The SEC Cybersecurity Disclosure Rules, effective December 2023, require public companies to describe board oversight of cybersecurity risks. This means boards are now asking for cybersecurity risk reporting that they previously delegated entirely to management. For CISOs, this creates both an opportunity and a challenge: the opportunity to elevate the security program's visibility and funding, and the challenge of translating technical metrics into governance language that board members, who are typically not security professionals, can understand and act on. Phishing simulation results are one of the most tangible, measurable security metrics available, making them an ideal foundation for board-level reporting.
What Do Board Members Actually Want to See?
Board members process information differently from security teams. They want a risk posture summary (are we more or less secure than last quarter?), trend direction rather than point-in-time snapshots, financial context connecting security metrics to business impact, peer benchmarking showing how the organization compares to its industry, and clear recommendations they can approve or reject. They do not want granular campaign data, technical details about attack vectors, or individual employee performance. Keep the presentation to three to five slides at most. If a board member needs more detail, they will ask for it. The most effective board presentations answer a single question: “Should I be worried, and what are we doing about it?”
What Is the Recommended Board Reporting Template?
Slide 1: Executive Risk Summary. Lead with the organizational human risk score on a simple red-yellow-green scale. Show the 12-month trend. State the estimated annual loss expectancy from phishing risk in dollar terms. Compare to the previous quarter. One sentence: “Our human-layer risk score improved from 62 to 47 this quarter, reducing estimated annual phishing exposure from $2.1M to $1.4M.”

Slide 2: Key Performance Indicators. Three metrics only: click rate trend (with industry benchmark overlay), report rate trend (indicating security culture strength), and program coverage (percentage of employees actively tested and trained). Each metric should show a 12-month trend line, current state versus target, and a brief interpretation.

Slide 3: Risk Hotspots and Actions. Identify the top two or three areas of concern (specific departments, roles, or trends) and the specific actions being taken to address them. Include timelines and expected outcomes.

Slide 4: Investment and ROI. Program cost, estimated risk reduction in dollar terms, and the resulting ROI percentage. Compare to alternative risk mitigation investments.

Slide 5: Recommendations. One to two specific recommendations for board approval: budget for program expansion, policy changes, or new capability investments.
How Often Should You Report to the Board?
Quarterly board reporting is the standard cadence for cybersecurity metrics in most governance frameworks. However, provide interim updates when significant events occur: a major phishing incident, a material change in risk posture, or a significant program milestone. Avoid over-reporting, which dilutes the signal and can create the impression that the security team is uncertain or seeking excessive oversight. Between board meetings, provide monthly reports to the executive committee or risk committee that include more operational detail. These monthly reports serve as the detailed evidence base that supports the quarterly board summary. For guidance on building the operational dashboard that feeds into board reporting, see our guide on building a security awareness metrics dashboard.