How to: Report to The Board

Published On: May 18, 2022

Here at TrustMAPP, we talk to CISOs daily. 

We spoke with over 20 CISOs about what the most important part of their report to the board is…and we got 20 different answers of course.

“Know your board… do research on other boards they serve on and companies they’ve worked for. ” – Jason Lish, CISO at Lumen Technologies

“There is no one ‘The board’. Learn what the board prefers in terms of communications both collectively and individually.” – Allan Alford, CISO at TrustMAPP

“I think numbers are going to be increasingly important with boards. We shouldn’t be asking the board for cash: they have a governance role, not an operational one.” – Rich Mason, Former CSO at Honeywell Global

We understand the importance of reporting to the board and the variations of said reporting. So, we’ve consolidated responses and variations in data representation and created a Board Reporting Best Practices Framework:

3 things to consider in your presentation before you start preparing:

  • How long will it take to put together?
  • Are you telling a compelling story?
  • Are you confident in the content?

What every board report should cover: 

  • Posture to An Industry Framework
  • A Heat Map of Highest Risk
  • A Discussion of “Intolerables” and POAM

The primary duties of a corporate board you should take into account:

  • Duty of Care – Prudent use of all assets, including facilities, people, and goodwill
  • Duty of Loyalty – Ensuring activities and transactions are in the company’s best interest and advancing its mission
  • Duty of Obedience – Ensuring compliance with all applicable laws and regulations and adherence to own bylaws and stated mission

5 questions your board WILL ask and how to answer them according to Gartner®

  • The Tradeoff Question: Are we secure enough? 
  • The Landscape Question: How bad is it out there?
  • The Risk Question: How exposed are we? 
  • The Performance Question: How are we performing?
  • The Incident Question: Are we prepared to respond effectively?

Responses to common questions asked by the board, according to Gartner:

Question 1: What is X? What should our approach to X be?

What they mean: We don’t know what bad, good, or great looks like.

How to respond: Provide a definition and big-picture representation of what the enterprise currently has and specifically how it got that way.

Question 2: Why do we need X, or why is X that way?

What they mean: We don’t know how to make decisions about this. 

How to respond: Map business capabilities to X and describe limitations of the current state

Question 3: What are our options regarding X? 

What they mean: Help us figure out the flexibility and levers we have in order to use this to impact business outcomes.

How to respond: Co-create and negotiate the strategic story through a persistent focus on cost/value/risk trade-offs of the different options. Do not endorse an option you do not control.

Question 4: How does X work?

What they mean: Tell us how it works so we can tell you what to do. 

How to respond: Educate, demonstrate and create a framework story to guide the conversation. 

Save time preparing your board report and tell the board what they really want to know.

Download and customize your Board Reporting Presentation Template HERE.

Browse These Topics


Assess Company's Security Readiness automate and visualize information security risk management better understanding of their information security management boost the confidence of board members boost the protection of your data corporation’s information security create a security roadmap cyber attack Cyber defense experts cyber security determining cyber risks developing security programs across the business Easy to Understand Data Security Solution effective cyber security software Effective Data Security Measures Good Cyber Hygiene guide development of a strong information security high quality cyber security tools house being robbed Identify Potential Security Weaknesses information security dashboard information security management information security managers information security platform Information Security Programs maintain advanced cyber security maintain the control and strength of your firm’s cyber security manage security programs success Managing information security prioritize security functions professional information security Progressive Data Security Solutions Proposing solutions to cyber threats reliable cyber security platform reliable information security dashboard responsibilities of a CISO risk assessment software stay ahead of potential cyber threats strengthening your company’s security measures strength of your company’s information security strong information security programs vCISO Visualization of Information Security Risk Management Visualize Information Security Risks visual representation of security risk in an organization