Cyber reporting travels further
Security and risk functions produce the picture of cyber risk that boards, auditors and regulators rely on, and that picture travels further than it used to. It feeds committee packs, resilience attestations and, increasingly, declarations made in the annual report delivered to shareholders.
The boards receiving it are under growing scrutiny, and it has turned personal. They now declare the effectiveness of their material controls in their own name, named senior managers are expected to evidence the reasonable steps they took, and boards themselves are more fluent in cyber and asking sharper questions. This pressure does not stay in the boardroom and inevitably arrives at the function that produced the report.
Most boards have never converted their cyber risk appetite into tolerances that reporting can be measured against. Without them, the cyber risk function is left to infer what the board needs to see, and a picture built on inference is hard to defend, however carefully it was made.