Key Points
Cybersecurity has often been little more than an afterthought for board members, either a box ticking exercise for compliance, or to make sure all bases are covered after a newsworthy breach. If there’s little technical knowledge at board level, many were happy to throw money at the problem and leave it to the CTO, CISO or IT team to handle.
But times have changed. Threats are becoming more sophisticated as the attack surface and vendor ecosystems have expanded. And despite significant investment in cybersecurity, the frequency and severity of attacks has not decreased.
As a result, board members are taking more interest in cybersecurity. They want assurance and expect to see a return on their investment in security solutions. So, it’s never been more important to measure, manage and communicate your security program and controls to the board.
Your role as security leader
Whatever your job title, if you’re responsible for the cybersecurity of your organization, one of your main roles is to make sure the board understands the organization’s cyber risk. But to do this effectively, you need to be able to convey security risks in business terms and help the board understand how cybersecurity impacts the company directly.
But with no standard framework, it’s no surprise that many CISOs and CTOs create their own custom reports, tailored to their specific organization. This guide has been designed to help you understand what and how to report to a board in various scenarios. We’ll explain what the board is looking for, how to simplify the complexity, and how to choose the right cybersecurity frameworks and metrics.
Agree your ‘risk appetite’
Firstly, make sure the board accepts that there is always risk. Even the strongest cybersecurity posture is not free of risk. Before you know how much effort and resources you can invest, first you need to understand the board’s ‘risk appetite’ - what’s the worst that could happen if you get hacked? This is not the same for every organization and so the answer will shape how much you get to play with and set expectations.
Ask the board what worries them, since the answers will help you understand their priorities and perception of cybersecurity. They might not understand the risk, your vulnerabilities or what threats you face. If so, you’ll need to go back to basics and explain the threats themselves – such as phishing attacks which could result in malware that infects your data, or how an employee that fails data protection protocols could cause a data breach. Then explain how vulnerabilities are the gaps or weaknesses in your systems that make these threats possible.
Alternatively, they might be well aware of your vulnerabilities and the risks they pose, and have precise ideas about what their tolerance for security risk should be, given other strategic objectives. But be warned: execs and boards who don’t accept there is always a residual risk may not be the right organizations to work for!
Define the cyber risk
If the business has gone to the trouble of hiring a CISO or invest in a robust security program, it’s unlikely the board wants to reduce its tolerance to risk – there’s a big difference between addressing the OWASP Top 10 and accepting low or even ultra-low-level risk.
Ultra-low relates to high-security government institutions when you’re not willing to accept any risk posed by nation state-backed threat actors, zero day vulnerabilities, or where exploitation can result in physical harm – so it unlikely to be relevant to a business like yours.
But you do need to work with the board to understand what the right level of security looks like for your organization, and how much investment, effort and resource that will require. For example, your board may decide not to acquire a company because the security risk is too great. They could choose to control, mitigate and reduce the impact of a threat by investing in security tools and expertise. They can transfer the risk by taking out cyber insurance. Or they can accept the risk and potential impact of business interruption with a contingency budget.
Moving to operational
Many security leaders and CISOs rely on “maturity models” designed around functional areas to give an overview of the strengths and weaknesses of your cyber security. These structure the information in a way that gives both a snapshot of a particular point in time, and progress over time. However, even the National Cyber Security Centre (NCSC) admits there’s no one size fits all model, and advises you to make a custom framework or use a template – here are some useful examples:
- Gartner’s IT Score for Security and Risk Management
- NIST Cyber Security Framework
- CIS Critical Controls
- Forrester Infosec maturity assessment
These vary in depth and detail, but they have common themes, so choose one that suits your organization. Use the assessments to give yourself a score in each area. Use it as a living document that you can update as your understanding and needs change and the business evolves.
It can be useful to present to exec teams monthly with any changes or impacts, and then present a high-level version on a quarterly basis to the board.
All these templates suggest you assign scores and set targets upfront. For example, if you want to score a 4 across all functional areas, then you can present these to the board as red/amber/green. If you score a 0 or 1 it’s red, 2 or 3 it’s amber, and 4 or 5 is green. Plotting these across a dashboard will instantly show progress over time as well as a heat map of where any problems still lie.
