Webinar Recap: A Masterclass with Rinki Sethi on the Art of Cybersecurity Board Reporting
We were honored to have Rinki Sethi, VP & CISO of BILL and Onyxia Advisor, join our CEO and founder, Sivan Tehila, for a masterclass on an increasingly hot topic for CISOs: Cybersecurity Board Reporting.
During the masterclass, Rinki walked the audience through a sample board report template and provided unique insights, best practices, and real-world examples to elevate cybersecurity board presentations.
Here are just a few of the top tips and takeaways from the masterclass conversation.
Cybersecurity Board Reporting is an Art, Not a Science
When it comes to cybersecurity board reporting, there isn't a one-size-fits-all approach. Unlike presentations from established functions such as the CFO's or CMO's, cybersecurity reporting is a relatively new practice with less standardized structures.
CISO roles are also evolving, and many practitioners haven't had formal training on boardroom communication. Additionally, board members have varying levels of cybersecurity knowledge, requiring tailored presentations.
These factors all contribute to the nuanced and dynamic nature of cybersecurity board reporting.
Tailor Your Report to Your Audience
Consider what your board members already know about cybersecurity and what they are most interested in learning. During the masterclass, Rinki emphasized the importance of understanding your audience before crafting a board report. Key steps include:
One-on-one conversations: Discussing board members' concerns and what they're hearing about cybersecurity helps tailor the report's content.
Level setting: Gauge the board's overall cybersecurity knowledge to determine the appropriate level of detail in the report.
Agenda setting: Collaborate with the board to establish a clear agenda for cybersecurity reporting throughout the year.
By taking these steps, CISOs can ensure their reports are relevant and informative for the board.
Focus on the Story Your Program Data Tells
Use storytelling to make your report more engaging and memorable. Presenting the data in a narrative format makes it easier to convey your security team's efforts and the impact of their work. This can include highlighting successful security awareness campaigns, sharing anecdotes about incident response, or discussing future security initiatives.
Key performance indicators (KPIs) like vulnerability management metrics and incident response times can be presented, but it's essential to provide context and explanations. For instance, if there's a spike in vulnerabilities, it's important to highlight the reason, such as a recent security assessment or a change in the threat landscape.
Collecting the data doesn’t have to be tedious. A platform like Onyxia can automate the data extraction and presentation, giving security leaders more time to focus on the storytelling around the data.
Don’t Shy Away from Transparency
As Rinki shared in the masterclass: “I remember back in the day, if an incident didn't make it to executive attention, you're like, ‘I did a good job as a security practitioner.’ Those days have changed so much that we want to bring transparency, not just internally in the organization, but to some degree to the board level too, where it makes sense.”
High-profile cyberattacks have a significant impact on the global security landscape, making them a valuable tool for sparking important conversations within security teams and with boards of directors. By shedding light on notable breaches and incidents, explaining how your organization and industry were impacted, and sharing your security team’s preparedness for these kinds of events, you can increase confidence in the program you are driving. This can ultimately lead to elevated awareness among your organization’s key stakeholders, increased investment in future security measures, and a stronger alignment between the security team and the business.