A Cybersecurity Leader's Journey
A Cybersecurity Leader's Journey: Speaking the Language of the Board (Security, Audit and Leadership Series)

International Edition


About the Book

In today’s cybersecurity landscape, the role of a cybersecurity leader goes beyond technical expertise. Communicating cybersecurity risks and initiatives to executives and boards demands a unique blend of strategic insight and business language. A Cybersecurity Leader’s Journey: Speaking the Language of the Board takes readers on a transformative path from technical talk to business-savvy communication.

Follow Nick, a newly appointed CISO, as he navigates the challenges of bridging the gap between complex cybersecurity concepts and the business-focused concerns of board members. Struggling to convey the impact of cybersecurity initiatives, Nick quickly realizes that his technical knowledge alone isn’t enough to gain the board’s trust. With guidance from a mentor, he learns how to address the board’s priorities, answer the critical question of “What’s in it for me?”, and deliver insights that resonate.

This book offers more than just a narrative—it provides actionable takeaways for cybersecurity leaders and other professionals who want to master the art of strategic communication. Readers will discover how to close information asymmetry gaps, manage the affect heuristic, and develop a communication style that builds trust and fosters informed decision-making.

Whether you’re a CISO, an aspiring CISO, or a technical expert aiming to improve your business communication, A Cybersecurity Leader’s Journey equips you with the skills to make cybersecurity not just a necessity but a valued component of business success as well. Step into Nick’s journey, gain insights from his challenges, and learn how to become the trusted advisor your board needs.

Table of Contents:
  • Chapter 1: The First Board Meeting
  • Chapter 2: The Breach
  • Chapter 3: Chat With The CEO
  • Chapter 4: Bridging The Gap
  • Chapter 5: Overcoming Emotions
  • Chapter 6: Trust
  • Chapter 7: Business Language
  • Chapter 8: One-On-One Meetings
  • Chapter 9: Risk
  • Chapter 10: Board Preparations
  • Chapter 11: The Next Board Meeting
  • Chapter 12: Wrap-Up
  • Chapter 13: Epilogue

About the Author:
Edward Marchewka, DBA, MBA, MS, CISSP, CDPSE, PMP, CMQ/OE, LSSMBB

Dr. Edward Marchewka is an industry-recognized executive, having been the 2022 CIO of the Year Finalist and 2015 CISO of the Year nominee, with more than two decades of experience in IT and information security. His background includes experiences from running his own computer support business to field service to Fortune 250 experience with Thermo Fisher Scientific. He ran information security for Chicago Public Schools, the 3rd largest school district in the country. His career started in the US Navy as an Electrician's Mate - Nuclear.

Dr. Marchewka is active in the IT and information security community, having served the Chicago InfraGard Members Alliance for over nine years. He has presented at dozens of events, including Camp IT Conferences, (ISC)2 Security Congress, ISACA, SecureWorld, and Gartner’s Security and Risk Management Summit. He is an advisor for Colorado Technical University College of Security Studies and Prairie State Community College's IT Program.

Dr. Marchewka holds a Doctorate in Business Administration from California Southern University and MBA and MS in Mathematics from Northern Illinois University. He earned a BA in Liberal Studies and a BS in Nuclear Engineering Technologies from Thomas Edison State College, NJ. He holds certificates in Nonprofit Management and Leadership from the Kellogg School of Management at Northwestern University and a certificate in Contract Management from the University of California-Irvine. Dr. Marchewka maintains several active IT, security, and professional certifications from (ISC)2, ASQ, ITIL, PMI, ISACA, SSGI, Microsoft, and CompTIA.

Review:
"A Cyber Security Leader's Journey, Speaking the Language of the Board", by Dr. Edward Marchewka, was a quick and enjoyable read. More importantly, it highlighted the importance of understanding the Governance, Risk Management and Compliance (GRC) context for the work of the CISO. It resonated with my experience as a board member and General Counsel. Questions such as “What does this mean for our bottom line?” and “How does this impact our ability to ship more products?” should be expected and prepared for, with specific answers rather than generalities. This book helps CISOs with that preparation, with practical examples and an honest sharing of what must be the author's experiences repackaged as stories, enabling a mindset shift for the aspiring CISO and an understanding of the importance of understanding your audience, so that questions such as “We need to understand the impact on our business operations. Can you provide a clearer picture?” can be answered with confidence and clarity. The Checklists and Discussion Prompts are GOLD that should be mined by CISOs and their teams. A great book for a workshop or weekend reflection.
- Son-U Michael Paik, an experienced GC and risk management executive, with over twenty-five years designing, building and managing Governance, Risk Management & Compliance (GRC) systems

Dr. Edward Marchewka's "A Cybersecurity Leader's Journey: Speaking the Language of the Board" is a transformative guide for cybersecurity leaders. The book masterfully combines storytelling with practical strategies, following Nick's journey from a technically skilled CISO to a trusted strategic partner. Marchewka's emphasis on understanding the audience, using relatable analogies, and presenting risk in clear, business-relevant terms is both insightful and practical. The book's focus on continuous learning and adaptation, along with its real-world examples, makes it an invaluable resource for anyone looking to improve their communication with executive leadership. Whether you're a seasoned CISO or new to the role, this book offers the tools and insights needed to effectively convey the importance of cybersecurity in a way that resonates with business leaders.
- Gary Craven, P.Ag., FCMC, ITCP, Partner, Paradigm Consulting Group

