Boards Give CISO Cybersecurity Reporting a Mixed Grade

March 24, 2026
New data shows boards rate CISO updates as strong on today’s cyber risk but weak on emerging threats and AI risk. Here’s what the numbers reveal.
IANS Faculty

Most boards now receive cybersecurity updates on a regular cadence. But does “regular” mean “effective”? According to new data from the 2026 CISO-Board Engagement Report (a joint study by IANS Research, Artico Search, and The CAP Group), the answer depends entirely on what you’re measuring.

When it comes to CISO board cybersecurity reporting, directors are drawing a clear distinction: updates that describe where things stand today are received reasonably well. Updates that help them anticipate where things are headed are not.

Overall Effectiveness: Only 29% of Directors Say Cyber Updates Are “Very Effective”

According to board directors surveyed for the 2026 report, just 29% describe the cybersecurity updates they receive as very effective. A majority (53%) say updates are only somewhat effective, while 18% are neutral.

That overall picture is mediocre, but it masks a more specific and actionable finding. When directors rated quality across six key reporting areas, a consistent pattern emerged: reporting on current-state risk and program operations is working. Reporting on future risk is not.

Where CISO Board Cybersecurity Reporting Is Working

Board directors gave their highest quality marks to topics tied to governance and current-state program management:

  • Regulatory trends affecting risk: 82% of directors rated this area as good/satisfactory (53%) or excellent (29%), representing the strongest result across all six topics.
  • Cyber program key initiatives: 70% rated quality as good/satisfactory (41%) or excellent (29%).
  • Cybersecurity budget and resourcing: 62% rated quality as good/satisfactory (31%) or excellent (31%), the highest excellent rating of any category.

These results suggest CISOs have made meaningful progress on the operational and compliance dimensions of board reporting. Directors feel adequately informed about how security programs are resourced, what they’re focused on, and how they map to regulatory requirements.

Figure 3: Bar chart showing board directors’ assessment of CISO cybersecurity update quality by topic, 2026 CISO-Board Engagement Report

Where CISO Board Cybersecurity Reporting Is Falling Short

The gaps emerge sharply on forward-looking risk topics:

  • Impact of evolving threats: 53% of directors said quality needs improvement, the worst-rated area in the entire study. Only 6% rated it excellent.
  • AI and emerging tech trends: 47% rated this area as needing improvement, with only 12% rating it excellent.
  • Cyber business risk assessment: 41% said this area needs improvement, and only 6% found it excellent.

More than half of board directors feel their CISOs are not adequately preparing them to understand how fast-moving threats, especially AI-driven ones, could shift the organization’s risk trajectory. Boards that aren’t hearing about these dynamics from their CISOs are making oversight decisions with incomplete information.

Brian Walker, founder and CEO of The CAP Group, frames the stakes clearly: "AI is now a primary driver of cyber risk, enabling more sophisticated attacks while also introducing new forms of loss as AI models become high-value assets. AI and cybersecurity are inextricably linked, and boards must understand the business risks of both."

What This Means for CISO Board Cybersecurity Reporting Strategy

The Figure 3 data from the 2026 report points to a specific, addressable gap. The current-state metrics, program updates, and compliance summaries that anchor most board presentations are performing adequately. What’s missing is a forward-looking layer: horizon scanning, emerging threat scenario analysis, and clear articulation of how AI-related risks could alter the organization’s trajectory.

For CISOs, the implication is not about adding more content to board presentations; it’s about reframing the narrative. Shifting from “here is where we are” to “here is what we are watching and why it matters to our business strategy” is exactly the kind of elevation that board directors say they want from CISO board cybersecurity reporting.

As one board director at a publicly listed company noted in the report: "We get a clear picture of the current risk posture, but I'd like updates to focus more on what's coming next: how emerging threats, including AI-driven risks, could shift our trajectory and what adjustments we should be considering."

Get the complete CISO-Board Engagement Report now!

New data from IANS Research, Artico Search, and The CAP Group shows that while 95% of CISOs brief their boards regularly, those discussions often center on compliance rather than strategic risk. The 2026 CISO-Board Engagement Report, based on surveys of board directors and more than 663 CISOs, reveals where expectations diverge and how leading security leaders close the gap. The report highlights why cadence doesn’t equate to depth, why boards believe CISOs underdeliver (including on emerging threats and AI risk), and why only 15% of CISOs help shape strategy. Download the snapshot to gain practical, data-backed guidance for improving board-level cyber reporting, strengthening trust, and elevating cybersecurity conversations in the boardroom, and reach out if you’d like to discuss what these findings mean for your organization.
