

4 Compliance And Risk Reports Every CISO Needs



In his predictions for 2019, Chuck Saia, Deloitte's CEO of Risk and Financial Advisory, stressed the necessity for compliance and risk professionals to involve business leaders:

"To engage senior leaders, the CIO and CISO should develop business-focused cyber risk reporting, rather than overly technical reports with a focus on business impacts and risks."

Chuck Saia, Deloitte CEO of Risk and Financial Advisory

Saia noted that today only 30% of CEOs and board members are highly involved in their organizations' security programs. Gartner, meanwhile, predicts that by 2020, 100% of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually, up from 40% today.

With cybersecurity rapidly becoming a board-level issue, many CISOs face the same level of inquiry and scrutiny as a CFO or CEO. Cyber is no longer an abstract concept that can be assessed with the question 'are we secure?' and a brief 'yes'. According to Gartner, successful CISOs are leaders, communicators, and managers, and all CISOs need to be prepared to convey the progress their organization is making to keep the enterprise secure as it continues to grow.

Shifting the conversation from high/low risk to good/bad risk

The issue many CISOs face in the boardroom is that their mentality is often at odds with the CEO's. Where the CEO wants to pursue rapid growth and expand the company, the CISO sees the risks inherent in that strategy and seeks out ways to minimize them. In short, a CEO seeks to maximize and a CISO seeks to minimize. This dynamic, though, is predicated on antiquated technologies that created silos within the security organization.

Effective CEOs are trained to take the right business risks to drive growth. In order to get buy-in from their CEO, a CISO must reframe the inherent risks of new initiatives from a high/low model to a good/bad risk model. This shift requires a CISO to align their activities with business goals: instead of assessing risk through the lens of likelihood and impact, the good/bad risk framework looks at it through the lens of value and appetite.


71% of non-IT executives said that concerns over cybersecurity are impeding innovation in their organizations (Gartner).

Don't be seen as an impediment to business progress. By aligning cybersecurity activities with business goals and taking a good/bad risk approach, you can effectively communicate the impact of new initiatives and help non-IT executives understand the inherent risks.

The 4 Reports To Effectively Communicate With Key Stakeholders

As enterprise stakeholders take an increasing interest in the security posture, the CISO needs to be able to convey their activities and successes as effectively as a CFO can with a balance sheet and statement of cash flows. Four reports are recommended to help you align your activities as a CISO with the goals and objectives of the enterprise: the Executive Risk Report, the Trend Report, the GDPR Report, and the Overview Summary.

Executive Risk Report

An Executive Risk Report delivers a high-level overview of the company's risk. There are three critical breakdowns within the report: risk by threat type, risk by business impact, and the data protection triad (confidentiality, integrity, availability).



Within the risk by threat type and risk by business impact breakdowns, each bar chart reflects the volume of residual risk, remaining risk, and mitigated risk.


The data protection triad reflects the number of controls implemented to protect each dimension. With emerging integrated risk management (IRM) systems like the CyberStrong platform, CISOs are able to see each dimension in order of priority based on the number of controls employed for it.


A CyberStrong Executive Risk Report also delivers a risk report breakdown by control family. As CyberStrong is built on the NIST frameworks, this chart is delivered through the lens of NIST 800-30, breaking controls into detect, identify, protect, recover, and respond. This chart also reflects the amounts of residual risk, remaining risk, and mitigated risk.


Finally, a CyberStrong Executive Risk Report includes a more granular breakdown of the risk posture by control family. Each family is assigned a CyberStrong score, which feeds into the risk scoring itself. Unlike the charts above, this table breaks the categories of risk down further: inherent risk (total risk by family), residual risk (risk that remains after some implementation of controls), and opportunity (the amount of risk that remains to be mitigated). This table can help you convey the critical aspects of your security program to other executives and surface need-based priorities.


Trend Report

The CyberStrong Trend Report uses CyberSaint's patented technology to deliver a CyberStrong score, a roll-up of all assessments in the environment, along with the number of active assessments ongoing. Further, the Trend Report shows the number of assessments and controls updated and the number of users logged in during the last week. This report will help you display the ongoing progress your organization is making to keep the enterprise secure and is a perfect jumping-off point for discussing more granular activities with non-technical stakeholders.


The CyberStrong Trend Report also includes more granular tables showing the strongest and weakest points in each active assessment. As with the granular table in the Executive Risk Report, these tables use the CyberStrong score combined with a breakdown of inherent risk, residual risk, remediated risk, and opportunity. These breakdowns reveal weak points in specific control families and help you and fellow senior leadership prioritize remediation.


The CyberStrong Trend Report also delivers overviews of progress on assessments and updates made to controls over one-, three-, six- and twelve-month periods. The Trend Report is your month-over-month and year-over-year progress statement and helps you relay the operations of your organization to the Board and CEO.

GDPR Report

The General Data Protection Regulation (GDPR) has been a Board-level concern since its enactment in May 2018. As seen with Facebook's September 2018 case, the first major infringement, GDPR is a critical concern from both a security and a business standpoint. The CyberStrong GDPR Report uses CyberSaint's list of controls and actions to ensure compliance and increase visibility into GDPR posture on an ongoing basis.

A radar graph comparing the enterprise's posture against the GDPR standard gives CISOs and stakeholders fast insight into their compliance.

The radar graph is followed by a granular table like those in the Trend and Executive Risk Reports. This table delivers a deeper view of each control family, matched with a CyberStrong score and breakdowns of inherent risk, residual risk, remediated risk, and opportunity.

The CyberStrong GDPR Report also delivers complete and comprehensive breakdowns of each control necessary for GDPR compliance.



GDPR marked the first legislative correlation of cybersecurity and business operations, and was a very public call to align business and security strategies. The CyberStrong GDPR Report allows CISOs to easily deliver an in-depth review of their enterprise's GDPR posture to key stakeholders across the organization.

Overview Summary

The fourth critical report necessary to reflect a CISO's alignment with business strategy is a complete Overview Summary. A CyberStrong Overview Summary provides a complete report on an enterprise's entire assessment environment.

Highlighted throughout the overview is the CyberStrong score (using CyberStrong's risk model), the first being a roll-up score of all active assessments ongoing. The following table delivers a brief overview of each ongoing assessment: its progress to date, its CyberStrong score, its owner, and when it was last updated. For CISOs reporting on ongoing progress to the CEO and stakeholders, this table is critical.


Similar to the Executive Risk Report, the Overview Summary also delivers bar-chart breakdowns of risk by business impact, risk by threat type, and data protection priorities for the data protection triad.


The Overview Summary also delivers a CyberStrong score, a framework description, and a radar graph for each assessment. The radar graph compares the current status of the enterprise posture against the target score of the assessment. Further, the Summary delivers a risk report for control families and data protection priorities for each assessment, as well as individual control details.

The most comprehensive of the reports a CISO needs, the Overview Summary gives stakeholders a deep view of the enterprise's security posture and helps illustrate how new business initiatives align with the risks that arise from them.


Be prepared

As cybersecurity increasingly becomes a Board-level matter, CISOs need the ability to report on their progress and activities as efficiently as a CFO can with a balance sheet and statement of cash flows. The four compliance and risk documents (Executive Risk Report, Trend Report, GDPR Report, and Overview Summary) do just that: these reports empower a CISO to effectively communicate their operations to the CEO and Board. With a shift from a high/low to a good/bad risk mindset, a CISO presents themselves as what they always were: an asset to business operations.
