Six Categories CISOs Should Address in the Board Report

When reporting on your InfoSec compliance program to the Board, the main goal is to ensure board members are aware of high-risk cybersecurity items and InfoSec has the appropriate budget to address them. To accomplish this, InfoSec should prepare a strong narrative, and any request should be backed by compelling evidence. AuditBoard’s new ebook, The InfoSec Survival Guide: Achieving Continuous Compliance, explores how organizations can best report on their compliance processes and gain support from the Board for critical areas. Download the full guide here, and continue reading below for six categories to address in your board report. 

Six Categories CISOs Should Address in the Board Report

While there are many ways a CISO can go about board reporting, applying a risk-based approach allows them to summarize InfoSec’s efforts and align them to critical areas of focus – enabling a higher level of communication in the boardroom. A risk-based approach enables the CISO to direct the board’s attention to high-risk areas, justify why InfoSec is not focusing on lower-risk areas, and provide a reasonable rationale for why things are being done the way they are. Board reports are typically a mix of emerging topics, relevant trends, and the failure/implication of KPIs. These are broken down in more detail below.

1. Emerging topics 

The goal of this portion of your report is to provide sufficient context — the “Why” — for any investment you are receiving or asking for. Use current events or trends from within your organization or your industry that will have an impact on the InfoSec program, either because they present new risks or threats, or because they present new requirements or expectations. Connect these emerging topics to organizational goals or objectives. Examples of emerging topics include: 

• Recent incidents and their business impact.
• Rise in supply chain security incidents across competitors, representing an emerging threat for the organization.
• Emerging regulatory pressures from the federal government or privacy regulators.
• A macroeconomic situation that increases the likelihood of insider threats.​

2. KPIs

Key performance indicators provide a snapshot of the effectiveness of your InfoSec efforts. Good KPIs are a measurement of the company’s own performance against key security metrics. KPI attributions by leader, department, or team demonstrate where executive attention is needed on corrective action. Examples of KPIs include: 

• Percent of compliance framework requirements met.
• Number of overdue action plans by team.
• Percent of systems meeting patch levels by team.​​​​​​

3. Financial Impacts

This section of your board report covers financial loss due to security incidents or regulatory fines. Financial impacts can be motivators for increased investment in compliance resources, such as integrated risk technology, analytics software, or outside expertise. 

4. Compliance revenue impacts  

Compliance revenue impacts cover the number of deals or revenue amount won or lost based on the company’s ability to meet InfoSec requirements. Compliance revenue impacts can be motivators for taking on new compliance goals, such as obtaining a new security certification. 

5. Issues/areas requiring board support

Coverage of issues in the InfoSec report to the board is a subset of KPIs. While audit management also reports on issues to the board, the board should be made aware of any InfoSec issues at a high level to help enforce issues remediation. 

6. Appendix

This is your opportunity to tie your metrics to revenue-generating impacts, connect KPIs to KRIs, and include any appropriate information required to gain board support for non-compliant events. This is also an opportunity to provide supporting materials that are often referenced when presenting the summary of the topics above. For example: if you are seeking board approval for FedRAMP compliance (which may be presented as an emerging topic), the appendix may contain a cost-benefit analysis of pursuing FedRAMP certification (authorization) that covers:

• Loss of existing revenue if not pursued vs. cost of certification.
• Increase in total addressable market if pursued vs. cost of certification.
• Cost of continued reporting.
• Timelines for implementation/remediation, certification, and renewal.

To learn more about building a risk-based InfoSec compliance program and other reporting best practices, download the full ebook, The InfoSec Survival Guide: Achieving Continuous Compliance.