The 5-Minute Board Brief: Explaining Cyber Risk to Non-Technical Directors

A non-executive director on the audit committee of a UK-listed industrial group asked me, over coffee earlier this year, what she was supposed to do with the cyber risk briefings she received. The slides were dense. The acronyms were unexplained. The narrative shifted between threat trends, vendor product names, and technical incident counts. By the end of each briefing, she said, she had no clearer sense of whether the company’s cyber risk position had improved, deteriorated, or stayed flat.

Her question was not unusual. It was, in fact, the question that almost every non-technical director asks privately about their cyber risk reporting.

The CISO who delivers a five-minute board brief that genuinely answers this question — did our cyber risk position get better or worse this quarter, and why — has done something rare and valuable. Most don’t, because they have been trained to brief technically. The fix is structural, not stylistic.

What boards actually need

A board’s role on cyber risk is not to manage the risk. It is to assure itself that the risk is being managed competently and proportionately, by people who understand it, with resources adequate to the threat. Everything in a board briefing should serve that assurance function.

That implies four questions, in this order:

  1. Has our risk position changed since we last spoke? Up, down, or flat — and why.
  2. What are we doing about the most material risks? The two or three risks that, if they materialised, would meaningfully damage the business.
  3. Where do we still have material exposure that we haven’t yet addressed? Honestly stated.
  4. What do you, the board, need to decide or know? The clear ask.

Almost every effective board briefing maps to these four questions. Almost every ineffective briefing answers different questions instead — usually “what activity has the security team been doing”, which is a management report, not a board paper.

The single chart that anchors the brief

The most effective opener I have seen in board briefings is a single page with a small number of named risks — typically five to eight — each rated on a simple scale, with the rating from the previous quarter shown alongside. Each risk is then marked as having moved up, moved down, or stayed flat since that quarter, so the direction of travel is visible at a glance.

The chart is not the briefing. It is the anchor that lets the rest of the briefing make sense.

The trap to avoid is the heat-map. Multi-axis red-amber-green grids look authoritative but obscure rather than clarify, because nobody on the board can tell from a green-amber transition whether the underlying risk has actually changed or whether the rating methodology was tweaked. A simple ordinal scale, applied consistently quarter on quarter, is more honest and more useful.

The risks themselves should sound like the business

Boards do not think in MITRE ATT&CK categories. They think in business consequences. A risk that reads “credential-based intrusion via Active Directory” will not connect. The same risk reframed as “an attacker gaining access to internal systems by stealing or guessing employee passwords, with potential impact on customer data and operations” connects immediately.

The translation is not condescension. It is the actual job. The board’s responsibility is to direct attention and resources toward the risks that matter most to the business. They cannot do that if the risk language is technical.

A useful test: read your top five named risks aloud to a friend who works in a different industry. If they cannot summarise back to you why each risk would matter to your business, the language has not done its job.

Honest exposure is more credible than a polished story

The most credible briefing I have seen this year was delivered by a CISO who, halfway through, paused and said: “We have one residual exposure that I am not satisfied with, and I want to flag it now rather than have you find out later.” She then named it, explained why it had not yet been remediated, what it would cost to fix, and what compensating controls were in place in the interim.

The board’s response was supportive. The board’s response in subsequent quarters, when she reported similar honesty, was funding.

The pattern that builds board confidence is not the absence of exposure. It is the presence of a CISO who knows, can articulate, and is actively managing the exposure that exists. Boards have correctly internalised that any organisation reporting “no significant cyber exposure” is either lying or unaware.

What the brief should never include

A board briefing should not include vendor product names, certification logos, MITRE technique IDs, or technical incident counts disconnected from impact. It should not include screenshots of dashboards. It should not include “headline statistics” from industry reports — boards have stopped finding “the average breach costs $4.45 million” useful, because the number is industry-aggregated and they cannot connect it to their own organisation.

It should include — clearly, briefly, and in plain English — what changed, what you are doing about it, what is still exposed, and what you need from them.

Five minutes is plenty.


Mellivor advises boards and executive committees on cyber risk reporting and governance, including risk taxonomies, KRI design, and TLPT-informed assurance. To discuss your board reporting framework, contact our advisory team.


Enterprise cybersecurity solutions across 22 technology partners and 12 security domains.

© 2026 Mellivor Cybersecurity Ltd. All rights reserved.

mellivorsecurity.com