Accepting a Chief Information Security Officer’s report at face value is a failure of governance. Passive acceptance is not oversight, and it exposes directors to personal liability under Australian law.
By 2026, the standard for director oversight of digital risk will be fundamentally reshaped. The commencement of the Cyber Security Act 2024 on March 4, 2026, will formalise new obligations for the boards of critical infrastructure assets. This legislation, combined with escalating regulatory pressure from ASIC and APRA, means that demonstrating active, critical, and informed oversight is no longer optional. It is the only defensible position for a director in the event of a significant cyber incident.
The Director’s Fiduciary Duty: Why Challenging the CISO is Mandatory
Your duty of care and diligence under the Corporations Act 2001 requires you to engage with, and test, the information presented to you. In the context of cyber risk, this means you cannot simply defer to technical experts. The board is accountable for setting the organisation's risk appetite and ensuring management operates within it. A CISO report is a critical input to that process, but it must be validated, not just received.
The act of challenging a report is not an act of mistrust. It is the mechanism by which you fulfil your legal obligations. Passive acceptance of complex, technical information without asking probing questions may be interpreted by regulators as a failure to exercise due care. The landscape has shifted permanently. Cyber is a core business risk that directly impacts financial performance, reputation, and market standing. It must be governed with the same rigour as any other material financial or operational risk.
This is the essence of ‘defensible oversight’. It is the practice of actively interrogating information, questioning assumptions, and documenting the board’s engagement in minutes. This creates a defensible record demonstrating that directors took reasonable steps to understand and oversee the management of a critical business risk. It is your primary shield against regulatory action and shareholder litigation following a breach.
Australian Legal Frameworks and Director Liability
Several interlocking pieces of legislation set the standard for board-level accountability. APRA’s prudential standard CPS 234 has long established stringent requirements for information security for regulated entities, placing ultimate accountability on the board. For directors of other organisations, the privacy and corporations laws create significant personal risk.
The interaction between the Privacy Act 1988 and state laws like the Crimes Act 1900 (NSW) creates a complex liability environment. A failure to protect personal information can lead to severe penalties, and directors can be held accountable. Regulators like ASIC are increasingly focused on cyber disclosures and the representations made to the market. A misleadingly positive CISO report, if accepted by the board and reflected in public statements, could be viewed as a breach of continuous disclosure obligations.
The new Cyber Security Act 2024 will introduce further obligations, including mandatory incident reporting and risk management program requirements for specified entities. These duties fall squarely on the organisation’s leadership. Understanding how to challenge a CISO report in a board meeting is now a fundamental skill for survival. It is central to proving you have established and maintained a sound governance framework, a topic I discuss further in the context of regulatory settlement agreements.
From the Boardroom
I recall a board meeting for a listed company where the CISO presented a clean dashboard. Every metric was green. Patches were applied, alerts were low, and compliance checks were passed. On the surface, it was a picture of health. The presentation was confident and reassuring.
Yet one director asked a simple question that was not on the dashboard. He asked: “When was our incident response plan last tested against a ransomware scenario involving a compromised supply chain partner?”
The room fell silent. The CISO admitted the plan had not been tested in over 18 months. More importantly, the test that was run did not simulate the failure of a critical third party. The all-green dashboard measured operational activity, but it completely missed a major gap in strategic resilience. The report showed we were doing things right, but it failed to show if we were doing the right things. That moment was a lesson in the critical difference between operational reporting and true governance oversight.
Spotting the Red Flags: How to Identify ‘Vanity Metrics’ in Cyber Reporting
A common failure in board reporting is the presentation of operational data as a proxy for governance effectiveness. CISOs often report on what is measurable, not necessarily what is meaningful to a director. Your role is to distinguish between this ‘operational noise’ and the ‘governance reality’.
Operational noise includes metrics like the number of vulnerabilities patched, the volume of phishing emails blocked, or system uptime percentages. While important for the IT team, these numbers provide little insight into the organisation’s actual risk posture. They describe activity, not outcomes.
Look for these red flags in the reports you receive:
- Lack of Trend Analysis: A report showing 1,000 vulnerabilities were patched this month is meaningless. Is that number increasing or decreasing over time? What is the trend in critical, unpatched vulnerabilities on systems that support key business processes? Data without trends is not information.
- Missing Business Context: A report stating that a key system is 99% patched is a technical metric. The board needs to know the business impact of the 1% that remains unpatched. If that 1% relates to a vulnerability that could halt your entire payment system, the risk is material regardless of the high-level percentage.
- The Illusion of Green Dashboards: A report where every indicator is ‘green’ should be met with extreme scepticism. It often indicates that the metrics are not calibrated to the organisation's actual risk appetite or that the CISO is hesitant to deliver bad news. A mature and transparent reporting culture will always highlight areas of concern or elevated risk. A lack of bad news is, itself, bad news.
