Beyond the Scorecard: Transforming Board Reporting from "Score Chasing" to Strategic Risk
- Martin Bally

- Jan 22
- 3 min read

How to Shift the Board Conversation from "Target Scores" to Strategic Resilience
Early in my tenure at a previous organization, I found myself in a familiar cycle. We had just finished an annual risk assessment. Naturally, the Board asked the question that every Director is conditioned to ask:
"Okay, we are at a 2.5 today. What is the target score for next year? Should we be a 3.5? A 4.0?"
They were treating cybersecurity maturity like a sales forecast: pick a number, hit the number, celebrate.
It took strategy and a few difficult conversations to change that mindset. We had to teach the Board that we weren't chasing a number; we were chasing risk management. My core philosophy was this: If we appropriately manage risk and align with business objectives, our scores will naturally rise to be on par with or greater than our industry peers.
Here is how we moved the Board from chasing targets to understanding value.
1. Change the Ruler (The Assessor Pivot)
Our initial scores were based on a narrower view of the world. To get the Board to trust the "risk-first" narrative, we needed better data.
We issued an RFP and switched to a "Big 4" assessor. We didn't do this for the brand name; we did it for the context. We needed a partner that understood the full breadth of our industry: manufacturing, warehousing, and supply chain, not just general corporate IT.
We also expanded the scope to include an Operational Technology (OT) assessment. We told the Board: "We are challenging ourselves. The previous scores were comfortable, but they weren't complete. We are going to shine a light on the factory floor."
2. The "Special Topics" Feedback Loop
Once we stopped fixating on the score, we needed to fill that void with something more valuable: Education.
We implemented a feedback loop with the Audit Committee Chair. Before our quarterly meetings, we would collaborate to propose "Special Topics" for the agenda. This wasn't just us reporting out; it was us answering the questions the Board members were hearing in the wider market.
Because many of our Directors sat on other boards, they brought outside anxieties to the table. We used this to our advantage. We created deep-dive sessions on:
- Adversarial AI: How bad actors are using new tools against us.
- Quantum Computing: The future impact on our cryptography and infrastructure.
- Third-Party Risk: How we manage the extended enterprise.
- Physical Security & Drones: Merging the digital and physical threat landscapes.
This mechanism turned the meeting from a defensive grilling into a proactive strategy session. It allowed the Board to feel heard and educated, rather than just "reported to."
3. Cybersecurity is a Shared Responsibility
The "Special Topics" approach naturally led to a broader realization: Security isn't just an IT problem.
For example, when we discussed drones and physical security, we highlighted our partnership with the Physical Security teams. When we addressed Business Continuity, an area where we had historically lagged behind peers, I didn't just ask for a budget to fix a metric.
I partnered with the business unit responsible for continuity and Internal Audit. We applied the Deming Model (Plan, Do, Check, Act) to build a rigorous program.
As we formalized the process, our NIST scores in that domain naturally ticked up. The Board saw that the score increase was a byproduct of cross-functional partnership, not the goal itself.
4. The Result: The "State of the Union"
By the time we moved to the NIST CSF 2.0 framework, the conversation had fundamentally changed.
In my last "State of the Union" address to the full Board, the "Target Score" question had vanished. They finally understood that our program was aligned to the threat landscape, pulling spending forward for AI or OT risks, and pushing it back elsewhere.
The results spoke for themselves:
- Overall: Our scores ran 0.1 to 0.2 points higher than our industry peers.
- OT Security: We were significantly higher than peers, a direct result of partnerships with engineering, supply chain, and plant IT that we started back in 2016.
We reported success, not because we hit an arbitrary "3.5," but because we could map every improvement back to a business objective.
The Takeaway
If you are a CISO facing the "What's the target?" inquisition, remember:
- Benchmark Broadly: Ensure your peers are actual peers (including OT/Manufacturing).
- Create a Feedback Loop: Ask your Board what they are worried about (AI, Quantum, Supply Chain) and build your agenda around that.
- Report on Risk, Not Math: Educate the Board that if you manage the risk and build the partnerships, the score takes care of itself.
We stopped chasing targets, and in doing so we caught up to, and passed, the competition without overspending, keeping our OpEx flat.