How do you report your security culture progress to the board?
Reporting security progress to the board of directors is one of the biggest challenges security professionals face today. Here are some tips to help.
With more organizations implementing security culture initiatives to manage human-factor risks, Praxis Security Labs has observed heightened board engagement in security culture matters. This executive involvement proves vital to human-centric security program success.
The Leadership Influence Factor
People follow other people. When staff observe management indifference toward security protocols, they become less likely to participate and may actively undermine initiatives. Engaged board members and security-champion leadership are essential for program success.
The Communication Challenge
CISOs face a significant hurdle: board reports must be concise, business-focused, and free from technical jargon. Reporting on human factors requires particular care, as executives may perceive culture initiatives as nebulous rather than business-critical.
Crafting Relevant Reports
Rather than focusing on technical minutiae, effective communication targets executive priorities. Consider these questions:
- How much presentation time is available?
- How often do you report, and how are the reports used?
- How does the report align strategically with business objectives?
- What are the board members' areas of expertise and interest?
- What priorities are emerging for the board?
Six-Step Reporting Framework
- Draft comprehensive information without restraint
- Map each data point to specific board member interests
- Verify that the core information is included; replace less critical content as needed
- Ensure content fits allocated time; move excess to written reports
- Present with ample opportunity for questions; prepare relevant prompts
- Request board input on security strategy and direction
This approach requires effort but ensures relevance, enabling boards to access necessary information while avoiding irrelevant technical details.