
With board members increasingly being held liable for security breaches under APRA, their interest in cybersecurity is, understandably, growing.

As the CIO, you represent the conduit through which most board members receive insights into their organisations’ cyber resilience. Yet, despite the potential weight of this responsibility, there is a right way and a wrong way to report on cybersecurity and related topics to your board.

Understanding what board members need to hear from you to make risk-aware decisions can help you to more effectively protect your company.

The Essential Eight: Your role as an educator

Apart from their growing responsibility for cyberattacks and data breaches, many board members aren’t educated on cybersecurity—let alone on the implications of their actions (or inactions). Educating the board and the rest of the C-level suite on cybersecurity best practices is one of the key responsibilities of the CIO—and the Essential Eight (E8) framework represents a good place to start.

E8 is a series of eight cybersecurity mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to harden systems and make them less vulnerable to attack. Not only is the framework generally easy to understand, but organisational compliance with it is also easy to measure using E8 assessments.

That said, while educating board members on the E8 framework increases their cybersecurity fluency, it’s important to note that—much like the ‘Pirate Code’ in the Pirates of the Caribbean movies—it’s really more of a set of guidelines than it is a true code. With the exception of government non-corporate entities, E8 compliance isn’t mandated for organisations, but still provides a useful measure of maturity and a good baseline for cybersecurity conversations.

CIO reporting: what not to do 

Now, before we cover what should be in your board report, let’s rule out a few items that should not be included.

For example, you can leave off excessive operational detail. While data points like the number of service desk calls your department resolved should be reported at an IT level, this information holds limited value for board members.

Similarly, you should try to avoid what Peter Kenny, Head of Governance and Compliance at Canon Business Services ANZ (CBS), calls the firehose of vulnerabilities: that is, presenting board members with a list of every single risk factor you’ve identified.

“You're sitting there as a board, and you see this table of vulnerabilities. What does that mean to you as a board member? It means nothing; it's just white noise,” he explains. “How can you, as a board member, make some sort of informed decision on either the approach or accepting the risk and letting that vulnerability run? It is counterproductive in the extreme, and it actually poses a real risk to the enterprise going forward.”

Context is important as well. Kenny recalls an instance where he reviewed a CIO’s board report that included a table listing 15 vulnerabilities—eight of which had been remediated that month. “That’s good, but of the seven you haven’t remediated, how critical are they? That’s the type of insight that a CIO needs to assist the board in establishing,” he says.


Preparing a board report on cybersecurity

So what should you include instead? While there’s no simple formula for what should go into a board report on cybersecurity, there are a few guidelines you’ll want to keep in mind.

Think about who you’re reporting to

Are you reporting to the board directly, or are you reporting to a cybersecurity committee on the board? While having a cybersecurity committee—especially one linked to an audit committee—is ideal, knowing to whom you’re reporting should inform your understanding of their cybersecurity knowledge (and, consequently, what your report should include).

If a cybersecurity committee exists, they’ll likely take inputs from audits and the business, review these findings, and then present their insights in a high-level, risk-managed statement back to the board. Board members would then be empowered to assimilate the committee’s recommendations, make decisions, and then provide guidance regarding the actions that are in the best interest of their shareholders.

However, although cybersecurity committees are gaining momentum, they aren’t yet the norm. Where they don’t yet exist, your reporting will likely go directly to the board and should take their level of expertise into account.

Keep your report high level

Those sitting on a board, whether they’re part of a cybersecurity committee or not, need to see high-level, key information such as trends, costs, and risk statements in order to make informed decisions.

As an example, Kenny shares, “You might present something like, ‘Over time, the trends are X. What this means is that either a) resourcing needs to be adjusted, or b) processes, tools, and even automation may need to be introduced to take care of these emerging trends. Failure to do so will result in X’.” Doing so provides board members with both the detail and context they need to act strategically in the organisation’s best interest.

Draw on your team

If you’re struggling to translate technical information into the ‘business speak’ boards require, look to others on your team for assistance.

Generally speaking, CIOs shouldn’t be operating in isolation. Instead, there needs to be an ongoing dialogue amongst all members of the C-level leadership team to align on business priorities, as well as an understanding of how tools and technology support them in a secure manner.

Maintaining open channels of communication

Ultimately, communication between the CIO and board (or its cybersecurity committee) needs to be a two-way street.

“It really needs to be a partnership type of arrangement,” Kenny concludes. “If the board is not getting enough information or not getting the right type of information, then they have the absolute right to feed back down to the CIO. The CIO, by the same token, also has the absolute right to question the board and to say, ‘Is this what you're looking for? Is this appropriate, is it pitched at the right level, and do you have enough information to make risk-aware decisions?’”

Partners like CBS can also help facilitate cybersecurity communications through tools like Essential 8 assessments and the creation of custom dashboards that can surface the high-level information boards are looking for.

For more information—or for customised guidance based on your board’s unique needs—reach out to the expert team at CBS for a personalised consultation.
