Feel free to browse our content in the following sections:

Our latest report
Cybersecurity remains one of the most critical risks for organisations today. This report offers a structured, practical guide to improving Cybersecurity Board Reporting, based on interviews, data analysis, director insights, and a review of sanitised Board reports. The goal is to strengthen reporting practices and enable more informed, meaningful dialogue between Boards and executive teams, supporting Directors in fulfilling their duty of care amid evolving cyber threats.
Cybersecurity Board‑level Governance is examined in three sections.
I strongly recommend the Cybersecurity Board Reporting research as a highly practical guide to strengthening cybersecurity governance at board level. It clearly addresses the reality that cybersecurity expertise varies widely across boards and shows how structured reporting can bridge this gap by balancing technical depth with clear business relevance. The research highlights the importance of effective information flow between board committees, an appropriate reporting frequency, and the use of consistent metrics to enable comparisons and trend analysis over time. Importantly, it also links cybersecurity reporting to informed budget discussions, helping boards align investments with risk appetite and strategic objectives.
- Marc Etienne Cortesi, CISO Baloise Group
1. Cybersecurity in the Board
70% of Boards discuss cybersecurity during Board meetings, most commonly on a quarterly basis. Discussions typically last around 15 minutes. CIOs and CISOs are the most frequent presenters, each involved in about half of the organisations surveyed.
Graph 1: Cybersecurity Discussed at the Full Board
2. Cybersecurity in Board Committees
83% of respondents report cybersecurity discussions within Audit and/or Risk Committees. These meetings also occur quarterly, with cybersecurity topics usually covered in approximately 30 minutes.
3. Additional Governance Aspects
Cybersecurity oversight is influenced by structural, procedural, and cultural factors, including Board dynamics, responsibilities, experience, education, and use of external advisors. Key findings include: 69% of Boards report full member engagement, 31% lack cybersecurity expertise, and Directors rate their ability to assess cyber risk at an average of 6.5/10.
Graph 2: I Have the Appropriate Information to Assess the Company's Cyber Risk so I Can Take Informed Decisions
Recommendations include making cybersecurity a standing agenda item, aligning discussion frequency with risk exposure, and ensuring Directors understand their responsibilities.
The report focuses on the content of Cybersecurity Board Reports and the importance of providing Directors with clear, comprehensive information. 61% of respondents receive dedicated
4. Cybersecurity Board Reports
The chapter identifies four core reporting areas:
Risk: Key cyber risks, scenarios, critical functions, and quantification.
Cyber Governance: Frameworks, standards, budget, and audit results.
Cybersecurity Strategy: Strategic approach, roadmap, risk appetite, and initiatives.
Status: Current capability and performance, including maturity, KPIs/KRIs, benchmarks, incidents, and compliance.
A review of 37 sanitised reports shows significant variation in style and content, underscoring the need for a structured reporting framework. Notably, 34% of Directors do not rate their current reporting as “Solid” or “Excellent.”
The report introduces the Cybersecurity Board Reporting Framework, designed to support well‑informed Board decision‑making. It covers:
Factors Influencing Reporting: Risk level, organisational size and complexity, and other contextual drivers.
Criteria for Effective Reporting: Coverage, accuracy, explanatory power, and additional quality measures.
Board Governance Proposals: Where cybersecurity should be discussed, how often, by whom, and with what scope.
Content Proposals: Six key categories—context, risk, cyber governance, strategy, status, and outlook—each with detailed examples.
Report Types: Different report formats and when to use them.
Reporting Calendar: Sample quarterly and biennial reporting structures for Boards and Committees.
Graph 3: Cybersecurity Board Reporting Framework
The framework concludes with guidance for creating a more intentional, fit‑for‑purpose information exchange between Boards and management. The report also includes an overview of the project participants and some final reflections.
Articles
Our insights and analyses on practices, trends, and what's happening in the field.
Cybersecurity in the boardroom: the importance of a warm handshake (GUBERNA)
A unique international study on cybersecurity reporting to boards of directors
The increasing cyber threats make proper reporting on cybersecurity to boards of directors increasingly important. A new international report, a collaboration between the Centre for Corporate Governance in St. Gallen, Switzerland and the Centre for Cybersecurity Belgium, provides directors with a framework to better fulfil their role in cybersecurity governance. "It's crucial to create a warm handshake between board and management," says Chris Verdonck, initiator of the project.
Cyber threats on the rise
"The threat of cybercrime is increasing significantly. Cyber activism, espionage, and sabotage are also becoming more real due to the geopolitical situation," warns Miguel De Bruycker, Director-General of the Centre for Cybersecurity Belgium (CCB).
Belgian companies are certainly at risk. "Cybercrime doesn't respect national borders or sectors," according to De Bruycker. "Anyone who can be hacked and where ransom can be demanded is in the crosshairs. Our essential services in particular are definitely targets."
A unique study
The report is the result of a unique international study surveying 67 large companies in Belgium, Switzerland, and Australia. "Of those 67 companies, 63% were publicly listed, with an average market capitalisation approaching 20 billion," explains Chris Verdonck, senior advisor of the project.
The researchers spoke exclusively with board members and analysed dozens of so-called 'sanitised' cybersecurity reports from which confidential information had been removed.

The handshake as a crucial moment
"Before we began the project, I had various conversations with board members about their lack of comfort with this topic during board meetings," Verdonck explains. "Nevertheless, that handshake between board and management is a crucial element."
According to Verdonck, this handshake takes place during the board meeting, when cybersecurity is on the agenda and a cybersecurity report is on the table. "You can have a warm or a cold handshake, and you need both parties for a warm handshake. If one of them offers a limp hand, you can't speak of a warm handshake."
Work to be done
The study reveals that only 65% of interviewees indicated they had the right information to make properly informed decisions. "And I think that's actually quite optimistic," notes De Bruycker.
"We notice that reporting is done in many different ways," De Bruycker continues. "Some forms of reporting are clearer than others, but there's no real consistency. It sometimes veers into highly technical territory – in our opinion, sometimes too technical for that level – and often misses the link with business risks. That's ultimately the goal: for experts in cybersecurity to be able to translate that information into a language that's spoken at board level."
"As a board member, you face a clear problem," Verdonck states. "Based on what we’ve seen in the reports, the director gets more of an incomplete picture than a complete one. And that complete picture is of course essential for a board of directors to properly fulfil its duties."

Three key points from the framework
Without going into too much detail, Verdonck provides three key points from the framework proposed in the report:
- Know your environment: "Understand who you are and what you do. What is your organisation's risk level? How long have you been engaged with cybersecurity?"
- Organise your board: "Think about how you discuss and organise cybersecurity within the board of directors."
- Adapt your reporting: "The reporting should align with where your organisation stands. A beginning organisation needs different reporting than an organisation that has been involved with cybersecurity for years."
Boards often don't know what to ask
"Boards often don't know what questions to ask in this domain," emphasises De Bruycker. "A framework like this can absolutely help with that, so board members feel more at ease, more comfortable with the topic, and also dare to ask questions."
At that level, no one likes to admit they have little knowledge of a subject. "A framework like this provides structure and contributes to the confidence that we are properly addressing cybersecurity."
The report entitled "Cyber Security Board Reporting - The Board's Perspective" will be available mid-April on this website. You can already pre-register now.
Is Board and Executive reliance on Cybersecurity Maturity Assessments misplaced?
The 2025 Cybersecurity Board Reporting project (www.cybersecurityboardreporting.com.au) identified the widespread use of maturity assessments to help Boards and Executives understand the organisation’s cybersecurity posture. The NIST Cybersecurity Framework (CSF), developed by the US National Institute of Standards and Technology, was found to be the most commonly adopted framework. It is supported by extensive guidance and tools that assist those conducting such assessments. One caveat worth noting: the CSF itself describes implementation tiers rather than maturity levels, so the maturity scale applied in an assessment is usually the assessor's own or that of a companion model, and a report should say which.
Maturity assessments provide a useful basis for organisations to benchmark their capabilities at a granular level against peers. They are also frequently used to determine target maturity levels and form part of broader cybersecurity strategies. For many organisations, therefore, maturity assessments have become a core component of the cybersecurity information presented to Executives and Boards.
However, our research also revealed a common shortcoming: many reports, including maturity assessments, give limited comfort, as they provide almost no visibility into how much reliance can be placed on the results. Directors often indicated that they derived comfort when reports were produced by third parties, yet even then the level of validation can vary significantly.
Having worked on both the consulting side (delivering such reports) and the organisational side (consuming them), we observed clear limitations on the degree of reliance possible. Understanding why this is the case is essential.
Example: Assessing Patch Management Maturity
Consider the area of patching, which can be complex and full of exceptions—whether due to operational constraints or product limitations. Delayed patching remains a frequent source of cybersecurity breaches.
A maturity assessment of patch management may be performed in several different ways:
- Basic (Desktop) Assessment: Conducted quickly, in days, through structured interviews or questionnaires with key stakeholders. It typically does not include detailed evidence gathering or verification of responses. A NIST maturity score is then assigned based solely on these discussions.
- Evidence-Based Desktop Assessment: More comprehensive, often spanning several weeks. It includes collecting and reviewing supporting evidence such as patch logs or exception registers. A NIST maturity score is derived from both the discussions and the documentation reviewed.
- Validated (Testing-Based) Assessment: The most rigorous and costly form. It involves technical testing to verify patch status, identify inconsistencies, or uncover unapproved exceptions. Although time-consuming, this approach provides the highest level of assurance.
These three approaches, while all “maturity assessments,” can produce markedly different results. Hence, it is critical that reports clearly describe the scope, methodology, and extent of validation undertaken. Unfortunately, most reports we reviewed lacked this essential context.
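The gap between the evidence-based and the validated approach, as an added illustration that is not part of the report: a script that takes the patch tool's log and the exception register (the documents a desktop review would examine) and reconciles them against what a scan of the hosts actually returned. Every input in it (host names, the advisory identifier, the log entries, the register and the scan results) is constructed sample data, and the finding labels are this example's own. It shows how the face-value coverage figure and the validated figure for the same advisory can diverge, and the classes of finding that only the testing step surfaces: a log that mis-states a host's status, hosts with no exception, exceptions that were requested but never approved or have lapsed, and hosts the log does not know about at all.

```python
"""Reconcile claimed patch status against what hosts actually report.

Added illustration (not from the report). All hosts, the advisory identifier,
log entries, exception register and scan results are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed: the advisory being assessed and the date of the assessment.
ADVISORY = "ADV-2025-001"          # hypothetical identifier
AS_OF = date(2025, 9, 1)

# Constructed: what the patch tool's log claims for each host (the "evidence"
# an evidence-based desktop assessment would review).
PATCH_LOG: Dict[str, str] = {
    "web-01": "patched",
    "web-02": "patched",
    "db-01": "unpatched",
    "db-02": "unpatched",
    "app-01": "patched",
}


@dataclass(frozen=True)
class PatchException:
    host: str
    approved: bool
    expires: date


# Constructed: the exception register as handed to the assessor.
EXCEPTIONS: List[PatchException] = [
    PatchException("db-01", approved=True, expires=date(2026, 6, 30)),    # valid
    PatchException("db-02", approved=False, expires=date(2026, 6, 30)),   # requested, never approved
    PatchException("app-01", approved=True, expires=date(2024, 12, 31)),  # lapsed
]

# Constructed: what a validation scan observed on the hosts themselves
# (the step only a testing-based assessment performs).
SCAN: Dict[str, str] = {
    "web-01": "patched",
    "web-02": "unpatched",   # log says patched; the host disagrees
    "db-01": "unpatched",
    "db-02": "unpatched",
    "app-01": "unpatched",   # log says patched; its exception has lapsed
    "app-02": "unpatched",   # absent from the patch log altogether
}


def exception_valid(exc: PatchException, as_of: date) -> bool:
    """An exception only covers a host if it was approved and has not lapsed."""
    return exc.approved and exc.expires >= as_of


def desktop_coverage(patch_log: Dict[str, str], exceptions: List[PatchException], as_of: date) -> float:
    """Coverage as an evidence-based desktop assessment would compute it:
    the patch log is taken at face value and valid exceptions count as covered."""
    valid = {e.host for e in exceptions if exception_valid(e, as_of)}
    covered = sum(1 for h, s in patch_log.items() if s == "patched" or h in valid)
    return covered / len(patch_log)


def validated_coverage(scan: Dict[str, str], exceptions: List[PatchException], as_of: date) -> float:
    """Coverage as a testing-based assessment would compute it: a host counts
    only if the scan actually saw the patch or a valid exception exists."""
    valid = {e.host for e in exceptions if exception_valid(e, as_of)}
    covered = sum(1 for h, s in scan.items() if s == "patched" or h in valid)
    return covered / len(scan)


def validate(patch_log: Dict[str, str], exceptions: List[PatchException],
             scan: Dict[str, str], as_of: date) -> Dict[str, List[str]]:
    """Reconcile log, register and scan; return the findings per host.

    A host may carry more than one finding, for example when the log
    mis-states its status and it also has no exception."""
    exc_by_host = {e.host: e for e in exceptions}
    findings: Dict[str, List[str]] = {}
    for host, observed in scan.items():
        issues: List[str] = []
        claimed = patch_log.get(host)
        if claimed is None:
            issues.append("not_in_patch_log")
        elif claimed != observed:
            issues.append(f"log_says_{claimed}_host_is_{observed}")
        if observed == "unpatched":
            exc = exc_by_host.get(host)
            if exc is None:
                issues.append("no_exception")
            elif not exc.approved:
                issues.append("exception_not_approved")
            elif exc.expires < as_of:
                issues.append("exception_expired")
        if issues:
            findings[host] = issues
    return findings


if __name__ == "__main__":
    print(f"{ADVISORY}: desktop coverage   {desktop_coverage(PATCH_LOG, EXCEPTIONS, AS_OF):.0%}")
    print(f"{ADVISORY}: validated coverage {validated_coverage(SCAN, EXCEPTIONS, AS_OF):.0%}")
    for host, issues in validate(PATCH_LOG, EXCEPTIONS, SCAN, AS_OF).items():
        print(f"  {host}: {', '.join(issues)}")
```

On the constructed data the desktop view reports 80% of hosts covered while the validated view reports 33%, and only the latter produces the per-host findings a Board report could be asked to explain. In practice the scan results would come from an authenticated vulnerability scanner or endpoint agent rather than a dictionary, but the reconciliation logic is the same.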
Why This Matters
Unlike financial reporting, which benefits from centuries of refinement and well-established audit standards, cybersecurity risk practices are still maturing. Financial statements accompanied by an audit report communicate an understood level of assurance and rigour. No equivalent standards yet exist for cybersecurity reporting.
Our review of available frameworks and guidance across multiple jurisdictions revealed only limited direction concerning cybersecurity reporting to Boards.
To address this gap, Boards and Executives must consciously evaluate the limitations of cybersecurity reports they receive. When the degree of verification is unclear, further inquiry is warranted.
Questions Boards Should Ask
To establish the reliability of any cybersecurity maturity assessment or other report on which Directors are relying, Boards and Executives should seek clarity on:
- What was the scope of the review?
- Who performed the work?
- What level of testing or validation was undertaken?
- What level of assurance was provided with the report?
These questions can help determine whether additional information or assurance is needed. Ultimately, Executives and Boards require sufficient context to judge how much reliance they can place on a maturity assessment or other report, particularly when it informs strategic direction or future investment in cybersecurity capability.
Podcasts
Conversations, insights, and stories worth listening to.
Events & Conferences
Events, lectures and conferences worth visiting to engage with our experts.
2026
University of St. Gallen, Cybersecurity for Executives (Cybersecurity für Führungskräfte), Strategy & Governance
VR Management, Best Board Practice Part II (Beste Verwaltungsrats-Praxis Teil II)
Annual Conference Swiss Board Forum
Australian Information Security Association NSW Meeting
2025
Global Cyber Conference 2025
29th Bad Ragaz Board Days (29. Bad Ragazer Verwaltungsratstage)
LE FORUM - Forum INCYBER Canada
The New CISO - CIONET Belgium Community Event
FS-ISAC – Melbourne, Australia (LinkedIn post)
ISACA, Australia Conference
The power of clear and business focussed reporting
Enhancing Cybersecurity Board Reporting practices to facilitate a meaningful dialogue between Boards and executives, thereby helping Board members to be better equipped to fulfil their duty of care.