CISO board reporting toolkit
April 2024
👉 This document is “view” only. To customize the CISO board report, you can either download it as an offline file or make a copy of it in your Google Drive.
Index
Your template for reporting to the board on a monthly, quarterly, and yearly basis.
CISO board reporting toolkit 1
Cybersecurity annual planning & strategy meeting 1
Review the organization’s goals & security alignment 2
Review the focus areas from last year 2
Current benchmarking against competitors 4
Benchmarking risk against competitors 4
Example: Vulnerability management 8
Cybersecurity training update 8
Risks caused by our deficiencies 9
Risks to achieving business objectives 9
The potential impact of risks not being addressed 9
Keep the board happy with Hack The Box 10
CISO board reporting toolkit
Cybersecurity annual planning & strategy meeting
A CISO’s annual report should have three main priorities:
- Demonstrate how cybersecurity strategy aligns with the business goals and needs.
- Showcase the strategic value of cybersecurity investments, by comparing progress with previous years.
- Clearly outline the threat environment by highlighting the most pressing risks to the organization.
💡This template can also be adapted to monthly/quarterly board updates. Focusing on any progress made, new threats, risks, and updates.
Review the organization’s goals & security alignment
💡The key purpose of this section is to showcase security’s alignment with business goals. When in sync with high-impact objectives, security is more likely to be prioritized with budget and resources.
Business objective | Security alignment |
Move 60% of assets to the cloud | Developing a cloud-centric security strategy, upskilling in cloud security, and streamlining cloud onboarding |
Create an app for customers to place orders through | Work with developers to create a secure development lifecycle methodology, identify potential threats, and defend the attack surface |
Increase computing power and storage capacity | Vet and apply a cautious approach to outsourcing any tools or services to third-party providers |
Review the focus areas from last year
💡Demonstrate how security supported business goals from the previous year, and what the outcome was.
Business objective | Security alignment | Results |
Increase marketing-generated sales by 10% by implementing an inbound marketing strategy | Ensure all customer data is encrypted and stored on a secure server | We didn’t suffer any compromisation of customer data |
Annual cybersecurity KPIs
💡Your annual security KPIs should align with the business objectives previously identified. They are a trackable way of proving your support of the business.
KPI: Resolve X% of security incidents in X amount of time.
How: Review our incident response process and improve based on past reports.
Why: Minimize the impact of security incidents on company operations and reputation.
KPI: Improve patching cadence by X%.
How: Implement a patch management policy.
Why: Mitigate our risk of exposure to CVEs that threat actors can find weaknesses in.
Metrics comparison update
💡Metrics are numbers that cybersecurity teams should track on a daily, weekly, and monthly basis. These are key indicators of an organization’s overall security posture.
Metric | 2023 performance | 2024 performance | Industry benchmark |
Number of malware incidents blocked | |||
% of intrusions blocked by firewalls | |||
% of malicious emails filtered | |||
% of servers using multifactor authentication (MFA) | |||
% of security solutions deployed in the cloud or as SaaS | |||
The number of false positives and false negatives from security monitoring tools | |||
Mean-time-to-detect (MTTD) | |||
Mean-time-to-resolve (MTTR) | |||
Mean-time-to-contain (MTTC) | |||
The average length of system downtime during an incident | |||
Patching cadence |
It’s important to speak the board’s language, so the above metrics can be summarized into some key quantitative metrics that can be compared year-on-year:
- Are we compliant?
- Do we have any outstanding high-risk findings from our last audit or assessment?
- What percentage of the NIST/NICE/MITRE ATT&CK framework are we implementing?
- Number of intrusions detected
- Speed of detecting, investigating, and remediating threats
- How much we’ve spent on security
- The number of compromised systems
Current benchmarking against competitors
💡It’s easy to tell the board that your security strategy is doing well. But compared to what? If competitors perform the same with half the budget spent, the board may wonder what’s happening.
Security posture
- How many major incidents are they facing a year?
Security teams
- How large is their security team?
- What roles are they hiring for?
- Are they using upskilling platforms to keep teams sharp?
Benchmarking risk against competitors
Risk | Our likelihood | Likelihood (industry average) | Our financial impact | Financial impact (industry average) |
Phishing | 40% | 55% | $40,000 | $60,000 |
Compliance and regulations
💡Cover existing compliance activities and frameworks, alongside any updates to regulations.
Framework | % implemented | Action plan |
NIST | 50% | Identify high-priority gaps by conducting a risk assessment and remediating |
NICE | ||
MITRE ATT&CK |
🎯 How HTB can help: We map our Machines to NIST/NICE and MITRE ATT&CK frameworks, helping you to upskill employees in relevant areas of compliance.
New/existing regulation | What this means | What we’re doing |
|
| |
NIS2 Directive |
|
|
Changes to risk profile
💡Analyze your top risks, how they’ve changed, and what impact this will have on the business.