A Cybersecurity Leader’s Journey trades dry frameworks for a narrative that feels surprisingly relevant for those of us who have ever sat nervously in front of a board. By casting its lessons through the story of Nick, a first-time CISO at a medical-device supplier, the book drives home the reality that most directors don’t care about CVEs and packet captures; they care about keeping products flowing and patients alive. Nick’s early stumbles show how easy it is to lose your audience when you speak in technical jargon. The guidance he receives—tailoring messages to individual board members, translating risks into revenue or patient-safety impacts, and maintaining a calm cadence during crises—is spot-on for healthcare environments where supply-chain disruptions have life-or-death implications. The real value lies in the practical checklists. It offers step-by-step advice on building metrics dashboards, rehearsing board presentations, and scoring risk in ways that make sense to non-technologists. His insistence on understanding information asymmetry and the “what’s in it for me?” mindset helps turn board meetings from dreaded monologues into constructive dialogues. The sections on risk scoring and board preparation provide templates that can be easily adapted to HIPAA or HITRUST reporting regimes. The story does veer toward optimism at times, Nick’s transformation from deer-in-headlights to trusted advisor happens faster than it would in a real-world bureaucracy, and seasoned CISOs might find some concepts familiar.
- Keith Duemling, Chief Information Security Officer

“A Cybersecurity Leader’s Journey: Speaking the Language of the Board” by Edward Marchewka follows the fictional story of Nick, a newly appointed Chief Information Security Officer (CISO), as he learns to shift from technical communications to strategic, business-aligned dialogue with company leadership. Nick’s technical acumen is without question but his providing the board of directors relevant business information is the challenge.

Nick’s initial meeting with MedTech Parts’ board of directors as the new CISO is ineffective in his ability to convey cybersecurity concepts in business terms to which the board members can relate. Author Dr. Marchewka interjects board members with differing perspectives including the chief financial officer, chief operations officer, medical officer, and chief executive officer. Each of these different corporate roles has specific viewpoints relative to business functions and cybersecurity expectations. At the meeting’s end, Nick recognizes his communications shortcomings and enlists the mentorship of seasoned CISO, Kathy, to help him.

With Kathy’s guidance, Nick successfully bridges the gap between technical details and business priorities through effective communication. He prioritizes clarity over complexity, ensuring that cybersecurity information is understandable for board members. Nick interacts with each board member in one-on-one meetings to better understand their cybersecurity concerns and most importantly, build their trust in him as the CISO. Based on these meetings, Nick tailors his communications to address the specific concerns of each board member, making his presentations more relevant and impactful.

As Nick’s communications with the board improve, he presents an updated cybersecurity strategy, focusing on its business impacts. He highlights how cybersecurity initiatives support business goals, operational continuity, and financial health. He uses specific examples, such as preventing a phishing attack, and demonstrating the effectiveness of their cybersecurity measures. Nick connects cybersecurity investments to cost savings, showing a potential loss of $2 million avoided through proactive measures.

Nick improves risk communications by using clear metrics and visual aids to convey complex data. He defines risk metrics in understandable terms and employs visual tools like heat maps and graphs. Combining quantitative data with qualitative assessments provides a comprehensive and relatable view of risks. Highlighting preventive measures taken to mitigate risks reassures the board of the effectiveness of cybersecurity efforts.

Nick’s plans for his cybersecurity strategy going forward are a personal commitment to ongoing learning and relationship-building to enhance cybersecurity leadership. He plans to stay updated on cybersecurity trends and engage in professional development opportunities. Continuing regular one-on-one meetings with board members will help address their evolving concerns and maintain trust. And integrating cybersecurity with business strategy positions it as a value driver rather than a cost center.

What sets this book apart is its narrative approach. Rather than delivering dry theory, it humanizes the leadership journey through relatable scenarios: failed board presentations, crisis response, emotional dynamics, and learning through mentorship. These moments are not only engaging but also serve as case studies that illustrate key principles like bridging information asymmetry, managing the affect heuristic, and developing a business-aligned communication style. At the end of each chapter, Dr. Marchewka includes Key Takeaways and Discussion Prompts, which add to the book’s value as a reference.

As I started reading this book, I felt as though Dr. Marchewka attended some of my own early meetings with boards of directors and executive management. Initially, I was as ineffective as Nick and could still see the blank stares as I tried to convey detailed and overly complex technical information. I only wish I had A Cybersecurity Leader’s Journey: Speaking the Language of the Board then. I highly recommend this book for CISOs in their efforts to be more effective communicators.
- Ron Baklarz – C|CISO, CISSP, CISM, CISA, NAS-IAM/IEM (Retired)




Product Details
  • ISBN-13: 9781032980539
  • Publisher: Taylor & Francis Ltd
  • Publisher Imprint: CRC Press
  • Height: 234 mm
  • No of Pages: 94
  • Sub Title: Speaking the Language of the Board
  • Width: 156 mm
  • ISBN-10: 1032980532
  • Publisher Date: 29 Apr 2025
  • Binding: Hardback
  • Language: English
  • Series Title: Security, Audit and Leadership Series
  • Weight: 360 gr

