What happens when the cyber paper goes to the board

There is a particular agenda item that appears on most board calendars at least once a quarter. It usually has a title like "Cyber Security Update" or "Information Security Quarterly Report." It is delivered by the CISO, sometimes joined by the CIO. It is allocated thirty minutes. It almost always overruns by five.

I want to describe what typically happens in those thirty-five minutes, and then describe what happens when it goes well. The difference between the two is not technical knowledge. It is something else.

What usually happens

The CISO opens by referring the board to a paper that was issued in the board pack the week before. The paper is twelve pages long and was read carefully by perhaps two of the directors and skimmed by the others on the train that morning.

The opening slide is a heat map. Eighteen risk categories, rated on impact and likelihood, colour-coded green, amber and red. Most are amber. Two are red. The CISO talks the board through the reds. Both have action plans in train. Both are tracking to closure. The amber categories receive a paragraph each. The greens are not discussed.

The next slide is a maturity assessment. Sixteen control families against a recognised framework. Last quarter the organisation was at 3.2 on a five-point scale. This quarter it is at 3.3. The trajectory is positive. The target is 3.7 by year-end.

The next slide shows incident statistics. Phishing attempts blocked: 14,000. Malware detected and quarantined: 200. Major incidents: zero. The board nods at zero.

The final slide is a forward look. Three programmes are highlighted. A SIEM upgrade. A zero-trust pilot. A new vendor assessment process. The CISO asks for any questions.

The Chair invites questions. There is a pause. One director asks whether the SIEM project is on budget. The CISO confirms it is. Another director asks how the organisation compares with peers. The CISO says benchmarking is difficult but they believe the organisation is broadly in line. A third director, slightly more confidently, asks: "Is there anything keeping you awake at night?" The CISO smiles and says there is always plenty to be getting on with, but the team is well-resourced and the controls are working.

The Chair thanks the CISO. The CISO leaves the meeting. The board moves to the next agenda item, which is usually finance or strategy.

If you ask any board member, in private, what they understood from those thirty-five minutes, they will tell you they understood that things appear to be in hand, that the CISO seems competent, and that they will be told if anything changes. That is approximately what they were meant to understand. It is also approximately useless as an act of governance.

Why this happens

It happens because the format of the conversation has been designed, over many years, to make CISOs feel safe presenting and boards feel safe listening. Heat maps are designed to be glanceable. Maturity scores are designed to be improvable. Incident statistics are designed to be large enough to sound serious and well-controlled enough to sound reassuring.

None of this is the CISO's fault. They have learned, often the hard way, that boards punish complexity, reward visible progress, and respond badly to being told that something they thought was under control is in fact not under control. So the CISO presents what the board has implicitly asked them to present. A comfortable account of activity, with a few problems being responsibly worked on, and an absence of alarming surprises.

The board, in turn, has learned that the CISO is the person who handles this. They listen, they nod at the right moments, they ask the questions that signal engagement without requiring substantive technical comprehension, and they return to the topic they actually came to discuss, which is strategy or finance or executive succession.

Both sides perform their roles competently. The organisation's actual cyber risk posture is largely unaffected by the conversation.

What it looks like when it goes well

A board that has done the work, and by that I mean leadership work rather than technical work, runs this conversation completely differently.

The first thing that changes is the board pack. Before the meeting, the Chair or the audit committee chair will have asked the CISO not for a maturity scorecard but for a short briefing on three things. The two or three risks the CISO is most worried about right now. The decisions the CISO needs from the board in the next six months. The things the CISO is finding it difficult to say in the boardroom. This is not a standard CISO format. It is a leadership format, adapted for a specialist function.

When the CISO presents, the board does not start with questions about the SIEM project. They start with the second of those three items: what decisions do you need from us? Because that is the question the board exists to answer.

The CISO might say: we need to decide whether we are willing to take certain customer-facing services offline in the event of a ransomware attack, rather than pay. We have a draft position but it is the board's to set. We need to decide whether we are prepared to invest in twenty-four-hour security operations cover, or whether we accept the residual risk of nights and weekends being thinner. We need to decide whether we are prepared to terminate a particular long-standing supplier whose security posture we have lost confidence in, knowing the operational disruption that would cause.

These are not technical decisions. They are commercial, ethical and strategic decisions, brought to the board by someone with the relevant expertise to inform them. This is what good governance of cyber looks like.

The conversation then turns to the third item: what are you finding it difficult to say? This is the bit that requires the most board confidence to ask, because the honest answer is sometimes uncomfortable. The CISO might say: I am not confident our supplier-of-suppliers exposure is properly understood. I am concerned that the executive team is not taking the AI rollout seriously enough from a security perspective. I am worried that two of my key people are at risk of leaving, and we have no succession plan.

These are not items for a heat map. They are leadership signals, and they are exactly the things a board needs to hear and act on.

What changes in the room

When a board engages this way, three things change in the room.

The CISO behaves differently. They stop performing safety and start raising things they actually need raised. They feel professionally seen rather than tolerated. Over time, the quality of what they bring to the board improves significantly, because they are being asked better questions.

The board behaves differently. The director who used to ask "is the SIEM project on budget" now asks "what are the two or three things that would most increase our resilience that we are not currently doing because of cost or political difficulty?" The director who used to ask about peer benchmarking now asks "if this happened to us next month, what would we wish we had done six months ago?" These are leadership questions, and they are the right ones.

The Chair behaves differently. They stop treating the cyber update as an item to get through and start treating it as one of the small number of conversations on the agenda where genuinely consequential decisions are being shaped. They allocate it forty-five minutes instead of thirty. They schedule the cyber paper for the same meetings as the strategic agenda items, not at the end of the day after legal and finance.

The hardest part

The hardest part of making this shift is not learning new questions. It is unlearning the comfortable rhythm that boards and CISOs have collectively built up over years. The heat map, the maturity score, the polite questions, the smile, the nod. Both sides know how to do it. Neither side is genuinely served by it. But it is the path of least resistance, and most boards keep taking it.

It takes a deliberate decision, usually from the Chair, to change the format. To say to the CISO: I do not want the standard pack next quarter. I want the three risks you are most worried about, the decisions you need from us, and the things you are finding it difficult to say. And to say to the board: when the CISO presents, we are going to start with the second of those, not the first.

That single change in the format of the conversation will do more for the organisation's cyber posture than another five-point improvement in the maturity score will ever do.

Boards do not need to become technical to do this. They need to lead. The leadership is the work. The technical is what the CISO is for.

David Goodacre OBE FCIIS is the founder of AmEliz, an independent advisory practice supporting boards and executive teams on cyber, AI and resilience.
