How to: Report to The Board

Published On: May 18, 2022

Here at TrustMAPP, we talk to CISOs daily. 

We spoke with over 20 CISOs about what the most important part of their report to the board is…and we got 20 different answers of course.

“Know your board… do research on other boards they serve on and companies they’ve worked for. ” – Jason Lish, CISO at Lumen Technologies

“There is no one ‘The board’. Learn what the board prefers in terms of communications both collectively and individually.” – Allan Alford, CISO at TrustMAPP

“I think numbers are going to be increasingly important with boards. We shouldn’t be asking the board for cash: they have a governance role, not an operational one.” – Rich Mason, Former CSO at Honeywell Global

We understand the importance of reporting to the board and the variations of said reporting. So, we’ve consolidated responses and variations in data representation and created a Board Reporting Best Practices Framework:

3 things to consider in your presentation before you start preparing:

  • How long will it take to put together?
  • Are you telling a compelling story?
  • Are you confident in the content?

What every board report should cover: 

  • Posture to An Industry Framework
  • A Heat Map of Highest Risk
  • A Discussion of “Intolerables” and POAM

The primary duties of a corporate board you should take into account:

  • Duty of Care – Prudent use of all assets, including facilities, people, and goodwill
  • Duty of Loyalty – Ensuring activities and transactions are in the company’s best interest and advancing its mission
  • Duty of Obedience – Ensuring compliance with all applicable laws and regulations and adherence to own bylaws and stated mission

5 questions your board WILL ask and how to answer them according to Gartner®

  • The Tradeoff Question: Are we secure enough? 
  • The Landscape Question: How bad is it out there?
  • The Risk Question: How exposed are we? 
  • The Performance Question: How are we performing?
  • The Incident Question: Are we prepared to respond effectively?

Responses to common questions asked by the board, according to Gartner:

Question 1: What is X? What should our approach to X be?

What they mean: We don’t know what bad, good, or great looks like.

How to respond: Provide a definition and big-picture representation of what the enterprise currently has and specifically how it got that way.

Question 2: Why do we need X, or why is X that way?

What they mean: We don’t know how to make decisions about this. 

How to respond: Map business capabilities to X and describe limitations of the current state

Question 3: What are our options regarding X? 

What they mean: Help us figure out the flexibility and levers we have in order to use this to impact business outcomes.

How to respond: Co-create and negotiate the strategic story through a persistent focus on cost/value/risk trade-offs of the different options. Do not endorse an option you do not control.

Question 4: How does X work?

What they mean: Tell us how it works so we can tell you what to do. 

How to respond: Educate, demonstrate and create a framework story to guide the conversation. 

Save time preparing your board report and tell the board what they really want to know.

Download and customize your Board Reporting Presentation Template HERE.

Browse These Topics


boost the protection of your data bridge the gap in your information security challenges build a cyber safe firm business decisions around security Challenges Facing Chief Information Security Officers CISO program efficacy CISO program management cyber security cyber security goals Cybersecurity management Cyber Security Mistakes cybersecurity performance management cyber security platform cyber security team Effective Data Security Measures effectively communicate with board members regarding cyber issues or threats elevate your security confidence elevating information security elevating your information security levels Identify Potential Security Weaknesses Implementing a Comprehensive Cyber Security Plan Implementing Strong Cyber Security Protocols Implementing strong security software protocols improve cyber security protocols Information Security Programs information security protection agency information security risk management information security solutions information security trends managing your information security effectively maturity of your information security and privacy programs measure security levels measure your security proprietary software can help you to protect your company Protect Against Costly Security Breach Protect Customer Data Protect Cyber Network risk management advisor risks of a data breach roadmap to better information security robust security monitoring service successful information security technology advancement top notch security software for your company traveling to high risk countries