{"id":1091,"date":"2021-02-04T10:42:00","date_gmt":"2021-02-04T02:42:00","guid":{"rendered":"https:\/\/www.praxonomy.com\/blog\/?p=1091"},"modified":"2021-03-24T14:40:59","modified_gmt":"2021-03-24T06:40:59","slug":"how-to-create-cybersecurity-reports-for-boards","status":"publish","type":"post","link":"https:\/\/www.praxonomy.com\/blog\/how-to-create-cybersecurity-reports-for-boards\/","title":{"rendered":"How to Create Cybersecurity Reports for Boards"},"content":{"rendered":"\n<p>Cybersecurity has become a top priority for many boards. As a result, cybersecurity reports have become increasingly important \u2014 and relevant \u2014 to them. They give the board a good understanding of the security posture of the organisation.<\/p>\n\n\n\n<p>Effective cybersecurity reporting requires that information be presented clearly and succinctly so that priorities can be identified, issues can be addressed, and decisions can be made in accordance with the organisation\u2019s strategic goals and risk appetite.<\/p>\n\n\n\n<p>One can appreciate this in theory, but it\u2019s much more difficult to execute: there are no hard and fast rules around this kind of reporting.<\/p>\n\n\n\n<p>There are challenges associated with designing cybersecurity reports for boards. We tackle two of them below.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>CHALLENGES WHEN DESIGNING CYBERSECURITY BOARD REPORTS<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1.) Cybersecurity reports and dashboards contain too much technical information.<\/strong><\/h3>\n\n\n\n<p>There is a tendency to do a deep dive into technical specifics in the belief that this will be valuable for board understanding. But that\u2019s not always the case.<\/p>\n\n\n\n<p>Inundating the board with technical information (or using jargon) can lead to confusion or impatience. 
This may fail to give the board an accurate and insightful view of what the organisation has to confront from a security perspective.<\/p>\n\n\n\n<p>A pragmatic approach would be to review the reports to see whether the board can get a picture of how secure the organisation is \u2014 without having to resort to supplemental research or consult with those who have technical expertise to get a comfortable understanding of what\u2019s being conveyed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2.) The identification of key performance indicators (KPIs) that are relevant to the board is not always a straightforward process.<\/strong><\/h3>\n\n\n\n<p>IT or security executives track many KPIs on a daily basis. But not all of these need to be presented to the board. KPIs that are suitable for sharing with the board are typically those that have an impact on the board\u2019s strategic agenda. This requires thoughtful consideration and discernment. It is important to focus on the big picture and not get lost in the weeds.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>STANDARD KPIs AND CYBERSECURITY METRICS TO TRACK<\/strong><\/h2>\n\n\n\n<p>There is neither a definitive template nor a singular approach towards determining which metrics to include in a cybersecurity report. A large part of KPI reporting revolves around your organisation\u2019s needs, risk appetite and risk tolerance levels. 
It&#8217;s crucial to have a good grasp of these.<\/p>\n\n\n\n<p>While cybersecurity reporting does not employ a one-size-fits-all approach, some of the <a href=\"https:\/\/securityscorecard.com\/blog\/the-cisos-guide-to-reporting-cybersecurity-to-the-board\" target=\"_blank\" rel=\"noreferrer noopener\">most used KPIs<\/a> shared with boards of directors may include:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"602\" height=\"376\" src=\"https:\/\/www.praxonomy.com\/blog\/wp-content\/uploads\/2021\/01\/Cybersececurity-Reporting-Metrics.png\" alt=\"Cybersecurity Metrics for Board Reporting\" class=\"wp-image-1125\" srcset=\"https:\/\/www.praxonomy.com\/blog\/wp-content\/uploads\/2021\/01\/Cybersececurity-Reporting-Metrics.png 602w, https:\/\/www.praxonomy.com\/blog\/wp-content\/uploads\/2021\/01\/Cybersececurity-Reporting-Metrics-300x187.png 300w, https:\/\/www.praxonomy.com\/blog\/wp-content\/uploads\/2021\/01\/Cybersececurity-Reporting-Metrics-600x376.png 600w\" sizes=\"(max-width: 602px) 100vw, 602px\" \/><figcaption>Cybersecurity Metrics for Board Reporting<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>QUESTIONS YOU NEED TO ADDRESS WHEN REPORTING ON CYBERSECURITY<\/strong><\/h2>\n\n\n\n<p>As highlighted in the informative article linked to above, there are also a number of questions that your report or presentation should answer:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1. What is the organisation\u2019s cyber risk level?<\/strong><\/h3>\n\n\n\n<p>Consider your organisation\u2019s risk appetite <em>and<\/em> risk tolerance.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2. What are the organisation&#8217;s top risks?<\/strong><\/h3>\n\n\n\n<p>Determine where risk is concentrated and which risks require additional attention. Factor in their financial impact.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3. 
