As information security becomes a more important topic of interest for corporate boards, CISOs are increasingly asked to step up and brief boards on cyber issues -- which means they need to become better communicators and have a broader understanding of business needs.

According to a recent survey by Veracode and the New York Stock Exchange, 80 percent of boards discuss cybersecurity at nearly every board meeting.

"It's become a really serious issue," said Chris Wysopal, CTO and CISO at Veracode.

Communication skills

Despite the growing interest in cybersecurity, boards still have a long way to go before they're fully educated about it. According to a June study by Fidelis Security and the Ponemon Institute, 26 percent of board members admit to "minimal or no knowledge" about cybersecurity, and only 33 percent say that they are "knowledgeable" or "very knowledgeable."

This lack of education is combined with an over-inflated view of their company's security -- 70 percent of board members said that they understand the security risks to the organization, but only 43 percent of IT security professionals agreed that the board understood the security risks to the organization. Only 18 percent of IT security professionals rated their companies' cybersecurity governance practices as very effective -- compared to 59 percent of board members.

This is a difficult communications gap that needs to be addressed both at the board level and by CISOs themselves. But that doesn't mean that boards want to hear about all the technical details of the latest security technologies.

"Boards want the CISO to give them risk metrics and peer benchmarking," Wysopal said. "They want to know how they're doing related to like companies. Those are all good things that are going to help boards understand the true risk of cybersecurity."

Instead of focusing on vulnerabilities or tools deployed, CISOs should focus on easy-to-understand metrics that show how effective the company is at managing security, said Matt Alderman, vice president of strategy at Tenable Network Security.

"This requires top line metrics associated with impacts to the business," he said. For example, that could be the amount of money lost due to security failures. Operational metrics could also be useful, he said, such as reducing the potential attack surface.

"My job is to facilitate the awareness of risk and be in a position of educating my leadership about what risk they are willing to accept," said Paul Calatayud, CISO at Surescripts.

Business know-how

Surescripts processed 6.5 billion transactions last year for 98 percent of U.S. pharmacies, so the worst-case cyber-risk scenarios are pretty bad. Despite that, Calatayud said he doesn't pitch new security projects to the board based on improving security, but based on increasing business value.

For example, medical fraud has an impact on the company's brand and reputation, so Calatayud started out by getting the marketing department to understand the net benefit of that particular project.

"The board becomes very receptive to that because they see the business content, because the marketing team is on board," he said. "Here's the net benefit to the company. That's how I've approached bringing things that are more company strategic."

It can be hard to justify technology costs by focusing purely on the security benefits, he said.

"Fear-mongering, although helpful at one time to garner support, today leads to only short-term support and ultimately undermines CISO credibility," said Adam Vincent, CEO at security firm ThreatConnect. "Instead, the CISO should focus on clearly communicating strategic risks to the business and what is being done to mitigate the risk."

For example, CISOs might be able to get more money for their security projects by attributing the costs to the business unit or organization that will benefit from them, instead of asking for funding in one lump sum, said David Shearer, executive director at International Information Systems Security Certification Consortium.

If you can't beat them, join them

Becoming a member of a corporate board can be a great career move, according to Gerry Stegmaier, partner in the privacy and data security practice at Goodwin Procter LLP. Here's how to best position yourself for a directorship.

Go back to school. It helps corporate directors to have a broader knowledge of business, and an MBA can help.

Find mentors. "One of the best things you can do is seek out people who are already on boards for mentorship and guidance," Stegmaier said.

Serve on non-profit boards. Non-profit boards are an opportunity to learn how to be a board member, and to network with other directors.

Accept a supporting role. You might not be a director yourself, but by helping out you can get a sense of how boards work from the inside.

Get a job outside of IT. To get on a board, especially a large public corporate board, it helps to have been a CFO, COO or CEO of a public company. But don't let your IT job stop you from trying. As cybersecurity becomes more important, some boards are willing to look at candidates with a narrower background.

And don't let a minority background get in the way. Although corporate boards are still heavily dominated by the white male demographic, there's growing awareness that more diverse boards lead to better corporate performance. "And companies are starting to realize the value that women have," he added.

"CISOs need to bridge the gap between the technical aspects of the information security program and the business value board members are looking for from investments," he said.

For example, when Jason Thomas, CIO at Ruston, La.-based Green Clinic, was pitching consolidated user accounts to his board of directors, he didn't pitch it as a costly new security project. Instead, he pitched it as a way for doctors to be able to log in to all their systems with just one user name and password, so that they could stop worrying about security and focus more on their patients.

"That's a business simplifier," he said.

His board, mostly composed of medical professionals, is worried about security, he added.

"But it's a difficult situation because you're trying to educate them without giving them fatigue," he said. "You have to have a light touch with security, and not freak them out."

Whenever a project can be pitched as a business benefit or competitive advantage, that helps, he added.

New success metrics needed

Eric Cole, Fellow at SANS Institute, said that he's regularly seeing CISOs becoming equal to the CIO and reporting to a risk executive, or directly to the board.

"It's security that keeps executives up at night, not IT infrastructure," he said.

Many boards don't know what to look for in a CISO, or how to tell whether a CISO has been doing a good job or not, he said.

"The problem is the metric the board is using today is, if you don't have a breach, then security is doing its job," he said. "And that's a very dangerous metric because we know that everybody will have a breach."

Then, once a breach happens, someone falls on their sword -- and that someone is the CISO.

"If you're going to be a CISO in the near future, keep your resume updated, because you're going to be moving around for a few jobs," Cole said. "CISOs are like NFL coaches -- they don't go away, they just go from team to team."

"We've seen CISOs fired after a high profile breach has occurred," said Frank Mong, vice president of solutions for HP Security. "With the level of stress and risk taken on by CISOs today, there is a high rate of burnout. The role of the CISO is no walk in the park."

But there is a way out, said SANS Institute's Cole. New CISOs need to start by educating their boards about the relative costs of risks. How much would perfect security cost? How much can the company actually afford? What risks is it willing to take?

"You have to understand the risk appetite of the executive team," Cole said. "Then you need to define clear metrics for security that they can understand."

Joining the board

There is one more step that corporate boards can take to improve security -- bring a security expert onto their board.

"I think we're going to increasingly see search committees looking for directors who can demonstrate particular technology competencies," said Gerry Stegmaier, partner in the privacy and data security practice at Goodwin Procter LLP.

Earlier this year, for example, Wells Fargo elected retired Air Force Maj. Gen. and commander Suzanne Vautrinot to its board of directors. At Air Forces Cyber, she oversaw a multi-billion dollar global cyber enterprise with 14,000 military, civilians, and contractors.

"This topic has become so important that in a few cases, we've even seen federal regulators encourage boards to add more cyber expertise to the board," said Jim Jaeger, chief cyber services strategist at Fidelis Cybersecurity.