Check your cyber hygiene
For businesses, cyber hygiene requires a two-pronged approach to address both technical and nontechnical issues. Technical issues center on security controls, or countermeasures that reduce risks. Nontechnical issues are the policies and procedures that guide how you manage your cyber security, including employee training and security awareness.
Maturity models can also help you structure and strengthen your cyber hygiene, but in terms of understanding what maturity level you’re at – this is where your tools can help you.
Traditional tools tell you how many vulnerabilities you have, but what’s important is whether the process is working. Are you fixing vulnerabilities on a regular cadence; are you fixing criticals within the specified SLA? It doesn’t matter if one came up yesterday if it’s going to be fixed in 24 hours. Don’t confuse your reporting to the board with state-of-play vs. state-of-process.
The overall numbers are meaningless: you can’t stop the tide, so don’t report on “how many vulnerabilities we have”; this is of no use to the board. Vulnerability management tools like Intruder will help you focus on what’s important to save you time and effort.
For example, what if you’ve got an old box sitting in the corner that can’t be upgraded and is a stain on your cyber hygiene? The right vulnerability management tool can help by uncovering and adding mitigation reasons to vulnerabilities like these, which you can present separately in your report. We’ve written a guide to help with vulnerability assessment reporting.
Break it down or consolidate?
Depending on the size of your business, you could break down your report into separate business units but it’s probably more useful for the board to see a consolidated view. Try giving each functional area an overall score and record why you’re scoring it that way, so you can see what needs to be addressed.
Give the board the right information so you don’t overwhelm them or leave them unsure about where to focus. They just need assurance that your security function works — not a complete digest of what the team is doing.
Two processes critical to this are the monitoring, alerting, and escalation of incidents (how your team knows that something has gone wrong, and how quickly the correct people know) and the response (what your security team does if there’s a breach).
However, you should also report any significant gaps, what’s the potential impact, whether to accept them, or if you need further resources to address them. Explain how your team scans for and assesses emerging risks, and what those risks might be.
Reassure them that they are addressed methodically and in good time, and that you practice good cyber hygiene. And if not, what resources you need to do so.
Keep it simple and on point
Different types of meeting require a different presentation style and set of metrics. If you’re meeting the board for the first time, the board will want to hear your assessment of the current state, what’s working, what needs to change, what your goals are, and what you need to get it done.
It’s key to show that you have command of the situation, and more importantly, a vision for the future. This is an opportunity to build rapport and trust. The success of everything else you might report to the board flows from this early investment in your time.
If you’re reviewing budgets, the board will want to see results related to business outcomes. In annual planning and strategy meetings, you’ll need to show you’re in sync with the needs of the business and its strategic priorities.
For example, if one of the goals is to have 50% of digital assets move to the cloud, you should present a plan to facilitate that by de-risking the process. In monthly or quarterly status updates, the board wants to hear what you’re prioritizing and why. Do you have the personnel and budget to execute on everything that needs to be done?
When vulnerabilities hit the headlines
When a vulnerability does hit the headlines, event-driven board meetings can be stressful, but if you’ve done your tabletop exercises, you should be ready. Be prepared to succinctly speak in non-technical language about what happened, what it means, and how it can be solved.
Don’t avoid the questions – your board should trust you. If you’re using a vulnerability scanner like Intruder, you can show that you’ve identified any vulnerabilities and emerging threats because it provides reports and guidance that’s easy to export, understand and action. Peace of mind is priceless, so when there is an issue, you can reply to the board that there’s no need to panic. Check out Intruder's reporting and analytics below.
Keep your reporting up-to-date
Threats and vulnerabilities change constantly. Either new threats emerge, new technologies pose new challenges, regulations change, or the company shifts to new operations.
No single, static report to the board can encompass all those things for long. Your report to the board therefore should always be a conversation as much as a structured report. The conversation should guide what that structure should be – not vice-versa. And the conversation should always start with the question:
“How well protected are we, and is that protection enough?”
Why not see how Intruder can be a core part of your cybersecurity program? It's powerful but designed for simplicity, with easy to understand and action reporting - ideal for your state-of-play reports to the board. Start your free trial today or get in touch for more information.