Here at TrustMAPP, we talk to CISOs daily. The one topic that is top of mind is how to report to the Board.

We spoke with over 20 CISOs about what the most important part of their report to the board is…and we got 20 different answers of course. A few of the key elements of Cybersecurity Board reporting include:

1. Understand your Board members: where they come from, their background, and the types of issues they are most familiar with given their professional experience and the industries in which they have expertise.

2. Learn the type of communication the Board prefers. Some Board members like charts and aggregated visual aids, while others prefer tables and numerical metrics.

3. Quantifying cybersecurity performance is increasingly expected, and understanding the numbers that drive the KRIs and metrics, as a CEO does for the business, is becoming increasingly critical for success as a cybersecurity leader.

“Know your board… research other boards they serve on and companies they’ve worked for.” – Jason Lish, CISO at Lumen Technologies

“There is no one ‘The board’. Learn what the board prefers in terms of communications both collectively and individually.” – Allan Alford, CISO at TrustMAPP

“I think numbers are going to be increasingly important with boards. We shouldn’t be asking the board for cash: they have a governance role, not an operational one.” – Rich Mason, Former CSO at Honeywell Global

We understand the importance of reporting to the board and the variations of said reporting. So, we’ve consolidated responses and variations in data representation and created a Board Reporting Best Practices Framework:

3 things to consider in your presentation before you start preparing:

  • How long will it take to put together?
  • Are you telling a compelling story?
  • Are you confident in the

What every board report should cover:

  • Posture Against an Industry Framework
  • A Heat Map of the Highest Risks
  • A Discussion of “Intolerables” and the POAM (Plan of Action and Milestones)

The primary duties of a corporate board you should take into account:

  • Duty of Care – Prudent use of all assets, including facilities, people, and goodwill
  • Duty of Loyalty – Ensuring activities and transactions are in the company’s best interest and advancing its mission
  • Duty of Obedience – Ensuring compliance with all applicable laws and regulations and adherence to the company’s own bylaws and stated mission

5 questions your board WILL ask and how to answer them according to Gartner®

  • The Tradeoff Question: Are we secure enough?
  • The Landscape Question: How bad is it out there?
  • The Risk Question: How exposed are we?
  • The Performance Question: How are we performing?
  • The Incident Question: Are we prepared to respond effectively?

Responses to common questions asked by the board, according to Gartner:

Question 1: What is X? What should our approach to X be?

What they mean: We don’t know what bad, good, or great looks like.

How to respond: Provide a definition and big-picture representation of what the enterprise currently has and specifically how it got that way.

Question 2: Why do we need X, or why is X that way?

What they mean: We don’t know how to make decisions about this.

How to respond: Map business capabilities to X and describe the limitations of the current state.

Question 3: What are our options regarding X?

What they mean: Help us figure out the flexibility and levers we have to use to impact business outcomes.

How to respond: Co-create and negotiate the strategic story through a persistent focus on cost/value/risk trade-offs of the different options. Do not endorse an option you do not control.

Question 4: How does X work?

What they mean: Tell us how it works so we can tell you what to do.

How to respond: Educate, demonstrate, and create a framework story to guide the conversation.

Save time preparing your board report and tell the board what they want to know.

Download and customize your Board Reporting Presentation Template HERE.