CISO Strategy

CISOs and Board Reporting – an Ongoing Problem

Boards often complain they receive overly-technical reports from management teams that fail to put governance in business and financial terms.


For CISOs to gain the support of the board, they must first translate highly technical cybersecurity concerns and their proposed solutions into language that less technical businesspeople can understand. The quality of that reporting largely determines how much support the board gives and, in turn, how well enterprise cybersecurity actually gets implemented.

CyberSaint, a risk management company, has talked to CISO members of the Advanced Cyber Security Center (ACSC) about this problem. The purpose was to uncover the challenges, opportunities, and effectiveness of risk reporting in large enterprises.

The primary challenges for CISOs are threefold: the technical complexity of the issues, which non-technical businesspeople struggle to follow; the lack of any standard reporting metrics, which makes it hard to compare performance across business units within an organization or against industry peers; and the time, expertise, and cost of reporting, which drives many CISOs back to simple spreadsheets.

Business leaders, for their part, most want to understand three things: how strategic risk is being managed; whether the organization is aligned with its compliance requirements; and how cybersecurity purchases affect the threats at the top of their minds (such as ransomware).

Most of the CISOs believe their boards want better reporting on these and other subjects, and almost 60% say they are trying to improve their methods. But boards still complain they receive “overly-technical reports from management teams that fail to put governance in business and financial terms”.

Six ‘best practices’ emerge from the discussions with CISOs:

Tailor reports to the audience. “Boards and executive leadership typically require high-level overviews and key performance indicators, without diving deep into technical details,” says the report (PDF).


Focus on business outcomes. Reporting should focus on business outcomes, such as revenue, reputation, and customer trust. This should compare the outcome of doing nothing with the outcome of taking specific countermeasures.

Provide actionable information. This is related to the previous recommendation. “Actionable guidance should include effectiveness of current controls, emerging risks, and the potential impact of cyber threats in dollars,” says the report. That is, potential investments versus potential losses.

Use a standardized reporting framework. A standard format helps consistency and comparability across departments and stakeholders, and reduces the time and effort needed to prepare the reports.

Include risk scenarios. The ‘what-if’ illustration of potential threats and their potential impact helps businesspeople to contextualize the relative need for investment in specific mitigations.

Report regularly. Reporting should be done on a regular schedule so that the board and executive leadership have accurate and timely information on the organization’s security posture. Notably, almost 80% of the CISOs reported that their own frequency of reporting has increased over the past three to five years.

SecurityWeek talked to Padraic O’Reilly, co-founder and CPO at CyberSaint, for his take on the major takeaways from the report. “Things are slowly improving,” he said, “but historically there has always been a disconnect between cybersecurity and the board. CISOs still fall back on the technical. They can’t help themselves — that’s the world they live in. For their part, the board hasn’t been able to translate this technical jargon into the financial profit and loss world they inhabit.”

What has changed is that both sides have been forced to recognize they are ‘on the hook’ for cybersecurity. Under the SEC’s 2023 cybersecurity disclosure rules, US public companies must disclose a material cybersecurity incident within four business days of determining that it is material (the clock starts at the materiality determination, not at discovery), and must describe in their annual report how the board oversees cybersecurity risk. From the security side, the prosecution of Uber’s then CISO Joe Sullivan, convicted in 2022 of obstructing an FTC investigation and of misprision of felony for concealing a 2016 breach, demonstrates that CISOs also carry personal legal liability for their actions. Such personal liability is only expected to increase over the next few years.

The problem remains: how can CISOs and boards bridge the lingering disconnect? Accurate and meaningful reporting is a major part of the answer. Part of the solution, said O’Reilly, is the current push by CISOs to automate as much as possible. “It’s one of the shameful secrets of cyber,” he said: “the data is often too old to have any real value at the level of risk assessment.” Automating areas such as configuration checks on a daily basis means the CISO always has current data to report, and a report built on stale evidence should say so rather than present old passes as today’s posture.

This approach can be extended by developing or buying a dashboard system. Ideally, key points would be displayed at the upper levels, with the ability to drill down into greater granularity wherever and whenever required.

A dashboard would directly support three of the six ‘best practices’: it imposes a standardized reporting framework on all reporting; it allows more frequent and regular reporting from up-to-date data; and ‘what-if’ risk scenarios can be built into the same views.
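As an added illustration of the two points above (this is not code from CyberSaint, the report, or the article): a roll-up that produces a board-level KPI per business unit while separately surfacing how much of the evidence is stale, alongside a drill-down into the failing controls behind each KPI. The control names, business units, timestamps and 24-hour freshness window are all constructed for the example, and `naive_pass_rate` shows the number a board would see if check age were simply ignored.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reference time and freshness window. Checks run daily, so any result older
# than 24 hours is treated as unknown rather than as a pass. (Constructed.)
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(hours=24)


@dataclass(frozen=True)
class CheckResult:
    control_id: str       # hypothetical control names, not from the report
    business_unit: str    # hypothetical business units
    passed: bool
    checked_at: datetime  # when the automated check last ran


# Constructed sample output of an automated configuration-check job.
# The Payments backup check has not run for 40 days: that is the
# "data too old to have any real value" case O'Reilly describes.
RESULTS = [
    CheckResult("MFA-ADMIN", "Retail", True, NOW - timedelta(hours=2)),
    CheckResult("MFA-ADMIN", "Payments", False, NOW - timedelta(hours=3)),
    CheckResult("BACKUP-IMMUTABLE", "Retail", True, NOW - timedelta(hours=5)),
    CheckResult("BACKUP-IMMUTABLE", "Payments", True, NOW - timedelta(days=40)),
    CheckResult("EDR-COVERAGE", "Retail", False, NOW - timedelta(hours=1)),
    CheckResult("EDR-COVERAGE", "Payments", True, NOW - timedelta(hours=1)),
]


def status(result, now=NOW, max_age=MAX_AGE):
    """Classify one check as 'pass', 'fail' or 'stale'. Staleness wins: an old
    pass says nothing about today's posture and must not be counted as one."""
    if now - result.checked_at > max_age:
        return "stale"
    return "pass" if result.passed else "fail"


def rollup(results, now=NOW, max_age=MAX_AGE):
    """Board-level view: per business unit, counts by status and a pass rate
    computed over fresh checks only. Stale checks are reported as a separate
    number so the board can see how much of the picture is actually current."""
    units = {}
    for r in results:
        u = units.setdefault(r.business_unit, {"pass": 0, "fail": 0, "stale": 0})
        u[status(r, now, max_age)] += 1
    for u in units.values():
        assessed = u["pass"] + u["fail"]
        u["pass_rate"] = round(u["pass"] / assessed, 2) if assessed else None
    return units


def naive_pass_rate(results, business_unit):
    """The anti-pattern: ignore check age and count every recorded pass."""
    unit = [r for r in results if r.business_unit == business_unit]
    return round(sum(r.passed for r in unit) / len(unit), 2)


def drill_down(results, business_unit, now=NOW, max_age=MAX_AGE):
    """Operational view behind one KPI: the controls that are failing or
    whose evidence is stale, sorted by control ID."""
    return sorted(
        (r.control_id, status(r, now, max_age))
        for r in results
        if r.business_unit == business_unit and status(r, now, max_age) != "pass"
    )


if __name__ == "__main__":
    for unit, kpi in rollup(RESULTS).items():
        print(f"{unit}: pass rate {kpi['pass_rate']} "
              f"({kpi['pass']} pass, {kpi['fail']} fail, {kpi['stale']} stale)")
        for control, why in drill_down(RESULTS, unit):
            print(f"  {control}: {why}")
    print("Payments, ignoring check age:", naive_pass_rate(RESULTS, "Payments"))
```

On the constructed data, Payments shows a 67% pass rate if check age is ignored but 50% over fresh evidence, with one stale control flagged; that gap is the difference between a dashboard that tells the board what is true today and one that repeats last quarter's spreadsheet.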

But it is still only part of the reporting problem. It provides data on the company’s current security posture, but it doesn’t automatically assist in future planning for solutions to newly emerging threats.

Clearly, there is much that CISOs can do to improve the quality of their board reporting, but just as clearly, it remains a serious problem.

Related: SecurityWeek’s CISO Conversations Series

Related: CISOs and the Quest for Cybersecurity Metrics Fit for Business

Related: CISOs Risk Getting Fired Over Poor Reporting

Related: Prepare for What You Wish For: More CISOs on Boards

Related: The End of “Groundhog Day” for the Security in the Boardroom Discussion?

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
