While cybersecurity reporting to boards of directors is now commonplace new data from IANS, Artico Search, and The CAP Group finds that just 25 percent of CISOs say board discussions on cyber risk extend beyond 30 minutes.
The study finds finds that 95 percent of CISOs deliver regular updates to their boards, signaling a mature reporting cadence. However, the depth of board engagement varies, mainly limited to ‘listening’ and ‘receiving,’ without digging deeper into threats and business impacts. As an example, while 82 percent of board directors consider CISOs’ reporting on regulatory trends to be satisfactory or excellent, only 47 percent of directors feel that way about CISOs’ ability to articulate the impact of evolving threats.
“Cybersecurity reporting to boards has matured structurally, with time allocated to CISOs becoming much more commonplace, but gaps still remain,” says Steve Martano, IANS Faculty and partner in Artico Search’s cyber practice. “The best security presentations drive holistic discussions on cyber risk and business risk. These discussions are driven by a CISO who forms a concise data-driven narrative and fosters discussion and brainstorming around risk tolerance, risk strategy, and cyber/tech risk ROI.”
From the board viewpoint nearly half or more also indicate that reporting on the impact of evolving threats (53 percent) and AI-driven risk (47 percent) needs improvement, signaling demand for more forward-looking insight. Only 30 percent of boards describe their relationship with the CISO as strong and collaborative.
“What we’re seeing is that while boards are consistently informed, many are still working to translate cyber reporting into strategic decision-making,” says Nick Kakolowski, senior director CISO research at IANS. “Directors want clearer insight into what’s coming next, particularly as AI reshapes both the threat landscape and enterprise risk.”
The full report is available from the IANS site.
Image credit: zurijeta/depositphotos.com
