The Cybersecurity Governance Handshake between the Board and Management
At the heart of effective cybersecurity governance lies the quality of interaction between the Board and executive management. The ‘handshake’ - when cybersecurity is formally presented to the Board - is a pivotal moment. It not only shapes the Board’s understanding of cyber risk but also influences how management prioritizes and allocates resources in response.
Therefore, the intended audience includes Board members, executives, and security professionals—stakeholders who share a common interest in aligning governance, risk, and operational insight on cybersecurity.

Report preview
Cybersecurity remains one of the most critical risks faced by organisations in the 21st century. This report provides a structured, practical guide for enhancing Cybersecurity Board Reporting, drawn from in-depth interviews, collected data, director insights, and a review of sanitised Board reports. The objective was clear: to strengthen reporting practices and enable more meaningful, informed dialogue between Boards and executive teams. Ultimately, this work is intended to support Board members in fulfilling their duty of care with greater confidence and clarity in the face of evolving cyber risk.
Chapter 3
Chapter 3 focuses on Cybersecurity Board-level Governance and highlights the importance of effective governance practices. The chapter is structured into three core sections.
Cybersecurity in the Board: This section discusses how cybersecurity is addressed at the Board level. It reveals that 70% of Boards discuss cybersecurity during Board meetings, with quarterly discussions being the most common. The duration of these discussions varies, with 15 minutes being the most common. CIOs and CISOs are the most likely presenters at the Board, with both involved in approximately half of the organisations surveyed.
Graph 1: Cybersecurity Discussed at the Full Board
Cybersecurity in Board Committees: This section explores the role of committees (e.g., Audit, Risk, Technology) in supporting cybersecurity oversight. It highlights that 83% of respondents confirmed that cybersecurity is discussed within the Audit and/or Risk Committee. Quarterly committee meetings are the most common format for cybersecurity oversight, with discussions typically lasting between 30 minutes.
Who is the most likely person presenting at the Board Committees?
Additional Board-level Governance Aspects: This section examines structural, procedural, and cultural aspects that contribute to effective cybersecurity governance. It includes insights on Board organisation and dynamics, Board responsibility, Board experience and education, use of external advisors and Board decision-making. Key findings include that 69% of Boards report full member engagement, and 31% of Boards lack cybersecurity expertise. Furthermore, Directors rate the statement 'I have the appropriate information to assess the Company's Cyber Risk' with an average of 6.5 out of 10.
Graph 2: I Have the Appropriate Information to Assess Company's Cyber Risk so I Can Take Informed Decisions
The chapter concludes with practical recommendations for Boards aiming to strengthen their Board-level governance of cybersecurity, such as making cybersecurity a standing agenda item, aligning frequency and depth with risk exposure, and ensuring Board members understand their responsibilities regarding cybersecurity.
Chapter 4
Chapter 4 focuses on the content of Cybersecurity Board Reports. It emphasizes the importance of providing Directors with clear and comprehensive information, so that Directors can fulfil their oversight roles. The executive cybersecurity report is the main source of cybersecurity information for Boards, highlighting that 61% of respondents receive dedicated Cybersecurity Board Reports.
What is the level of detail of these cybersecurity Board Reports?
Based on the work performed and the information received, common areas for effective cybersecurity reporting are identified:
Risk: Encompasses all aspects of cyber risk relevant to the business. It includes risk scenarios, critical functions, and risk quantification.
Cyber Governance: Relates to the systems, structures, and capabilities in place to manage those risks within the organisation. This includes frameworks, standards, budget, and audit results.
Cybersecurity Strategy: Ensures the Board has visibility of the organisation’s strategic approach to cybersecurity and resilience. It covers the overarching strategy, roadmap, risk appetite, and strategic initiatives.
Status: Provides the Board with a view of the current level of cyber capability and performance. This includes maturity assessments, KPIs/KRIs, benchmarks, incidents, and compliance.

Finally, this chapter includes insights from the review of 37 sanitised Cybersecurity Board Reports, highlighting significant diversity in reporting styles, content, and focus. It emphasizes the need for a structured reporting framework to enhance clarity and consistency. The chapter concludes with practical recommendations for enhancing Cybersecurity Board Reporting, as 34% of Directors did not assess their current Cybersecurity Board Reporting as ‘Solid’ or ‘Excellent’.
Chapter 5
Chapter 5 introduces the Cybersecurity Board Reporting Framework that aims to support Directors in making well-informed and prudent decisions by providing comprehensive and actionable information on cybersecurity risks. The chapter is divided into several sections:
Factors Influencing Cybersecurity Board Reporting: This section identifies key factors that influence the design and delivery of Cybersecurity Board Reporting, such as risk level, size and complexity, among others.
Criteria for Effective Reporting: The section outlines several criteria that define the quality and effectiveness of Cybersecurity Board Reporting, including coverage, veracity and explanatory power, among others.
Board Governance Proposals: This section addresses foundational questions for establishing sound governance for Cybersecurity Board Reporting, such as where cybersecurity is discussed, how often, how long, who presents the report, and what the scope of reporting is.
Cybersecurity Board Reporting Content Proposals: The section introduces six key content categories for Cybersecurity Board Reporting: context, risk, cyber governance, strategy, status, and outlook. Each category is detailed with examples and explanations.
What content should be integrated in Cybersecurity Board Reporting?
Different Report Types: The section discusses various types of cybersecurity reports and their appropriate content, emphasizing the need for tailored reporting based on the specific needs of the Board.
Possible Reporting Calendar: The section provides examples of structured reporting calendars, reflecting different configurations for quarterly and biennial cybersecurity discussions at the Committee and Board levels.
The chapter concludes with practical guidance on how the Cybersecurity Board Reporting Framework can be used to support a meaningful handshake between the Board and management, ensuring intentional and fit-for-purpose information exchange.
Graph 3: Cybersecurity Board Reporting Framework
In addition, the report includes an overview of the project participants as well as some final reflections.
The power of clear and business-focussed reporting
Enhancing Cybersecurity Board Reporting practices to facilitate a meaningful dialogue between Boards and executives, thereby helping Board members to be better equipped to fulfil their duty of care.