Frontrow Technology
What a cyber report for the board should actually contain

Most cyber board reports either overwhelm with green ticks or underwhelm with generic incident counts. Here's what an Australian non-exec director actually needs to see every month.

Graeme Lodge · 22 April 2026 · 7 min read

Cyber is now a standing board agenda item in most Australian mid-market businesses. The OAIC, APRA and the ASX have collectively ensured it — after Optus, Medibank, Latitude and the steady drumbeat of smaller breaches, a non-executive director who isn't asking cyber questions isn't doing the job.

The problem is that most cyber board packs are still written by IT teams for IT teams. They report incidents that were closed, tickets that were resolved and patches that were applied. None of that tells a director whether the organisation is more or less exposed than last month.

Here's what we put in front of a board monthly. It's four pages, five metrics, one narrative.

Metric 1 — Essential Eight Maturity Level, per strategy

Eight rows, one per strategy. Three columns: current ML, target ML, trend (↑, →, ↓). A board can read this in 30 seconds and ask the right question — 'why is Strategy 3 trending down?' — without needing a cyber background.

Targets should be an explicit board decision. Most mid-market Australian businesses should be running at ML2. Explicitly setting that target in the minutes gives the cyber team budget cover and the board a defensible risk posture.

Metric 2 — Identity posture, four data points

  • Percentage of users with MFA enforced (target: 100%)
  • Percentage of admin roles with PIM activation required (target: 100%)
  • Number of standing Global Administrators (target: ≤1 break-glass)
  • Percentage of sign-ins marked as high-risk in Identity Protection (track trend, explain spikes)

Identity is the front door. If the board only reads one slide, let it be this one.
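As an added example (not the article's or Frontrow's code), here is how the four identity-posture numbers above, and the board questions they generate, can be computed from a constructed tenant export. The record fields, the exemption of the break-glass account from the PIM denominator and the "month-on-month doubling counts as a spike" rule are assumptions for illustration.

```python
# Constructed sample export, not real accounts; field names are assumptions.
USERS = [
    {"upn": "alice@example.test", "mfa_enforced": True},
    {"upn": "bob@example.test", "mfa_enforced": True},
    {"upn": "carol@example.test", "mfa_enforced": False},
    {"upn": "dave@example.test", "mfa_enforced": True},
]
ADMIN_ROLES = [  # one break-glass GA (accepted), one standing GA that should be PIM-eligible
    {"upn": "breakglass@example.test", "role": "Global Administrator", "assignment": "permanent", "break_glass": True},
    {"upn": "bob@example.test", "role": "Global Administrator", "assignment": "permanent", "break_glass": False},
    {"upn": "dave@example.test", "role": "Exchange Administrator", "assignment": "eligible", "break_glass": False},
]
RISKY_SIGN_INS = {"last_month": (3, 1900), "this_month": (12, 2000)}  # (high-risk, total)
MFA_TARGET, PIM_TARGET, STANDING_GA_TARGET = 100.0, 100.0, 1  # targets from the slide above

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def identity_posture(users=USERS, roles=ADMIN_ROLES, risky=RISKY_SIGN_INS):
    mfa_pct = pct(sum(u["mfa_enforced"] for u in users), len(users))
    # Assumption: the break-glass account is exempt from PIM by design, so it is
    # left out of the "activation required" denominator.
    pim_scope = [r for r in roles if not r["break_glass"]]
    pim_pct = pct(sum(r["assignment"] == "eligible" for r in pim_scope), len(pim_scope))
    standing_ga = [r["upn"] for r in roles
                   if r["role"] == "Global Administrator" and r["assignment"] == "permanent"]
    last, now = pct(*risky["last_month"]), pct(*risky["this_month"])
    trend = "↑" if now > last else "↓" if now < last else "→"
    posture = {"mfa_pct": mfa_pct, "pim_pct": pim_pct, "standing_ga": len(standing_ga),
               "standing_ga_accounts": standing_ga, "high_risk_pct": now, "high_risk_trend": trend}
    # Every missed target or spike becomes the specific question a director can ask.
    questions = []
    if mfa_pct < MFA_TARGET:
        questions.append(f"MFA enforced for {mfa_pct}% of users: who are the exceptions and why?")
    if pim_pct < PIM_TARGET:
        questions.append(f"PIM activation required on {pim_pct}% of admin roles: which are standing?")
    if len(standing_ga) > STANDING_GA_TARGET:
        extra = [u for u in standing_ga if not any(r["upn"] == u and r["break_glass"] for r in roles)]
        questions.append(f"{len(standing_ga)} standing Global Admins (target <= 1 break-glass): {extra}")
    if last and now >= 2 * last:  # assumption: a month-on-month doubling counts as a spike
        questions.append(f"High-risk sign-ins rose from {last}% to {now}%: what explains the spike?")
    posture["board_questions"] = questions
    return posture

if __name__ == "__main__":
    for q in identity_posture()["board_questions"]:
        print(q)
```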

Metric 3 — Patching SLA performance

Two numbers: the percentage of critical patches deployed within the SLA window, and the age in days of the oldest still-unpatched CVE on your fleet that is being exploited in the wild. The second number is the board's cyber equivalent of the air quality index — high numbers are scary, trending to zero is reassuring.

If your SLA is 14 days for critical and your longest outstanding exploited CVE is 47 days old, the board now has a specific question: what's the remediation plan and by when?
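The two Metric 3 numbers, computed from a constructed patch register, as an added example that is not the article's or Frontrow's code. The 14-day SLA and the 47-day outstanding CVE reproduce the worked figures above; the register layout is an assumption and the CVE ids are placeholders, not real vulnerabilities.

```python
from datetime import date

SLA_DAYS = 14  # the 14-day critical SLA used in the worked example above
TODAY = date(2026, 4, 22)  # fixed reporting date so the example is reproducible

# Constructed patch register; the CVE ids are placeholders, not real vulnerabilities.
PATCHES = [
    {"cve": "CVE-0000-0001", "severity": "critical", "released": date(2026, 3, 1), "deployed": date(2026, 3, 9), "exploited": False},
    {"cve": "CVE-0000-0002", "severity": "critical", "released": date(2026, 3, 5), "deployed": date(2026, 3, 30), "exploited": False},
    {"cve": "CVE-0000-0003", "severity": "critical", "released": date(2026, 3, 6), "deployed": None, "exploited": True},
    {"cve": "CVE-0000-0004", "severity": "critical", "released": date(2026, 4, 10), "deployed": date(2026, 4, 15), "exploited": True},
    {"cve": "CVE-0000-0005", "severity": "important", "released": date(2026, 2, 1), "deployed": None, "exploited": False},
]

def age_days(p, today):
    """Days from release to deployment, or to today if still outstanding."""
    return ((p["deployed"] or today) - p["released"]).days

def patching_sla(patches=PATCHES, sla_days=SLA_DAYS, today=TODAY):
    criticals = [p for p in patches if p["severity"] == "critical"]
    # Within SLA means deployed, and deployed inside the window; an undeployed
    # critical older than the window is a breach, not a pending item.
    within = [p for p in criticals if p["deployed"] and age_days(p, today) <= sla_days]
    breaches = [p["cve"] for p in criticals if age_days(p, today) > sla_days]
    sla_pct = round(100.0 * len(within) / len(criticals), 1) if criticals else 100.0
    # Second number: oldest still-unpatched CVE, any severity, that is exploited in the wild.
    outstanding = [p for p in patches if p["deployed"] is None and p["exploited"]]
    oldest = max(outstanding, key=lambda p: age_days(p, today), default=None)
    report = {
        "critical_within_sla_pct": sla_pct,
        "sla_breaches": breaches,
        "oldest_exploited_cve": oldest["cve"] if oldest else None,
        "oldest_exploited_age_days": age_days(oldest, today) if oldest else 0,
    }
    if oldest:  # the number the board should be asking about, phrased as its question
        report["board_question"] = (f"{report['oldest_exploited_cve']} has been exploited in the wild and "
                                    f"unpatched for {report['oldest_exploited_age_days']} days against a "
                                    f"{sla_days}-day SLA: what is the remediation plan and by when?")
    return report

if __name__ == "__main__":
    print(patching_sla())
```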

Metric 4 — Incident summary with trend, not count

Raw incident counts are noise. What matters: mean time to detect, mean time to respond, and the count of incidents that required escalation to an exec. Three numbers, plotted over 12 months, tell a board whether the cyber capability is maturing.

Pair that with one narrative slide per quarter on the most significant incident of the period: what happened, what it surfaced, and what changed as a result. Boards don't need zero incidents; they need evidence that the ones you had taught the organisation something.

Metric 5 — Capability progression, not spend

Most boards ask 'are we spending enough on cyber?' The better question is 'what capability did we acquire or retire this quarter?' Stood up Purview DLP? Retired a legacy AV tool? Brought Intune compliance enforcement to 100% of the fleet? Report the capability delta, not the budget.

Spend tracks capability; it doesn't lead capability. A board that asks about capability first, budget second, is a board doing its job.

The one-page narrative

Four metric pages + one narrative page. The narrative is 300 words, in plain English, from the CISO or the accountable executive. It answers three questions: are we more or less exposed than last month, what is the biggest risk right now, and what decision do we need from the board.

A board that reads this monthly can govern cyber without being cyber experts. A board that doesn't, can't — regardless of how expert its members individually are.

Try it

Start with an Essential Eight baseline for your board pack

Run the tool to generate a PDF that doubles as the first month's E8 report: strategy scores, target levels, priority gaps. Score each of the eight strategies (four levels each) by picking the statement closest to your reality today, honestly, and set your target Maturity Level (ML2 is most orgs' pragmatic target). We'll map the result to the Microsoft 365 tooling that closes the gap.

The eight strategies:

  • Strategy 1, Application control: only approved applications can execute on workstations and servers.
  • Strategy 2, Patch applications: internet-facing apps, browsers, Office and PDF readers patched promptly.
  • Strategy 3, Microsoft Office macros: macros disabled unless from trusted locations and signed by a trusted publisher.
  • Strategy 4, User application hardening: web browsers and productivity apps hardened against the most common attacks.
  • Strategy 5, Restrict administrative privileges: admin accounts limited, separated and reviewed — the crown jewels of the tenant.
  • Strategy 6, Patch operating systems: operating system patches applied on a schedule that matches the risk.
  • Strategy 7, Multi-factor authentication: MFA everywhere that matters — privileged accounts, remote access, important data.
  • Strategy 8, Regular backups: backups of important data, configuration and software — and restores you have actually tested.

What not to include

  • Ticket counts and mean resolution time — operational metric, not board-level.
  • Patch count by vendor — meaningless without SLA context.
  • Screenshots of vendor dashboards — nobody reads them, they signal delegation to the tool.
  • Everything in green — if every metric is green every month, the metrics are wrong. Targets should occasionally be missed; the board should see it and the recovery plan.

Want us to run this with your team?

30 minutes. No deck. We'll walk through your tenant, your priorities, and the next sensible move.