Cyber security use case

Writing the board cyber-risk report

The paper is due Friday. It has to be honest without spooking the room, and it has to end in the decisions you need. Here is how to make AI write one that is about your company, not any company.

In short

A security leader writing the board cyber-risk report needs a paper that names real exposure in the board's language and ends in the two or three decisions they need, not a fluent status update. Commodity AI writes the generic version: tidy headings, confident tone, nothing true about your quarter. The Havruta Methodology (formerly the Think Partner Methodology) makes the machine play the sceptical director and request what actually changed this quarter, where you are outside appetite, and what you need the board to decide, before it drafts. This is not a reporting tool. It is how the leader reasons with AI on the paper they have to defend.

01 · The situation

The situation

A four-page paper is due Friday for the risk committee. It has to be honest about exposure without tipping the room into the wrong reaction, and it has to land the two or three decisions you actually need: the spend, the acceptance, the mandate. The directors do not speak in mean-time-to-respond and patch percentages. The hard part is not what you know. It is the forward-looking judgement about what to watch and why it matters to the business, the part boards say is most often missing.

02 · The vending machine

What commodity AI does with it

Ask for "a board cyber risk report" and you get a paper that could belong to anyone: clean structure, generic risk categories, a confident register, and nothing true about your quarter. It writes in the technical language you are trying to leave behind, or it over-rotates into reassurance that decides nothing. Either way it cannot make the translation the task actually is, from operational reality into a governance decision the board can own.

03 · The Flip

The Flip: the sceptical non-executive

The move is to make the machine play the non-executive director who will ask the one question you hoped to skip. Instead of drafting your narrative, it attacks it: where is this vague, where are you claiming comfort you have not earned, and what will the audit chair want in money rather than percentages. A paper that survives that interrogation before the meeting is a different paper.

04 · Ground Truth

What the machine must ask before it drafts

Before it writes a line, it requests the inputs that make a board paper yours rather than anyone's:

  1. What actually happened this quarter, the real incidents, near-misses, and the trend against last period?

  2. What is your stated risk appetite, and where are you currently outside it?

  3. What are the two or three decisions you need from this board: the spend, the acceptance, the mandate?

  4. Who is in the room, and what did they challenge last time?

  5. Which risks can you put in business or financial terms, and which are you still carrying as technical only?

That request is Ground Truth: the machine reasons from your quarter and your board, not a plausible average.

A worked dialogue

You

Draft the board cyber risk update for Friday.

The machine

A paper I write cold will read like anyone's. What changed this quarter that the board does not already know, and is any of it outside your stated appetite?

You

Third-party exposure is up after a supplier incident, and we are over appetite on unremediated criticals in one business unit.

The machine

Then those are your two headlines, and each needs a decision, not a status. Do you want the board to fund the supplier-assurance work, accept the residual, or mandate remediation on a clock? And can we put the supplier risk in money rather than a count?

You

Fund the assurance work. And yes, finance has a loss estimate.

The machine

Good. I will lead with those two decisions, carry the figure, and pre-empt the accountability question the audit chair asked last time. Let me draft it so it survives that question.

05 · The artefact

What you walk away with

A board paper pre-stressed against the hardest question in the room: each exposure tied to a decision the board is asked to make, the forward-looking watch-list the directors said was missing, and the technical reality translated into the governance register. You walk in with a position, not a status update.

06 · The starter

The 4-Lines you can run yourself

The 4-Lines board cyber-risk report
  1. Act as a sceptical non-executive director on my risk committee who will probe every soft claim.

  2. Goal: a four-page board paper that names our real exposure this quarter and ends in the two or three decisions I need, in the board's language.

  3. Ask me detailed questions and for supporting data before drafting: what changed this quarter, where we are outside appetite, the decisions I need, who is in the room. Challenge anything vague.

  4. Ask one question at a time, step by step.

07 · Frequently asked

Frequently asked questions

How should a CISO present cyber risk to the board with AI?

By making AI interrogate the paper before it writes it. Have the machine play the sceptical director and request what actually changed this quarter, where you are outside appetite, and the decisions you need, so the draft is about your company and ends in choices the board can own, rather than a generic status update.

Is this a GRC or board-reporting tool?

No. It does not aggregate metrics or generate dashboards. It changes how you, the leader, reason with AI on the paper you present and defend.

How do I get cyber risk into business or financial terms?

By naming, for each headline risk, the decision it requires and the exposure it carries, in money where you have it, rather than a technical count. The methodology makes the machine ask for that translation instead of writing around it; expressing exposure as loss is a recognised discipline that helps a board prioritise.

Why does the generic AI version fail with boards?

Because a board paper's job is translation, from operational reality into a governance decision, and a model writing from generic knowledge cannot make that translation for your quarter, your appetite, and your room. It produces something fluent that says nothing true about you.

Where do we start?

The board paper is a recurring artefact in the Executive 1-1 Coaching Programme. A Strategic Briefing maps the right entry point.

Walk in with a position, not a status update.