
Lost in translation: Cybersecurity board reporting for CISOs

Cybersecurity board reports don't always land. At the Security and Risk Management Summit 2026, Gartner analysts suggested a novel way to communicate cyber-risk to corporate directors.

Hundreds of security leaders from across industries recently packed a ballroom in National Harbor, Md., to tackle a challenge some consider even more daunting than nation-state hackers or AI-fueled cyber threats: presenting to a company's board members so they understand and appreciate the formidable cybersecurity risks the organization faces.

"How many of you get excited when your annual car insurance premiums come up for renewal?" said Sam Olyaei, a managing vice president at Gartner, during the session at the Gartner Security and Risk Management Summit 2026. "That is how the board has viewed cybersecurity. It's a regulatory thing. It's a checklist. It's an attestation."

Ten years ago, according to Olyaei and Gartner analyst Tom Scholtz, only 25% of CISOs presented to their boards. A show of hands from session participants suggested nearly all do today. With major data breaches now often making headlines, the board's view of those presentations is also changing. According to Gartner, 93% of board members agree that cyber-risk poses a threat to shareholder value, while 98% believe threats will grow within the next two years. The challenge, according to Olyaei and Scholtz, is that executive boards don't share the same priorities as CISOs and rarely speak the same figurative language.

Know your audience

CISOs in attendance shared that they struggle to translate the abundance of operational data into narratives that resonate with their boards. That problem stems from a common disconnect, according to the Gartner analysts.

"Many of the reports that I review are actually structured around cybersecurity, not around the business," Scholtz said. "When we talk about things in cybersecurity terms, we get very enthusiastic about it. My wife says, 'Normal people don’t get excited about that stuff.'"

Know your audience and consider what they can easily digest, Olyaei added. Otherwise, important messages get lost in translation.

Use financial reports as templates


CISOs should try using monthly or quarterly financial reports as templates for cybersecurity board reporting, the Gartner analysts suggested. Finance is the lexicon of the board, and a cybersecurity report that follows that structure makes intuitive sense to corporate directors.

Olyaei and Scholtz presented the following example:

Balance sheet: Cybersecurity program's current state

Analogous to a financial report's balance sheet, this section provides a point-in-time snapshot with easily digestible heat maps and logarithmic scales showing top cyber-risks and potential financial impact.

Program status is presented as the state of execution against the approved strategy roadmap and the number of projects started, completed or overdue. The board sees the statuses of production-level agreements, such as patch cadence, incident containment time and incident remediation time. Through charts and graphics, this section also summarizes penetration tests, vulnerability assessments and audit findings.

Income statement: Cybersecurity business performance

Just as a financial report's income statement shows macro changes in business performance, this section does the same for cybersecurity. It communicates expected financial losses or improvements due to threats, automation, process changes, the regulatory environment or external trends.

Cash flow statement: Cybersecurity resource allocation

This section shows cybersecurity resource efficiencies for a given period of time, serving the same purpose as a cash flow statement. It provides visibility into performance against the cybersecurity budget, tracking expenses for staff, services, hardware and software by functional category. Boards can see benchmarks and trends, such as the number of full-time security staff members or the percentage of IT budgets dedicated to security.

Narrative and notes

Finally, the narrative section allows the CISO to summarize findings, provide context, offer more information, surface new issues and make any requests of the board.

Position yourself as a business leader

The Gartner analysts reminded conference attendees that a CISO, if lucky, will get only five to 10 minutes to present cybersecurity updates to the board.

As a best practice, they recommended selecting a stable, minimum set of indicators and metrics for each section that stays consistent across reports. Every data point should tell its own unique story within the context of the report section, the analysts stressed. Upon drafting the framework, circulate it among key leadership stakeholders.

Scholtz said that CISOs can gauge the success of this new reporting model by whether it does the following:

  • Generates positive responses and constructive feedback from the board.
  • Gives the board the information needed to oversee cybersecurity and make decisions more effectively.
  • Reduces the number of awkward or stilted questions from board members.
  • Increases support for proposed cybersecurity investments and governance requests.

"There's a challenge in CISOs being looked at as technical leaders -- being looked at as technology first, business second," Olyaei said. "One of the unintended consequences of this framework is that it also elevates the profile of CISOs as [business] leaders."

Richard Livingston is an editor with Informa TechTarget's SearchSecurity site, covering cybersecurity news, trends and analysis.