Risk | YoY trend | Mitigations | Risk management action plan |
Phishing | (Report on what has been done in the past year to address the risk. If new, address details on how this risk has been discovered) | (State the action plan for addressing the identified risk) | |
Poor patch management | |||
Insider threats | |||
Ransomware & malware |
Risk | Notable incidents | Changes made |
Phishing | (Review the top incidents faced by the company. Include details of how the incidents occurred and what was done to address the incident and recover) | (Review key changes that have been made to operations and processes, what is expected of the changes, and why these changes were made) |
Poor patch management | ||
Ransomware & malware |
Evolving threat environment
💡Highlight the current state of the threat environment in your industry and how this impacts the organization.
Macro threats | Industry threats | Our learnings |
|
|
|
Strategy update
💡This is where you can showcase your annual cybersecurity strategy, taking into account business objectives and the KPIs you’ve set.
Strategy | In production for Q1 | Will deploy in Q2 | Will deploy in Q3 |
Resolve X% of security incidents in X amount of time | (Key initiatives that will be deployed for each strategy throughout the year) |
By investing in our strategy, we’ll reduce our potential losses by X%, saving $X.
Operations update
💡An annual board report provides the opportunity to discuss security operations and showcase its impact on the business, justifying the extra investment.
Example: Vulnerability management
- Annual risk reduction: $
- Total risk reduction: $
- Annual project cost: $
- Total project cost: $
- Total ROI: %
Cybersecurity training update
💡Report on any security training initiatives and the impact they have on wider cybersecurity metrics.
Training | Metrics | Cost | Risk reduction |
Staff phishing email training | 80% of staff have had phishing awareness training | $500 | Reduced risk of phishing attack by 30% (saving $X) |
Capture The Flag (CTF) event | 70% completion rate in forensics | $1,500 | 20% improvement in completion rate YoY |
MITRE ATT&CK and NIST/NICE framework upskilling | 60% of security staff completed upskilling in NIST/NICE frameworks | $5,000 | 90% implementation of NIST/NICE frameworks, averaging $X saved |
Increased time spent upskilling security staff | 70% of upskilling program completed/certificates earned | $12,000 | 50% of decreased response time and improved recovery post-incident |
🎯 How HTB can help: Extensive reporting and skill progression benchmarking with HTB Enterprise Platform tracks engagement, content completed, tools utilized, techniques implemented, and difficulty.
Budget requirements
💡Now’s the time to tie everything together, and present the most important areas for investment, to reduce risk and support business objectives.
Risks caused by our deficiencies
Risk Describe the risk | Cause Outline what’s causing the risk | Result Describe what happens as a result | Impact Highlight the negative impact on the business | Budget Justify your budget request |
Poor patch management |
|
|
|
|
Risks to achieving business objectives
Business objective Outline the main business objectives | Security risk Highlight the security risk of achieving this objective | Security investment Request budget to support the objective & reduce risk |
Move 60% of assets to the cloud |
|
|
The potential impact of risks not being addressed
💡As a final call to action for the board, it’s important to hit home just how much of an impact these risks can have on the business by providing statistics and examples.
Case study:
A security breach led to a hotel chain losing 5.2 million records of guests due to threat actors abusing a third-party application.
This data breach presumably affected nearly 339 million hotel guests.
Since the company failed to comply with General Data Protection Regulation (GDPR) requirements, it had to pay a $22.6 million fine.
What caused it?
- Phishing emails gained access to the system.
- Poor data management with personal information being unencrypted.
- The lack of cybersecurity presence on the board led to oversight and a minimal security budget.
- Poor monitoring and incident response led to it taking two years for the hotel to be made aware of the breach.
How extra budget can prevent this from happening to us?
- Deploy endpoint protection solutions to add devices to protect the networks.
- Invest in our monitoring and incident response team, with real-time incident training.
Keep the board happy with Hack The Box
Looking for a performance platform that makes it easy to report to the board?
With HTB Enterprise Platform, you’ll get the following:
- Risk mitigation: Timely content offers training on the latest CVEs in real-world environments, reducing risk and exposure to these vulnerabilities.
- Employee retention: Cybersecurity teams that are offered upskilling opportunities are far more engaged and less likely to burn out. This keeps your high-performing talent on board.
- Performance benchmarking: Conduct CTFs and gap analysis to identify weaknesses in your security posture, and create a performance program based on your company goals.
- Workforce development: Align organizational goals to your cybersecurity KPIs with content categorization and report your success metrics to the board.
- Tailored training to industry standards: HTB content is mapped to MITRE ATT&CK and NIST NICE frameworks so you can assess your cyber preparedness in different areas. This demonstrates how training applies to real-life job needs.
- Boost organizational awareness: Human error is one of the leading causes of security breaches. HTB can assess cyber readiness and performance company-wide with effective practices like tabletop exercises (TTXs) or practical assessments designed for security staff and non-technical teams.
Improve your security posture, develop your cybersecurity team, align CISOs with the board, and retain employees in an industry that’s desperate for more talent.
Explore HTB Enterprise Platform
CISO board reporting toolkit