Cyber security executives shared candid insights on navigating executive conversations, building resilience and aligning cyber security with business priorities during a fireside chat.

Cyber security leaders need to stop selling technology and start selling risk reduction if they want boards to back security investments.

This was one of the key messages from a fireside discussion featuring some of SA's leading CISOs at the ITWeb Security Summit 2026 in Johannesburg this week.

Moderated by Kerissa Varma, president of Women in Cybersecurity Southern Africa, the panel brought together Celia Mantshiyane, group CISO at FirstRand; Cheryl Modise, executive for IT governance, risk and compliance at Telkom; Xolani Lukhele, GM for IT governance, risk and security at Transnet SOC; and Suren Naidoo, group CISO at Foschini Retail Group.

The discussion offered delegates a glimpse into the boardroom conversations that shape cyber security strategy, funding and governance at some of the country's largest organisations.

According to Modise, one of the biggest challenges security leaders face is competing for funding against business units that directly generate revenue. However, she argued that cyber security should never be viewed as competing with business growth.

"The cost of prevention is nothing compared to the cost of a breach and recovery," she said.

Rather than asking boards to fund security technologies, CISOs should frame discussions around business risks, customer trust, regulatory compliance and operational resilience. "If you're asking for funding for a technology refresh, don't lead with the technology. Explain how it protects customer trust, prevents downtime and helps the organisation continue delivering services."

Lukhele reflected on Transnet's 2021 cyber attack, which disrupted operations at SA's ports and highlighted the far-reaching impact cyber incidents can have on the economy. He said the incident fundamentally changed the organisation's approach to cyber risk.

Since then, Transnet has invested in strengthening resilience through technology, skills development, awareness programmes and continuous testing of its security controls.

Lukhele noted that cyber security is increasingly being treated in the same way as occupational health and safety within the organisation. "Everyone has a role to play. Employees are often the first line of defence, which is why awareness and training remain critical."

He added that resilience has become just as important as prevention. "We may not always stop every attack, but we must be able to recover quickly and continue delivering our mandate."

Mantshiyane highlighted the growing pressure facing the financial services sector, where cyber incidents can quickly become matters of national concern. She noted that cyber attacks affecting one financial institution often trigger questions across the entire sector, with boards seeking reassurance that their organisations are adequately protected.

"The answer is that we're as secure as we know how to be today," she said. At the same time, she stressed the importance of being transparent with boards about existing risks and gaps.

Mantshiyane said many organisations are now extending cyber incident simulations beyond technical teams to include executives and board members. "When a crisis happens, everyone has a role to play. The board, executives and communication teams all need to understand how they will respond."

She also emphasised the importance of collaboration within the cyber security community. "There is no competitive advantage in cyber security. Information-sharing across the sector is critical because a breach in one organisation can have wider consequences."

The conversation also turned to artificial intelligence (AI), which all panellists agreed is reshaping both business operations and the cyber threat landscape.

Naidoo described the modern CISO as a change leader who must help organisations balance the benefits of AI against emerging risks.

He told delegates that organisations need to focus not only on return on investment from AI initiatives, but also on what he called "risk reduction on investment".

As businesses accelerate AI adoption, boards are increasingly seeking guidance on how to safely embrace the technology while protecting sensitive information and systems.

Lukhele cautioned that organisations must establish proper governance before rolling out AI tools at scale. He warned that many employees are eager to experiment with freely available AI platforms without fully understanding how their data may be used. "If something is free, you need to ask what the trade-off is," he said.

Strong data governance, clear policies and approved AI platforms are essential to ensuring organisations can realise AI's benefits without introducing unnecessary risks, he added.

The panel concluded with a discussion on common cyber security misconceptions.

For Modise, the biggest myth is that security teams exist to slow the business down. "Security is a business enabler," she said. "Our role is to help the organisation deliver products and services securely."

Mantshiyane challenged another common assumption: that organisations which have never suffered a major cyber incident are somehow immune. "It's not a question of if an attack will happen, but how prepared you are to respond when it does."

Naidoo added that CISOs sometimes make the mistake of assuming cyber security should be the centre of every board discussion. "Boards aren't there to talk about cyber security. They're there to talk about the business. The challenge is positioning cyber risk as part of the broader risk management conversation."

A key takeaway from the discussion is that successful CISOs are those who can translate technical risks into business outcomes and build the trust needed to influence decisions at the highest levels of the organisation.