Two years ago, I wrote about the importance of board reporting and how to do it meaningfully. The fundamentals I outlined then—establishing metrics consensus, providing context with historical benchmarks, and avoiding technical jargon—remain essential. But the landscape has fundamentally shifted, and our approach to board communication must evolve with it.
The boards I work with today are asking different questions than they were asking in 2023. They want to know about AI governance. They're concerned about third-party AI risk. They're asking about SEC cyber disclosure compliance. And they expect real-time visibility, not quarterly snapshots.
The New Board Expectations
Several forces have converged to reshape what boards expect from their technology and security leaders:
AI Governance: Every board is grappling with AI. They want to understand how the organization is using AI, what guardrails are in place, and how we're managing the associated risks. This isn't just about ChatGPT—it's about AI embedded in vendor tools, AI in hiring systems, AI making credit decisions. Boards need visibility into the entire AI footprint.
SEC Cyber Disclosure Rules: The SEC's cybersecurity disclosure requirements, which took effect in December 2023, have fundamentally changed the game. Material incidents must now be disclosed within four business days. Annual reports must describe cybersecurity risk management, strategy, and governance. Boards are now personally accountable in ways they weren't before.
Regulatory Scrutiny: Beyond the SEC, regulators across industries are tightening requirements. Financial services firms face intensified examination of their cyber programs. Healthcare organizations navigate evolving HIPAA enforcement. Privacy regulations continue to proliferate globally. Boards need confidence that we're ahead of regulatory expectations, not scrambling to catch up.
Cyber Insurance: The cyber insurance market has matured significantly. Insurers are asking detailed questions about security controls, and they're adjusting premiums based on the answers. Boards want to understand how our security posture affects insurability and costs.
Modern Metrics: Beyond Traditional KPIs
The metrics I recommended two years ago—attack trends, vulnerability remediation, phishing results, incident management data—are still relevant. But they're no longer sufficient. Today's board reporting should also include:
AI Governance Metrics: Track the number of AI systems in use across the organization, categorized by risk level. Report on AI vendor assessments completed. Show progress on AI policy development and training. Monitor for model bias and performance drift in critical systems.
Third-Party AI Risk: How many of your vendors are now using AI in ways that affect your data? Most organizations don't know, and boards are starting to ask. Develop a methodology for assessing third-party AI risk and report on your coverage.
Disclosure Readiness: Can you determine the materiality of an incident within the SEC's timeframe? Do you have the processes in place to draft and file disclosures quickly? Track your incident response times with an eye toward disclosure requirements.
Regulatory Compliance Posture: Go beyond binary compliance. Show the board where you exceed requirements, where you meet them, and where gaps exist with remediation timelines.
Storytelling Over Data Dumps
I've seen too many board presentations that are essentially data dumps—slide after slide of charts and numbers with no narrative thread. This approach fails for several reasons.
Board members are busy. They're processing information from every function of the organization. If your presentation requires them to interpret data and draw conclusions, you've already lost them.
Instead, lead with the story. What is the security narrative this quarter? Are we improving? Are we facing new challenges? Is there a specific initiative that needs board support?
The data should support your narrative, not replace it. I use what I call the "headline test"—if a journalist were writing about my security program based on this presentation, what would the headline be? That headline should be clear to the board within the first minute.
Real-Time Dashboards vs. Periodic Reports
The periodic report isn't dead, but it's no longer sufficient on its own. Boards increasingly expect access to real-time or near-real-time visibility into security posture.
This doesn't mean building a complex dashboard that board members check daily—they won't. But it does mean having the capability to provide current-state information when asked. When a major vulnerability hits the news, the board shouldn't have to wait for the next quarterly meeting to understand your exposure.
I recommend a layered approach:
Always Available: A simple executive dashboard showing current risk posture, updated at least weekly. Give each board member their own access credentials. Most won't use it regularly, but having it available builds confidence.
Event-Driven Updates: When significant events occur—major vulnerabilities, industry breaches, regulatory changes—send a brief update within 24-48 hours explaining relevance to your organization and your response.
Periodic Deep Dives: Continue your quarterly or monthly comprehensive presentations, but position them as strategic discussions rather than status updates. The status is already available; the board meeting is for dialogue about direction.
Building Board Cyber Literacy
One of the most valuable things a technology leader can do is invest in the board's cyber literacy. This isn't about turning board members into security professionals—it's about giving them enough context to ask informed questions and make sound decisions.
Consider annual or semi-annual education sessions, separate from regular board meetings. Cover topics like the current threat landscape, regulatory changes, and emerging technologies. Bring in external perspectives when helpful—a threat intelligence briefing from a respected firm can be eye-opening.
When board members understand the fundamentals, they become better partners. They ask more relevant questions. They provide more useful guidance. And they're better equipped to represent the organization's security posture to shareholders and other stakeholders.
The SEC Disclosure Impact
I want to spend a moment specifically on the SEC cyber disclosure rules, because they've had a profound impact on board dynamics.
Previously, cyber incidents were largely handled as operational matters. The board might be informed, but disclosure was at management's discretion. Now, material incidents require public disclosure within four business days. The bar for what constitutes "material" is being defined through practice and enforcement.
This has several implications for board reporting:
Incident Classification: You need a clear, pre-agreed methodology for assessing incident materiality. The board should understand and endorse this methodology before an incident occurs.
Decision Speed: When an incident happens, you may need board input on disclosure within hours, not days. Establish communication protocols and decision trees in advance.
Annual Report Content: The required annual disclosure about cyber risk management, strategy, and governance means your board presentation content may become public. Write accordingly.
The Path Forward
Effective board reporting in 2025 and beyond requires more than updates to your slide deck. It requires a fundamental shift in how technology leaders think about their relationship with the board.
Move from periodic reporting to continuous communication. Move from data presentation to narrative storytelling. Move from reactive updates to proactive education. Move from operational status to strategic partnership.
The boards that will navigate the AI era, regulatory complexity, and evolving threat landscape successfully are those with technology leaders who communicate effectively, build trust through transparency, and treat the board as informed partners in managing risk.
The stakes are too high, and the landscape is changing too quickly, to approach board communication as an administrative task. It's a strategic imperative—one that deserves our best thinking and continuous improvement.