
Cybersecurity has long been more than just an IT issue – it is a strategic challenge for companies. Yet many IT security reports fail to provide the right information to top management. Either they are packed with technical details that no board member can understand, or they are so superficial that no real decisions can be made. The key question is: what does the board need to know to fulfil its oversight role and ensure the cyber resilience of the organisation – and what can it safely leave to IT?

Karl Neumann, SVP Group IT at Constantia Flexibles and CIOmover, is also dealing with this question. His approach: IT security reports for management must provide clarity and focus on the essentials – without unnecessary technical ballast.
The Right Level of Information for Management
A common problem is choosing the wrong level of information. Keri Pearlson, Principal Research Scientist at MIT Sloan, gets to the point: “While it’s easiest for cyber executives to report on technology metrics or organizational metrics, such as phishing exercise results, this information does not help the Board with their job of ensuring cyber resilience. It’s just the wrong level of information.”
This means that IT security reports should not be overloaded with details about individual measures or technical metrics. The board does not need to receive in-depth analyses of firewall logs or virus scanner detection rates. Instead, management needs an overarching view of the maturity of IT security, the current threats and the company’s strategic progress in this area.
Making Cyber Security Maturity and Risks Visible
Neumann emphasizes that an effective IT security report must present the company’s cybersecurity maturity in a way that top management can understand. But which solution to choose?
Models such as the Harvard Balanced Scorecard for Cyber Resilience (BSCR), which provide a structured and visually appealing assessment of the security level, are ideal for this. At the same time, it is important not only to document the status quo, but also to show which risks exist for the company. A regular assessment of the threat situation, ideally based on established frameworks such as NIST CSF 2.0, helps the management board to better classify the urgency of certain measures.
Less Technology, More Clarity: The Role of KPIs
In addition to qualitative assessments, good reporting needs measurable metrics. However, these should be presented in a way that non-technical audiences can understand. Clear KPIs help the board of directors quickly understand how the company’s IT security is performing.
Important metrics could include a cybersecurity maturity score based on recognized standards such as NIST or ISO 27001. The average time to detect and remediate a security incident is also an important indicator of the organization’s ability to respond. Other relevant KPIs may include the coverage of key security measures, such as multi-factor authentication or endpoint detection and response, and the status of regulatory compliance.
However, KPIs must not become an end in themselves. They must be embedded in a strategic context and enable the board to make informed decisions – not just a string of numbers.
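To make the KPIs named above concrete, here is an added example (not code from the article, from Neumann, or from any of the frameworks mentioned) that rolls raw security-operations records up into a board-level summary: mean time to detect and remediate, MFA and EDR coverage, and a maturity score derived from self-assessed NIST CSF 2.0 function tiers. The incident and asset records, the per-function tier numbers, and the target thresholds are all constructed assumptions for illustration; a real report would pull them from the ticketing system, the asset inventory and the organisation's own risk appetite.

```python
"""Roll security-operations data up into the KPIs a board report needs:
maturity score, mean time to detect (MTTD), mean time to remediate (MTTR),
control coverage and a per-KPI status against an agreed target.
All data below is constructed for this example."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Incident:
    name: str
    occurred_at: datetime            # start of malicious activity, per post-incident review
    detected_at: datetime            # first alert or report that triggered the response
    resolved_at: Optional[datetime]  # None while the incident is still open


@dataclass
class Asset:
    name: str
    mfa_enabled: bool    # accounts on this system require multi-factor authentication
    edr_installed: bool  # endpoint detection and response agent is reporting in


# Constructed sample records (hypothetical, not from the article).
INCIDENTS = [
    Incident("phishing-01", datetime(2024, 3, 1, 8), datetime(2024, 3, 1, 20), datetime(2024, 3, 3, 8)),
    Incident("malware-02", datetime(2024, 3, 10, 0), datetime(2024, 3, 11, 0), datetime(2024, 3, 11, 6)),
    Incident("webshell-03", datetime(2024, 3, 20, 9), datetime(2024, 3, 20, 15), None),
]
ASSETS = [
    Asset("erp-app", True, True), Asset("mail-gw", True, True), Asset("file-srv", True, False),
    Asset("legacy-hmi", False, False), Asset("vpn-gw", True, True),
]
# Self-assessed NIST CSF 2.0 tier per function (1 = Partial ... 4 = Adaptive).
# Mapping tiers to a numeric score is an assumption of this example, not an official method.
CSF_TIERS = {"Govern": 2, "Identify": 3, "Protect": 3, "Detect": 2, "Respond": 2, "Recover": 3}
# Board-agreed targets; hypothetical values.
TARGETS = {"mttd_hours": 24.0, "mttr_hours": 48.0, "mfa_coverage_pct": 95.0,
           "edr_coverage_pct": 90.0, "maturity_tier": 3.0}
LOWER_IS_BETTER = {"mttd_hours", "mttr_hours"}


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def mean_time_to_detect(incidents: List[Incident]) -> float:
    """Average hours from first malicious activity to detection, over all incidents."""
    return mean(hours_between(i.occurred_at, i.detected_at) for i in incidents)


def mean_time_to_remediate(incidents: List[Incident]) -> float:
    """Average hours from detection to closure; open incidents are excluded."""
    closed = [i for i in incidents if i.resolved_at is not None]
    if not closed:
        return float("nan")  # nothing closed yet: report 'no data' rather than a misleading 0
    return mean(hours_between(i.detected_at, i.resolved_at) for i in closed)


def coverage_pct(assets: List[Asset], control: str) -> float:
    """Share of inventoried assets on which the named control is in place."""
    return 100.0 * sum(getattr(a, control) for a in assets) / len(assets)


def maturity_tier(tiers: Dict[str, int]) -> float:
    """Unweighted average tier across the CSF functions (assumption: equal weights)."""
    return mean(tiers.values())


def board_summary(incidents: List[Incident], assets: List[Asset],
                  tiers: Dict[str, int]) -> Dict[str, object]:
    """Each KPI is paired with its target and a plain-language status so the
    number is read in context rather than as a bare figure."""
    values = {
        "mttd_hours": mean_time_to_detect(incidents),
        "mttr_hours": mean_time_to_remediate(incidents),
        "mfa_coverage_pct": coverage_pct(assets, "mfa_enabled"),
        "edr_coverage_pct": coverage_pct(assets, "edr_installed"),
        "maturity_tier": maturity_tier(tiers),
    }
    summary: Dict[str, object] = {}
    for key, value in values.items():
        target = TARGETS[key]
        on_target = value <= target if key in LOWER_IS_BETTER else value >= target
        summary[key] = {"value": round(value, 1), "target": target,
                        "status": "on target" if on_target else "below target"}
    summary["open_incidents"] = sum(1 for i in incidents if i.resolved_at is None)
    return summary


if __name__ == "__main__":
    for kpi, detail in board_summary(INCIDENTS, ASSETS, CSF_TIERS).items():
        print(f"{kpi:18} {detail}")
```

Note that MTTR deliberately excludes open incidents and reports no value when nothing has been closed; averaging in an artificial zero for open cases would make the response capability look better than it is, which is exactly the kind of distortion a board-level KPI must avoid. The open-incident count is reported separately so that exclusion stays visible.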
IT Security Reports Must Be Real Management Tools
For the board to actively manage the company’s cyber resilience, it needs clear, relevant information – not detailed technical analyses. Good reporting relies on a strategic presentation of the security situation, supplemented by clear risk analyses and concise KPIs. This is the only way for management to fulfill its responsibility and drive forward targeted measures to improve cyber resilience. Neumann advocates a pragmatic approach: no bullshit, no technology overload – instead, relevant information in a language that management understands.
