">
Under attack? Call 1300 112 313
Client PortalInsightsContact
Home / Insights / Guide
Guide · 10 min

How to report cybersecurity to a board that doesn't speak security

Board members need to make risk decisions. They can't do that if every security update is a list of vulnerability counts and firewall logs. Here's how to bridge the gap.

What boards actually need

Board members are not security experts, and they shouldn't need to be. What they need is enough information to make informed risk decisions. That means: What's our current exposure? What are we doing about it? Is it working? What should we be worried about? What decisions do you need from us?

If your board report doesn't answer those five questions in the first page, the remaining twenty pages won't matter.

Structure that works

A good board security report has four sections:

  • Executive summary — one paragraph. Overall posture, key changes since last report, decisions needed.
  • Risk register update — the top 5 risks, their current status, and what's being done. Use a simple red/amber/green rating but be honest about what red means.
  • Programme progress — what's been completed, what's in progress, what's blocked. Tie this to the roadmap they approved.
  • Decisions required — specific asks. Budget approval, risk acceptance, policy sign-off. Don't bury these in a slide deck.

Metrics that matter

Most security metrics reported to boards are meaningless. "We blocked 3.2 million threats this quarter" sounds impressive but tells the board nothing useful about their risk position.

Better metrics:

  • Mean time to detect and respond — are we getting faster?
  • Overdue critical patches — how many, trending up or down?
  • MFA coverage — percentage of accounts with MFA enforced
  • Privileged access count — number of admin accounts, trending direction
  • Incident count and severity — actual security events, not blocked scans
  • Compliance gaps — number of open findings from last audit or review

Pick 4-6 metrics. Report them consistently. Show trends, not just snapshots.

Risk language, not tech language

Don't say "we have a critical CVE in our edge infrastructure." Say "there's a known vulnerability in our internet-facing systems that could allow an attacker to access our network. We're patching it this week — the risk is elevated until that's complete."

Every technical finding should be translatable to: what could happen, how likely is it, and what are we doing about it. If you can't translate it, it probably shouldn't be in the board report.

Frequency and format

Quarterly is the minimum. Monthly is better if you're going through a significant uplift or have recently had an incident. Keep it to 2-4 pages or 6-8 slides maximum. If the board wants to go deeper on a topic, schedule a separate deep-dive.

Send the report in advance. Don't read slides to the board — use the meeting time for questions, decisions and context that isn't in the document.

Common mistakes

  • Too technical — vulnerability counts, log volumes and tool names mean nothing to most board members
  • No decisions asked for — if you're not asking for something (budget, risk acceptance, direction), the report is just information, not governance
  • No trend data — a single snapshot tells you nothing. Show whether things are improving or getting worse
  • Burying bad news — if there's a significant risk, say so clearly. Boards respect honesty; they resent surprises
  • Too long — a 30-slide deck guarantees nobody reads it. Four pages with an appendix is enough
Need help with board reporting?

We help security leaders communicate risk clearly.

Tenodex can build your board reporting framework, create templates and coach your team on effective risk communication.

Book a Briefing