institution can respond.
The best board-facing technology communication usually does four things well. First, it identifies the trust-critical issue in plain language. Second, it explains the mechanism of risk without unnecessary compression. Third, it clarifies consequence in organisational terms: service continuity, communications integrity, regulatory exposure, customer confidence, or strategic credibility. Fourth, it states the decision pathway: what management is doing, what support is needed, and where responsibility sits.
What boards generally do not need is raw volume. More indicators, more dashboard colour, and more issue lists can create the appearance of transparency without actually improving governance. When everything is reported, very little is interpreted. Translation is the discipline that turns information into oversight.
This is one reason the Trust Surface concept is useful for executive reporting. It gives a structure for discussing technology risk in a way that is inherently governance-relevant. Rather than treating domains, email controls, identity, third-party tools, communications dependencies, and public-facing infrastructure as isolated technical topics, it frames them as the systems through which institutional trust is expressed and potentially undermined. That framing helps boards ask better questions.
The point of translation is not to make technical issues feel less serious. It is to make them governable. Boards are most effective when they can see where a technical matter becomes a leadership matter. The job of the translator is to make that boundary visible before the incident does it on their behalf.
References
- AICD — Governing Through a Cyber Crisis — www.aicd.com.au/risk-management/framework/cyber-security/governing-through-a-cyber-crisis.html
- NIST Cybersecurity Framework 2.0 — www.nist.gov/cyberframework
- Bruce Schneier — Data and Goliath