Board Reporting for Security Professionals

Save time preparing your board report and tell the board what they want to know.

Here at TrustMAPP, we talk to CISOs daily.

We spoke with over 20 CISOs about which part of their report to the board matters most, and, of course, we got 20 different answers.

“Know your board… research other boards they serve on and companies they’ve worked for.” – Jason Lish, CISO at Lumen Technologies

“There is no one ‘The board’. Learn what the board prefers in terms of communications both collectively and individually.” – Allan Alford, CISO at TrustMAPP

“I think numbers are going to be increasingly important with boards. We shouldn’t be asking the board for cash: they have a governance role, not an operational one.” – Rich Mason, Former CSO at Honeywell Global


We understand both the importance of reporting to the board and how much that reporting varies from one company to the next. So we consolidated the responses, along with the different ways CISOs present their data, into a Board Reporting Best Practices Framework:

Three things to consider in your presentation

  • How long will it take to put together?

  • Are you telling a compelling story?

  • Are you confident in the content?

What every board report should cover (Slides 4 – 11)

  • An Industry Framework

  • A Heat Map of Highest Risk

  • A Discussion of “Intolerables” and POAM

The primary duties of a corporate board you should consider

  • Duty of Care – Prudent use of all assets, including facilities, people, and goodwill

  • Duty of Loyalty – Ensuring activities and transactions are in the company’s best interest and advancing its mission

  • Duty of Obedience – Ensuring compliance with all applicable laws and regulations and adherence to own bylaws and stated mission

Five questions your board WILL ask and how to answer them according to Gartner®

  • The Tradeoff Question: Are we secure enough? (Slides 4 – 6)

  • The Landscape Question: How bad is it out there? (Slides 8 – 9)

  • The Risk Question: How exposed are we? (Slides 4 & 6)

  • The Performance Question: How are we performing? (Slides 4, 5 & 7)

  • The Incident Question: Are we prepared to respond effectively? (Slides 10 & 11)

We’ve also included a complimentary Gartner Report, “Five Board Questions That Security and Risk Leaders Must Be Prepared to Answer.”

* GARTNER® is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner, “Five Board Questions That Security and Risk Leaders Must Be Prepared to Answer,” Sam Olyaei, Jeffrey Wheatman, 3 December 2020.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from TrustMAPP.