How is the organisation\u2019s risk posture trending? Is risk increasing or decreasing?<\/strong><\/h3>\n\n\n\n<p>Compare your cybersecurity performance to the organisation\u2019s risk appetite statements.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>4. Is the organisation\u2019s level of cybersecurity spending appropriate?<\/strong><\/h3>\n\n\n\n<p>Use data to effectively show the ROI on cybersecurity investments.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>5. What is the cyber risk associated with new business prospects?<\/strong><\/h3>\n\n\n\n<p>There are two factors to consider in this area: 1.) the need to vet all prospects to evaluate the cybersecurity risk they pose to your organisation and 2.) the need to inform the board of the processes you have in place for managing and monitoring this risk.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>CONCLUSION<\/strong><\/h2>\n\n\n\n<p>Management guru Peter Drucker once said: \u201cwhat gets measured, gets managed.\u201d This applies to cybersecurity metrics.<\/p>\n\n\n\n<p>But for the board to arrive at a solid understanding of the organisation\u2019s cybersecurity posture and manage it, information technology and security executives need to be cognisant of delivering data that\u2019s actionable, useful, and relevant.<\/p>\n\n\n\n<p>There\u2019s a need to edit and streamline information. \u201cThe more, the better\u201d does not always hold true in this matter.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity reporting for the board can be challenging. 
We discuss how to provide insightful cybersecurity metrics that the board can appreciate.<\/p>\n","protected":false},"author":2,"featured_media":1134,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[2],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Create Cybersecurity Reports for Boards - Praxonomy<\/title>\n<meta name=\"description\" content=\"Cybersecurity reporting can be challenging. We discuss how to design and create cybersecurity reports that the board can appreciate.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.praxonomy.com\/blog\/how-to-create-cybersecurity-reports-for-boards\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Create Cybersecurity Reports for Boards\" \/>\n<meta property=\"og:description\" content=\"Cybersecurity reporting can be challenging. 
We discuss how to design and create cybersecurity reports that the board can appreciate.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.praxonomy.com\/blog\/how-to-create-cybersecurity-reports-for-boards\/\" \/>\n<meta property=\"og:site_name\" content=\"The Boardlogic Blog | News, Updates, Industry Insights and Best Practices.\" \/>\n<meta property=\"article:published_time\" content=\"2021-02-04T02:42:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-03-24T06:40:59+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.praxonomy.com\/blog\/wp-content\/uploads\/2021\/01\/linkedin-how-to-create-cybersecurity-reports-for-boards.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2400\" \/>\n\t<meta property=\"og:image:height\" content=\"1254\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Carissa Duenas\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"How to Create Cybersecurity Reports for Boards\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.praxonomy.com\/blog\/wp-content\/uploads\/2021\/01\/linkedin-how-to-create-cybersecurity-reports-for-boards.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Carissa Duenas\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.praxonomy.com\/blog\/how-to-create-cybersecurity-reports-for-boards\/\",\"url\":\"https:\/\/www.praxonomy.com\/blog\/how-to-create-cybersecurity-reports-for-boards\/\",\"name\":\"How to Create Cybersecurity Reports for Boards - 
Praxonomy\",\"isPartOf\":{\"@id\":\"https:\/\/www.praxonomy.com\/blog\/#website\"},\"datePublished\":\"2021-02-04T02:42:00+00:00\",\"dateModified\":\"2021-03-24T06:40:59+00:00\",\"author\":{\"@id\":\"https:\/\/www.praxonomy.com\/blog\/#\/schema\/person\/c7f1e6afbb97d79f23850d7938b6d748\"},\"description\":\"Cybersecurity reporting can be challenging. We discuss how to design and create cybersecurity reports that the board can appreciate.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.praxonomy.com\/blog\/how-to-create-cybersecurity-reports-for-boards\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.praxonomy.com\/blog\/how-to-create-cybersecurity-reports-for-boards\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.praxonomy.com\/blog\/how-to-create-cybersecurity-reports-for-boards\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.praxonomy.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to Create Cybersecurity Reports for Boards\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.praxonomy.com\/blog\/#website\",\"url\":\"https:\/\/www.praxonomy.com\/blog\/\",\"name\":\"The Boardlogic Blog | News, Updates, Industry Insights and Best Practices.\",\"description\":\"The official blog for news, updates, industry insights and best practices from Boardlogic by Formidium \u2014 board meeting management software\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.praxonomy.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.praxonomy.com\/blog\/#\/schema\/person\/c7f1e6afbb97d79f23850d7938b6d748\",\"name\":\"Carissa 
Duenas\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.praxonomy.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.praxonomy.com\/blog\/wp-content\/uploads\/2020\/12\/carissa-dueanas-150x150.jpg\",\"contentUrl\":\"https:\/\/www.praxonomy.com\/blog\/wp-content\/uploads\/2020\/12\/carissa-dueanas-150x150.jpg\",\"caption\":\"Carissa Duenas\"},\"description\":\"Carissa is a marketing consultant and content contributor for Praxonomy. She began her management consulting career at Accenture and has since worked in a consultant capacity for leading organisations in the technology sector and communications space. She is a contributor to The Globe and Mail, Canada\u2019s leading national daily.\",\"url\":\"https:\/\/www.praxonomy.com\/blog\/author\/carissa\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to Create Cybersecurity Reports for Boards - Praxonomy","description":"Cybersecurity reporting can be challenging. We discuss how to design and create cybersecurity reports that the board can appreciate.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.praxonomy.com\/blog\/how-to-create-cybersecurity-reports-for-boards\/","og_locale":"en_GB","og_type":"article","og_title":"How to Create Cybersecurity Reports for Boards","og_description":"Cybersecurity reporting can be challenging. 
