
With board members increasingly being held liable for security breaches under APRA, their interest in cybersecurity is, understandably, growing.

As the CIO, you represent the conduit through which most board members receive insights into their organisations’ cyber resilience. Yet, despite the potential weight of this responsibility, there is a right way and a wrong way to report on cybersecurity and related topics to your board.

Understanding what board members need to hear from you to make risk-aware decisions can help you to more effectively protect your company.

The Essential Eight: Your role as an educator

Apart from their growing responsibility for cyberattacks and data breaches, many board members aren’t educated on cybersecurity—let alone on the implications of their actions (or inactions). Educating the board and the rest of the C-level suite on cybersecurity best practices is one of the key responsibilities of the CIO—and the Essential Eight (E8) framework represents a good place to start.

E8 is a series of eight cybersecurity mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to harden systems and make them less vulnerable to attack. Not only is the framework generally easy to understand, but it’s also easy to measure organisational compliance against using E8 assessments.

That said, while educating board members on the E8 framework increases their cybersecurity fluency, it’s important to note that—much like the ‘Pirate Code’ in the Pirates of the Caribbean movies—it’s really more of a set of guidelines than it is a true code. With the exception of government non-corporate entities, E8 compliance isn’t mandated for organisations, but still provides a useful measure of maturity and a good baseline for cybersecurity conversations.

CIO reporting: what not to do

Now, before we cover what should be in your board report, let’s rule out a few items that should not be included.

For example, you can leave off excessive operational detail. While data points like the number of service desk calls your department resolved should be reported at an IT level, this information holds limited value for board members.

Similarly, you should try to avoid what Peter Kenny, Head of Governance and Compliance at Canon Business Services ANZ (CBS), calls the ‘firehose of vulnerabilities’—that is, presenting board members with a list of every single risk factor you’ve identified.

“You're sitting there as a board, and you see this table of vulnerabilities. What does that mean to you as a board member? It means nothing; it's just white noise,” he explains. “How can you, as a board member, make some sort of informed decision on either the approach or accepting the risk and letting that vulnerability run? It is counterproductive in the extreme, and it actually poses a real risk to the enterprise going forward.”

Context is important as well. Kenny recalls an instance where he reviewed a CIO’s board report that included a table listing 15 vulnerabilities—eight of which had been remediated that month. “That’s good, but of the seven you haven’t remediated, how critical are they? That’s the type of insight that a CIO needs to assist the board in establishing,” he says.


Preparing a board report on cybersecurity

So what should you include instead? While there’s no simple formula for what should go into a board report on cybersecurity, there are a few guidelines you’ll want to keep in mind.

Think about who you’re reporting to

Are you reporting to the board directly, or are you reporting to a cybersecurity committee on the board? While having a cybersecurity committee—especially one linked to an audit committee—is ideal, knowing to whom you’re reporting should inform your understanding of their cybersecurity knowledge (and, consequently, what your report should include).

If a cybersecurity committee exists, they’ll likely take inputs from audits and the business, review these findings, and then present their insights in a high-level, risk-managed statement back to the board. Board members would then be empowered to assimilate the committee’s recommendations, make decisions, and then provide guidance regarding the actions that are in the best interest of their shareholders.

However, although cybersecurity committees are gaining momentum, they aren’t yet the norm. Where they don’t yet exist, your reporting will likely go directly to the board and should take their level of expertise into account.

Keep your report high level

Those sitting on a board—whether they’re part of a cybersecurity committee or not—really need to see high-level, key information such as trends, costings, and risk statements in order to make informed decisions.

As an example, Kenny shares, “You might present something like, ‘Over time, the trends are X. What this means is that either a) resourcing needs to be adjusted, or b) processes, tools, and even automation may need to be introduced to take care of these emerging trends. Failure to do so will result in X’.” Doing so provides board members with both the detail and context they need to act strategically in the organisation’s best interest.

Draw on your team

If you’re struggling to translate technical information into the ‘business speak’ boards require, look to others on your team for assistance.

Generally speaking, CIOs shouldn’t be operating in isolation. Instead, there needs to be an ongoing dialogue amongst all members of the C-level leadership team to align on business priorities, as well as an understanding of how tools and technology support them in a secure manner.

Maintaining open channels of communication

Ultimately, communication between the CIO and board (or its cybersecurity committee) needs to be a two-way street.

“It really needs to be a partnership type of arrangement,” Kenny concludes. “If the board is not getting enough information or not getting the right type of information, then they have the absolute right to feed back down to the CIO. The CIO, by the same token, also has the absolute right to question the board and to say, ‘Is this what you're looking for? Is this appropriate, is it pitched at the right level, and do you have enough information to make risk-aware decisions?’”

Partners like CBS can also help facilitate cybersecurity communications through tools like Essential 8 assessments and the creation of custom dashboards that can surface the high-level information boards are looking for.

For more information—or for customised guidance based on your board’s unique needs—reach out to the expert team at CBS for a personalised consultation.