Technical Jargon vs. Board-Ready Insights
Your CISO must be capable of translating technical concepts into business risk language. It is your right and your duty to demand this. If you are presented with acronyms and technical terms you do not understand, you must stop the presentation and ask for a plain English explanation.
For example, a statement about ‘unpatched CVEs’ should be reframed as ‘a known software flaw that, if exploited, could cause a two-day interruption to our manufacturing operations, costing an estimated $5 million in revenue’. This is the level of translation required for effective board oversight. You must demand that all cyber reporting is explicitly linked to the organisation’s approved risk appetite statement. If the CISO cannot draw a clear line between their metrics and the board's stated tolerance for risk, the reporting is failing. An independent governance assessment is often the first step in establishing this critical baseline.
The Interrogation Framework: 5 Questions Every Director Must Ask
To effectively challenge a CISO report in a board meeting, you do not need to be a technical expert. You need a framework of questions that test the assumptions and validate the governance supporting the data. These five questions are designed to cut through operational noise and get to the heart of defensible oversight.
- ‘What is the gap between our current security posture and our stated risk appetite?’
This question forces a direct comparison between performance and policy. A good CISO should be able to articulate precisely where the organisation is operating outside of its approved risk tolerance. The answer reveals whether the board’s strategic guidance on risk is actually being implemented.
- ‘How do we know our critical controls are working effectively right now?’
Many reports show that controls exist, but not that they are effective. The answer to this question should involve evidence from independent testing, such as penetration tests or recent audit findings. It tests the ‘trust but verify’ principle and moves beyond assertions to evidence.
- ‘What are the three most critical risks that could stop us from operating tomorrow, and how are we treating them?’
This focuses the conversation on existential threats. It moves away from a long list of minor risks to the concentrated, material risks that matter at a board level. The CISO’s response should be clear, concise, and directly linked to specific business processes like payroll, customer fulfilment, or production.
- ‘Is our cyber strategy funded for compliance or for resilience?’
This question uncovers the strategic intent behind the cyber security budget. A budget focused on compliance aims to meet minimum regulatory standards. A budget focused on resilience aims to ensure the organisation can withstand and recover from a sophisticated attack. The answer reveals the organisation's true ambition and preparedness level.
- ‘How is our strategy adapting to systemic threats like AI-driven attacks and supply chain compromise?’
This final question tests whether the cyber strategy is forward-looking. A static strategy is already obsolete. The CISO must demonstrate an understanding of the evolving threat landscape and explain how the organisation’s defences are being adapted to counter next-generation threats. This is a key component of a modern board cyber governance strategy.
Moving Toward Defensible Readiness
Asking these questions is the first step. The next is to ensure the process is documented. Your challenges, and the responses from management, must be recorded in the board minutes. This record is a crucial piece of evidence that the board is actively engaged in its oversight duties. It is the foundation of a defensible position in any subsequent regulatory investigation.
Furthermore, the board should not rely solely on the CISO’s internal reporting. The ‘trust but verify’ model is best practice. This involves engaging independent advisors periodically to validate the information presented to the board and provide an external, unbiased perspective on the organisation’s true risk posture. This external validation is a powerful demonstration of due diligence.
Taking the Next Step in Governance
Reviewing reports is a critical, but passive, activity. To truly test the organisation’s resilience, the board must move toward active assurance. This includes participating in board-level incident simulations to test decision-making under pressure and commissioning deep-dive reviews of governance in critical areas.
Effective oversight is an active, continuous process. It requires courage to ask difficult questions and a commitment to demanding clarity. By adopting a structured framework for interrogation, you can transform the CISO reporting process from a technical update into a powerful tool for strategic governance.
Frequently Asked Questions
What is the most important metric a board should look for in a CISO report?
There is no single metric. The most important element is context. A board should look for metrics that are trended over time, benchmarked against peers, and directly mapped to the organisation's specific risk appetite statement. The key is to see reporting that translates technical data into potential business impact.
How can a non-technical director effectively challenge a technical CISO?
By focusing on governance, not technology. Ask questions about business outcomes, risk, and process. Use the interrogation framework above. Questions like ‘How does this investment reduce our risk of a material business interruption?’ or ‘How do we know this control is working?’ do not require technical expertise but cut to the core of effective oversight.
What happens if the board ignores a warning in a CISO report?
Ignoring a documented warning is a significant failure of a director's duty of care. If a subsequent incident occurs related to that warning, regulators and courts will likely view the board’s inaction as negligent. It creates immense personal liability for directors and would be extremely difficult to defend.
How often should the CISO present to the board in Australia?
For most large or complex organisations, the CISO or an equivalent senior technology risk leader should present at every board meeting. Cyber risk is a dynamic, persistent business threat, not a quarterly IT issue. The frequency should reflect the risk profile of the organisation, but a quarterly update is now widely considered insufficient for demonstrating adequate oversight.
If this resonates, I would welcome a conversation.
Cyber Governance Deep Review
aradvice.com.au/contact.html
