Something I’ve been reflecting on lately: When the board asks “Are we safer than last quarter?” what do you typically lean on to answer that with confidence?
– Risk scores?
– Reduced findings?
– Fewer incidents?
– Gut + experience?
Would love to hear how others frame this internally.

VP of Information Security, 3 days ago

I would turn to any KPIs / metrics I am using. This will help you to provide solid evidence of improvements month on month. Metrics can include incidents detected, maturity across various controls, risks identified, mitigated, reduced etc. You need to be in a position where you can answer the question yourself before you start translating the security posture to the board.

Group Director of Information Security in Banking, 4 days ago

Try to communicate on business risk reduction, not tools: “We are x% within the cyber risk appetite approved by the board earlier this year...”
Use language that communicates trend: “Compared to last quarter, our detection coverage and response speed improved by z%...”
Tie the ending of your presentation to a framework: “Finally, our overall ISO 27001 control coverage improved from x% to y%, aligned with the strategic program I presented, and you had concurred with...”

The thing I like about this way of presenting “Are we safer than last quarter?”-type queries is that it gives the board a defensible, metrics-backed yes or no with context, tied directly to risk appetite and strategy rather than a subjective and direct Yes/No. Who knows, you might be presenting the board with the ransomware fallout by next week/month while you are only at the initial stages of implementing your strategic defense program.

Director of Operations in Construction, 5 days ago

I would lean on a combined view, by showing the board risk scores trending either up/down, fewer serious incidents, and progress on reducing high-risk findings in a way that's tied to the business impact. A combination of these can be further categorized into specific areas by using tools like a CRQ/risk dashboard (for overall org cyber risk score), Qualys/Tenable (for vulnerability backlog), SIEM/EDR (for incident count going down / handled faster), Axiad (to quantify identity risk), Living Security (for human security risk) etc.

CISO in Banking, 5 days ago

The threat landscape is constantly evolving, and controls that are effective today may not remain so tomorrow. For that reason, I avoid giving absolute assurances like ‘we are safer than last quarter.’ Instead, I focus on two things:

1. What the latest threat trends are, and
2. How well our current controls align with those risks.

If we identify gaps where controls are insufficient against emerging threats, I believe in being transparent with the board. This not only builds trust but also creates an opportunity to secure their support and resources to address those gaps. Ultimately, the goal is to foster a relationship where cybersecurity is seen as a shared responsibility, not just a quarterly metric.

Director of IT, 5 days ago

We are using our CIS/NIST scoring as part of the presentation, with summaries of controls invoked and level of implementation. Additionally, we also use the NIST CSF diagram, where controls are the governance "circle", and we bullet-list highlights of newly implemented tools or measures as they relate to the Identify, Protect, Detect, Respond, Recover elements. There is a difficulty in stating "more safe", which to some leaders implies "entirely safe"; rather, we are reporting on the steps of continuous improvement, along with third-party scans and probes.
