CISO's guide to creating a cybersecurity board report

An effective cybersecurity board report influences executive decision-making at the highest levels. Learn how to write a report that resonates with corporate directors.

In today's threat-dense digital environment, shareholders and the public expect corporate boards to understand cybersecurity issues and what they mean for the bottom line. Since 2023, the U.S. Securities and Exchange Commission has required public companies to disclose their boards' cyber-risk oversight practices, given that such information might reasonably influence investor decisions.

The SEC mandate elevates the importance of clear, concise and informative cybersecurity board reports. Far more than just satisfying regulatory requirements, these reports can guide strategic decisions, demonstrate cybersecurity governance and support risk-informed business continuity.

Here are some suggestions for CISOs aiming to write compelling and compliant cybersecurity board reports.

What is a cybersecurity board report?

A cybersecurity board report is a document written by security leaders, usually the CISO or security team, for corporate directors. This document has three key goals:

  1. It gives corporate directors an overview of the organization's security posture and cyber-risk outlook.
  2. It updates them on key security initiatives and investments.
  3. It provides strategic recommendations from the CISO.

CISOs must write cybersecurity board reports in a language directors understand, translating complex technical information and relating it to business objectives.

Why are cybersecurity reports to the board important?

Boards are now expected to understand, interrogate and guide their organizations' cybersecurity strategies to optimize business outcomes. But many corporate directors come to the table with little cybersecurity expertise and limited understanding of their organizations' security programs.

Clear, transparent and actionable cybersecurity reports give boards the information they need to understand cyber-risk as business risk and fulfill their oversight responsibilities. This strengthens both corporate resilience and stakeholder trust.

Board reports also give CISOs the opportunity to grow their influence, advance their strategic agendas and bridge the gaps between their security programs and senior business leaders. A 2023 Harvard Business Review survey found just 69% of board members said they see eye to eye with their CISOs -- a statistic that underscores the need for effective engagement with executive decision-makers.

Key elements of a cybersecurity board report

The board's primary responsibility is to facilitate the company's long-term financial success. As such, directors need a comprehensive, strategic overview of the organization's security posture and cyber-risk outlook, rather than an in-the-weeds, tactical and operational play-by-play.

With this in mind, consider organizing the cybersecurity board report into thematic sections, as follows.

Executive summary

Provide a brief overview of key insights, takeaways, recommendations and action items. The executive summary should tell a coherent story about the organization's current cyber-risk outlook and what it means for business objectives.

Cyber-risk overview

Align the cyber-risk overview with the enterprise risk management program and contextualize it within broader enterprise risk narratives. Boards need, first and foremost, to understand how cyber-risk intersects with financial, operational and compliance risks to affect business outcomes.

Outline key cyber-risks facing the organization -- including those from third-party partners -- and assess the effectiveness of existing controls. Include cyber-risk scenario analysis or stress test summaries to illustrate how cybersecurity influences business continuity and outcomes.

To measure and track cyber-risk levels in board reports over time, consider the following mechanisms:

Threat landscape

Provide a high-level summary of the company's threat environment, including emerging attack trends, major attacks on peer organizations and relevant geopolitical developments.

Key risk metrics

Present relevant key risk indicator (KRI) and key performance indicator (KPI) metrics, such as phishing success rates, intrusion attempts, vulnerability patching timelines and insider threat alerts.

Be intentional about which KPIs and KRIs you include -- share only those that you can directly connect to business objectives. Cybersecurity for cybersecurity's sake should not be the aim, and superfluous data can overload the reader and distract from key takeaways.

Incident response overview

Summarize the organization's incident response plan, including the thresholds and processes for board involvement. Outline the mechanisms through which the board learns of active cyberincidents, such as threat briefings, event dashboards and formal escalation protocols.

Describe recent incidents, responses, outcomes and post-incident remediation efforts.

Regulatory updates

Flag any changes in cybersecurity laws or industry standards that could affect regulatory compliance or operational security. Note that, given the rapid evolution of the cybersecurity threat landscape, regulatory updates occur frequently, especially in tech-heavy states, such as California.

CISOs at public companies should also include information relevant to SEC disclosure requirements, such as the following:

  • Oversight responsibility. Review which board entity -- e.g., committee, subcommittee or individual director -- is responsible for cybersecurity oversight. Typically, this falls to the risk committee, appropriately positioning cybersecurity as a business risk, not merely an IT issue.
  • Engagement frequency. Detail how often the board or its designated subgroup meets with the CISO. The best practice is quarterly board discussions, plus monthly meetings with the relevant -- e.g., risk -- committee. Additional meetings could be ad hoc, in the case of significant security incidents.

Strategic initiatives

Highlight progress on cybersecurity roadmap items, such as zero-trust implementation, cloud security posture improvements or third-party risk assessments.

Illustrate how cybersecurity is embedded in business strategy, such as in M&A, digital transformation and supply chain risk evaluations.

Board actions and recommendations

Make any strategic recommendations and new budgetary requests, being sure to position them in terms of enterprise risk and business objectives. Include relevant resources, such as current and projected security investments, ROI, staffing levels, and other resource gaps and recommendations.

Best practices for reporting cybersecurity to the board

Consider the following best practices to make cybersecurity board reports as useful and influential as possible:

  • Focus on business risk. A risk-based approach ensures the report is relevant, comprehensible and useful to the board.
  • Be clear and concise. The typical corporate board juggles many competing priorities, leaving members limited time and attention to spend on any single topic. Therefore, an effective cybersecurity board report should be concise, focused and intuitively structured.
  • Include executive summaries. Present key findings and takeaways in an executive summary for quick and easy reference.
  • Use visuals. Use visuals, such as charts and graphs, to engage readers and illustrate key points.
  • Highlight trends. Build a coherent narrative about the state of security by noting key trends -- in KRIs, KPIs, industry benchmarks and threat activity -- and what they mean for the business.
  • Avoid technical jargon. Jargon and acronyms can alienate nontechnical board members and undermine the CISO's influence at the executive level.
  • Report to the board quarterly. Best practice dictates that the board should formally discuss cybersecurity at least quarterly, with risk committee discussions monthly. Call additional meetings as necessary for significant incidents.
  • Document cybersecurity board engagement initiatives. Cybersecurity competency at the board level is no longer optional. Consider using the report to document ongoing board training initiatives, involvement in tabletop exercises and engagement with external cybersecurity experts.

Jerald Murphy is senior vice president of research and consulting with Nemertes Research. With more than three decades of technology experience, Murphy has worked on a range of technology topics, including neural networking research, integrated circuit design, computer programming and global data center design. He was also the CEO of a managed services company.

Alissa Irei is senior site editor of Informa TechTarget's SearchSecurity site.