Some relationships in life are straightforward. Both sides “get” each other and though miscommunications inevitably occur occasionally, it’s mainly smooth sailing.
The relationship between CISOs and the Board of Directors is generally anything but straightforward. More often than not, it’s marked by significant gaps in communication and mutual lack of understanding. There are loads of reasons why this fractured paradigm exists (which we’ll cover below) but the real problem is that the disconnect between decision-makers and security leaders can have very damaging consequences. The need for better communication and improved reporting is obvious.
In this post, we’ll explore challenges CISOs face in reporting to the board and give you a checklist for delivering reports that drive stronger engagement.
The Challenges of Cybersecurity Reporting to the Board
Lack of effective reporting to the board is an issue with broad causes and ramifications. According to Harvard Business Review, in a recent survey of 600 Board members, “Just 69% of responding board members see eye-to-eye with their chief information security officers (CISOs). Fewer than half (47%) of members serve on boards that interact with their CISOs regularly, and almost a third of them only see their CISOs at board presentations. This means that directors and security leaders spend far from enough time together to have a meaningful dialogue about cybersecurity priorities and strategies.”
Here are some reasons it can be so hard to get it right:
- Cybersecurity is a technical subject. There’s no way to avoid some technical terminology or metrics. And if you live and breathe these terms and numbers every day, you may struggle to translate these details into a business-friendly format. This can create a disconnect, wherein vital cybersecurity risks and solutions are misunderstood or undervalued by board members. This can limit the effectiveness of decision-making.
- There’s a lack of standardized reporting metrics. Without a consistent framework, it’s difficult for boards to compare cybersecurity performance across different departments or against industry benchmarks. This inconsistency hinders discussions of key issues like resource allocation and risk prioritization.
- It’s time-consuming and resource-sapping. Enterprise-level cybersecurity reporting itself – whether it’s effective or not – is usually time-consuming and resource-sapping. The time, expertise, and cost required to produce comprehensive reports lead many CISOs to resort to basic spreadsheets that don’t provide the level of detail or real-time data that board members need to make informed decisions. The result is outdated or incomplete information that undermines cybersecurity planning.
- Sometimes, the wrong conversations are being had. As a CISO, you’re likely focusing on risk and threats, and on the metrics, actions, and tools you need to stay secure. But the reality is that every organization is going to be breached at some point, so conversations that fail to consider resilience – planning for how to respond most effectively – are of limited usefulness.
At the same time, Boards are aware of the need to be more engaged with the topic. Now that SEC reporting rules from 2023 mandate that public companies report material cybersecurity incidents quickly and explain cybersecurity risk management strategies annually, Boards know they need to wake up.
As the UK’s National Centre for Cyber Security (NCCS) puts it, “Board members don’t need to be technical experts, but you do need to know enough about cyber security to have constructive discussions with key staff, so you can be confident that cyber risk is being appropriately managed.” So how can you make sure your reporting to the board translates security concerns into tangible business concerns and demonstrates that cyber risk and risk to the business are indeed the same thing?
Here’s Our Checklist for Having Better Board Meetings From Now On
- Tailor reports to the audience
Avoid technical jargon and focus on delivering high-level overviews. Use clear language that aligns cybersecurity initiatives with business goals. Ensure that board members can grasp key risks and strategies without deep technical knowledge.
- Focus on business outcomes
This one is truly essential. Frame cybersecurity in terms of its impact on the business. Highlight how security initiatives affect revenue, reputation, and customer trust. Compare the potential costs of inaction with the benefits of specific countermeasures.
- Provide actionable information
Present insights that help the board make informed decisions. This includes outlining the effectiveness of current controls, identifying emerging risks, and quantifying the financial impact of cyber threats. This enables the board to prioritize investments.
- Use visuals where possible
Visual aids such as charts, graphs, and infographics can help board members understand complex cybersecurity concepts more easily. Visual representations of attack data can also make your presentation more engaging and memorable.
- Use standardized reporting frameworks
Consistent, structured reporting ensures comparability across business units and makes it easier for boards to track progress over time. Standardized reports also save prep time and improve the clarity of data presented.
- Include risk scenarios
Use “what-if” scenarios to illustrate potential threats and their impacts. By outlining the consequences of various cyber risks, you provide context that helps the board assess the urgency of investing in specific mitigations.
- Report regularly
Ensure the board receives frequent updates on the organization’s cybersecurity posture. Regular reporting keeps cybersecurity top of mind and ensures leadership is always aware of emerging threats and evolving risks.
Better Reporting for Better Security (and Business!) Outcomes
Building an effective board-CISO relationship requires clear, impactful communication.
To make this happen, you need to extend the board-CISO collaboration beyond basic compliance and risk mitigation. When reporting risk, remember that it’s not about security tools but about the metrics that actually drive business decisions. If your reporting delivers outcomes rather than a laundry list of issues, you can realize your organization’s goals. (Want more info on how to report risk to the board? Grab your copy of A CISO’s Guide to Reporting Cyber Risk to the Board right here.)
A strong board-CISO relationship builds a security-conscious culture at the highest level of the organization, enabling you to secure the resources and support needed to implement lasting, effective security measures. By focusing on clarity, business relevance, and actionable insights, you can transform board reporting into a powerful tool for advancing organizational security.