
Bridging the gap between CISOs and executives: 4 steps to transform cybersecurity board reporting
Boards are more engaged and invested in cybersecurity than ever before. Andy Piper, CISO of Investment and Markets at Barclays, gives us four steps to tackle board reporting effectively in 2025.
The challenges CISOs face
Reporting to the board is now a core part of a CISO’s job. It is no longer optional, and cybersecurity has a permanent spot on the boardroom agenda.
Why is this? Cybersecurity is no longer seen as just an IT issue. It is a risk to the business that the board must actively oversee, and boards are held accountable for global outages, high-profile regulatory fines, and the ever-increasing cyber threats we all face.
During our cybersecurity leadership webinar, we discussed with Andy Piper the shift in board priorities he has seen over the years.
A couple of years ago, talking to the board would have been, ‘This guy from security is turning up. This is the chance to switch off for a minute.’ Now they're pulling me into the board to ask me questions because they've seen other organizations getting ransomware. They've heard about supply chain attacks, and they want to know, ‘Are we safe from them? What do we do about them?’
Andy Piper
CISO of Investment and Market divisions, Barclays
To ensure that cybersecurity reporting is both meaningful and actionable, Andy follows four key principles:
1. Contextualize key risks
2. Move beyond data to decisions
3. Align reporting with business priorities
4. Position cybersecurity as a business enabler
Step 1: Contextualize key risks
Raw data without context can be misleading or meaningless to a board. Reports should not simply present key risk indicators (KRIs); they must explain their significance and implications.
If it's an informational report, it's got to inform... If it's seeking to just give a whole bunch of data about key risk indicators, then let's contextualize those. There’s a target line—if we're above the target, is that good? Could we be better? Should we be better? If we're below the target, how are we going to get that back up to where it should be?
Andy Piper
CISO of Investment and Market divisions, Barclays
The key to this first step is translating for your intended audience. Andy emphasizes that security leaders must go beyond presenting technical data and instead focus on delivering meaningful business insights. This means framing cybersecurity risks in terms of business outcomes.
Andy says: “There’s no point in me going into one of the boards talking about the intricacies of a new TTP. They don’t care about that. They pay me to care about that. What they want to know is: How is this going to impact their business?”
Step 2: Move beyond data to decisions
Boards need more than a snapshot of security posture. They need to understand what actions should be taken. Andy stresses the importance of answering not just ‘so what?’ but also ‘so what next?’
The board must understand why they should care about a particular risk, or about an initiative the CISO wants to pursue. But that alone isn’t enough.
“Boards don’t just need to know that a risk exists; they need to understand what’s being done about it and why it matters.”
If the board truly understands the compound risk of that threat, it empowers the CISO to go ahead and deal with it proactively.
Step 3: Align reporting with business priorities
Security must be seen as a business enabler rather than an operational roadblock. Andy highlights that overly restrictive controls can hinder business operations, which is why CISOs must engage in ongoing dialogue with business leaders.
Everything that we do is a balance. Is the control that we're putting in commensurate with the risk? Do we feel like we are putting in a control that's adding too much friction to someone's day? Is it not adding enough? But all of that is done in conjunction with a discussion with the actual bankers of the business who are going to live this.
Andy Piper
CISO of Investment and Market divisions, Barclays
Striking this balance is the challenge at hand: working with the board to keep the business running as usual while not exposing the organization to any extreme risk.
Step 4: Position cybersecurity as a business enabler
A key objective of board reporting is to shift the perception of cybersecurity from a cost center to a value driver. Andy warns that CISOs who fail to communicate security’s business benefits risk being sidelined.
If you can't explain what you need to do in the context of business benefits, then you'll be seen as a cost and an overhead rather than a business enabler. That's the switch you really want to get into if you're going to be successful with getting the buy-in of the board.
Andy Piper
CISO of Investment and Market divisions, Barclays
Security teams should strive to be seen as enablers and partners who help the business do what it wants to do in the most secure way, rather than as the house of ‘no’ that just stops people from doing things. CISOs need to position security as a collaborator, not a blocker.
Building trust through reporting
Effective board reporting is not just about presenting data—it’s about building trust, driving informed decision-making, and securing executive buy-in.
Following these four principles allows a CISO to build trust within their organization. Cybersecurity should be approachable for all, and by breaking down those barriers, CISOs will engage more effectively with the board and achieve more.
“Reporting is huge,” says Andy Piper. “It really is. It's one of the more valuable things that we can spend our time doing because it's how we generate the relationship with our stakeholders and how we explain things in words that mean something to them.”
If you want to hear more insights from Andy, you can watch the full webinar from our video and webinars catalog. Sign up to our Brighttalk page for upcoming webinars.