How CISOs Can Earn Real Influence In The Boardroom With Rapid7

Mar 8, 2026

Tom Langford, EMEA CTO at Rapid7 and former CISO, blends security leadership with public speaking and awareness work. He talks about the shift from gaining board access to earning influence. He contrasts risk language with boards’ focus on profit and costs. He explains why frameworks can cloud decisions and highlights tabletop exercises and P&L-style communication as ways to connect security to the business.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

Boardrooms Have Become Business First

Boards have evolved and are now more business-focused rather than impressed by security jargon.
Thom Langford says CISOs often still present irrelevant technical detail and must adapt to a savvier boardroom.

INSIGHT

Boards Care About Revenue And Cost Not Abstract Risk

Boards prioritise revenue growth and operational costs over abstract risk measures.
Thom points out security teams obsess over risk reduction while boards care about selling more and lowering cost.

ADVICE

Translate Security Into Selling More Beer

Learn your company's business model and link security outcomes to selling more product or lowering costs.
Thom's phrase: security's job is to help the company "sell more beer," so align security to core business goals.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

How does a CISO turn cybersecurity from a technical conversation into a business conversation that boards actually care about?

In this episode of Tech Talks Daily, I sit down with Thom Langford, EMEA CTO at Rapid7 and a former CISO, to explore what he calls the second phase of cybersecurity leadership. For years, the industry worked hard to secure a seat at the boardroom table. In many organizations, that mission has largely succeeded. But as Thom explains, gaining access was only the first step. The real challenge now is communicating security in a way that drives meaningful business decisions.

Thom shares why many CISOs still approach board conversations in the same way they did a decade ago, even though boardroom awareness of cybersecurity has changed dramatically. Today, many boards include members with cybersecurity knowledge or direct security experience. That means security leaders can no longer rely on technical jargon, complex frameworks, or compliance language to make their case.

One of the most interesting insights from our conversation is the disconnect between how CISOs frame risk and what boards are actually focused on. While security teams often lead with risk reduction, boards tend to think in terms of revenue growth and operational costs. Thom argues that security leaders must learn to translate cybersecurity into the language of profit and loss if they want their message to resonate at the executive level.

We also explore how traditional security tools such as risk frameworks, audits, and compliance standards can sometimes create distance rather than clarity in board discussions. Instead of helping executives understand security priorities, these models can obscure the real question boards are trying to answer. How secure are we, and what does that mean for the business?

Another area we discuss is the growing role of tabletop exercises. Thom explains why these simulations are becoming one of the most effective ways for CISOs to demonstrate the real-world impact of security decisions. By walking executives through a realistic incident scenario, leaders can see how security, operations, legal teams, and business priorities intersect during a crisis.

Looking ahead, Thom believes the most successful CISOs will increasingly need to think like business leaders rather than purely technical specialists. Communication skills, relationship building, and understanding the organization's financial priorities may prove just as important as deep technical expertise.

So if cybersecurity leaders have already earned their place in the boardroom, the next question becomes much more interesting. Are they speaking the language the board actually understands, or are they still trying to solve business problems using only security vocabulary?