We discuss how to design and create cybersecurity reports that the board can appreciate.","og_url":"https:\/\/www.praxonomy.com\/blog\/how-to-create-cybersecurity-reports-for-boards\/","og_site_name":"The Boardlogic Blog | News, Updates, Industry Insights and Best Practices.","article_published_time":"2021-02-04T02:42:00+00:00","article_modified_time":"2021-03-24T06:40:59+00:00","og_image":[{"width":2400,"height":1254,"url":"https:\/\/www.praxonomy.com\/blog\/wp-content\/uploads\/2021\/01\/linkedin-how-to-create-cybersecurity-reports-for-boards.jpg","type":"image\/jpeg"}],"author":"Carissa Duenas","twitter_card":"summary_large_image","twitter_title":"How to Create Cybersecurity Reports for Boards","twitter_image":"https:\/\/www.praxonomy.com\/blog\/wp-content\/uploads\/2021\/01\/linkedin-how-to-create-cybersecurity-reports-for-boards.jpg","twitter_misc":{"Written by":"Carissa Duenas","Estimated reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.praxonomy.com\/blog\/how-to-create-cybersecurity-reports-for-boards\/","url":"https:\/\/www.praxonomy.com\/blog\/how-to-create-cybersecurity-reports-for-boards\/","name":"How to Create Cybersecurity Reports for Boards - Praxonomy","isPartOf":{"@id":"https:\/\/www.praxonomy.com\/blog\/#website"},"datePublished":"2021-02-04T02:42:00+00:00","dateModified":"2021-03-24T06:40:59+00:00","author":{"@id":"https:\/\/www.praxonomy.com\/blog\/#\/schema\/person\/c7f1e6afbb97d79f23850d7938b6d748"},"description":"Cybersecurity reporting can be challenging. 
We discuss how to design and create cybersecurity reports that the board can appreciate.","breadcrumb":{"@id":"https:\/\/www.praxonomy.com\/blog\/how-to-create-cybersecurity-reports-for-boards\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.praxonomy.com\/blog\/how-to-create-cybersecurity-reports-for-boards\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.praxonomy.com\/blog\/how-to-create-cybersecurity-reports-for-boards\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.praxonomy.com\/blog\/"},{"@type":"ListItem","position":2,"name":"How to Create Cybersecurity Reports for Boards"}]},{"@type":"WebSite","@id":"https:\/\/www.praxonomy.com\/blog\/#website","url":"https:\/\/www.praxonomy.com\/blog\/","name":"The Boardlogic Blog | News, Updates, Industry Insights and Best Practices.","description":"The official blog for news, updates, industry insights and best practices from Boardlogic by Formidium \u2014 board meeting management software","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.praxonomy.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-GB"},{"@type":"Person","@id":"https:\/\/www.praxonomy.com\/blog\/#\/schema\/person\/c7f1e6afbb97d79f23850d7938b6d748","name":"Carissa Duenas","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.praxonomy.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/www.praxonomy.com\/blog\/wp-content\/uploads\/2020\/12\/carissa-dueanas-150x150.jpg","contentUrl":"https:\/\/www.praxonomy.com\/blog\/wp-content\/uploads\/2020\/12\/carissa-dueanas-150x150.jpg","caption":"Carissa Duenas"},"description":"Carissa is a marketing consultant and content contributor for Praxonomy. 
She began her management consulting career at Accenture and has since worked in a consultant capacity for leading organisations in the technology sector and communications space. She is a contributor to The Globe and Mail, Canada\u2019s leading national daily.","url":"https:\/\/www.praxonomy.com\/blog\/author\/carissa\/"}]}},"modified_by":"Carissa Duenas","_links":{"self":[{"href":"https:\/\/www.praxonomy.com\/blog\/wp-json\/wp\/v2\/posts\/1091"}],"collection":[{"href":"https:\/\/www.praxonomy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.praxonomy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.praxonomy.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.praxonomy.com\/blog\/wp-json\/wp\/v2\/comments?post=1091"}],"version-history":[{"count":29,"href":"https:\/\/www.praxonomy.com\/blog\/wp-json\/wp\/v2\/posts\/1091\/revisions"}],"predecessor-version":[{"id":1142,"href":"https:\/\/www.praxonomy.com\/blog\/wp-json\/wp\/v2\/posts\/1091\/revisions\/1142"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.praxonomy.com\/blog\/wp-json\/wp\/v2\/media\/1134"}],"wp:attachment":[{"href":"https:\/\/www.praxonomy.com\/blog\/wp-json\/wp\/v2\/media?parent=1091"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.praxonomy.com\/blog\/wp-json\/wp\/v2\/categories?post=1091"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.praxonomy.com\/blog\/wp-json\/wp\/v2\/tags?post=1091"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}