Your cyber report tells the board what was detected. It rarely tells the board what it actually needs to know.

Thomas Collins, GAICD.

Most boards get a cyber update that looks reassuring. A patching percentage. A phishing click rate. A red, amber or green status. And somewhere near the top, the line every director wants to read: no material incidents this quarter.
It feels like assurance. It is closer to the opposite.
“No incidents detected” and “no incidents occurred” are different statements. The first depends entirely on what the organisation is capable of seeing. A board that cannot tell the two apart is governing on faith, not evidence.
The report most boards read
The standard cyber dashboard reports activity. It counts what the security team did. Tickets closed, systems patched, training completed. Activity is easy to measure and comfortable to present. It answers the question “are we busy?”
It does not answer the question the board owns: are we resilient? Could we detect a serious intrusion, contain it, and keep operating? Would we know within hours, or find out from a regulator, a customer, or the front page?
Those are governance questions. They rarely appear on the dashboard, because the people who build the dashboard are graded on activity, not on the honesty of their blind spots.
Why the green light misleads
A quiet quarter has two possible explanations. Either nothing happened, or the organisation could not see what happened. The board pack almost never distinguishes between them. Detection capability, the thing that decides which explanation is true, is the one number that is hardest to put a confident colour against.
So the board is handed the comforting reading and not the uncomfortable uncertainty behind it. Over several green quarters, confidence hardens. Then an incident lands that was sitting inside the network the whole time, and the question in the room is always the same. How did we not know?
What to ask instead
The fix is not more technical detail. It is sharper questions that move the conversation from activity to resilience. A director does not need to read a firewall log to govern cyber risk well. They need to test whether the assurance holds.
FIVE QUESTIONS THAT GET BEHIND THE DASHBOARD
When did we last test our ability to detect an intrusion, rather than receive a report that says we can?
If our most critical system went down at 5pm on a Friday, what is our honest recovery time, and who has actually rehearsed it?
Which of our third parties could take us offline, and how would we even know they were breached?
What is the one scenario our security team is most worried about, and what is stopping us from closing it?
Does the board get information that lets it govern cyber risk, or status updates that ask it to trust the colour?
The value is in the second-order answer. Ask any capable security leader these questions and the useful response is rarely a number. It is a pause, then an honest account of where the confidence runs out. That is the line of sight a board is supposed to have.
Why this matters now
The regulatory floor is rising under boards as they read. From 1 July 2026 the Scams Prevention Framework places its first obligations on banks, telecommunications providers and designated digital platforms, treating scam and fraud exposure as an enterprise duty rather than an operational task. The SOCI critical-infrastructure reforms are firming up enhanced risk-management duties across cyber, supply chain, personnel and physical security. Ransomware payment reporting is already being enforced.
None of that is governed by a green light. It is governed by a board that knows the difference between being told it is fine and being able to demonstrate it.