Why the awareness report reaches the board too late (and what we fixed in the platform)



I’ve been building awareness platforms for over fifteen years, and I lead the engineering team at SMARTFENSE. From that seat I see a pattern that repeats across almost every organization we work with: the CISO does serious work, builds the report, takes it to the board, and still leaves the meeting without having moved a single decision.

The problem isn’t the CISO or the data. It’s the path the data travels to reach the table: when it’s built, how fresh it is when it arrives, and in what format. That’s architecture, and that’s why it lands on me to think about.

Here’s what we see from the side of whoever builds the platform: why board-level awareness reporting arrives late, what the board actually needs, and what we fixed so the answer arrives live. The human part still belongs to the CISO. We take care of the mechanical part.

What does a board actually ask for when it requests “the cybersecurity number”?

We learned this by listening to the CISOs who use the platform. When the board asks for the number, it isn’t asking for a number. It’s asking for a decision that comes already resolved. It needs to answer three things it already has in mind, even if it never phrases them that way:

  • Given what we invested, are we better, the same, or worse than six months ago?
  • If the board puts more resources on the table, what moves, and by how much?
  • What happens if we do nothing over the next cycle?

If the report puts the board in a position to answer those in thirty seconds, the CISO earns the board’s backing. If it delivers twenty slides of click rates and colored bars, the board is left with a vague intuition and a lukewarm answer. Not for lack of understanding: the report’s format simply leaves no material to decide with.

The investment worth making when building the report is to picture the answer the board needs first, then build the data that supports it. What everyone calls “the quarterly report” is not a single object. It’s the top layer of a pyramid with twenty operational dashboards underneath and a single clear decision on top.

What three answers does the board need to hear and almost never receives?

Three answers rarely reach the room complete. The first is where we stand today. Not the click rate of the last phishing simulation, not the percentage of completed courses, but aggregate human risk, with an explicit criterion for what enters the calculation and how it evolved versus three and six months ago. Expressed as a composite number with a trend, the board stops arguing about loose indicators and starts thinking about policy.

The second is where to concentrate the effort. The board doesn’t approve “strengthen awareness”. It approves “allocate X budget to the five most exposed areas over the next ninety days”. With a prioritized list of areas, their exposure, and the expected effect of reinforcement, the board has a binary decision. With a general heat map, it has another meeting.

The third is the counterfactual. What happens to risk if we do nothing? That projection forces everyone to think of awareness as an asset that depreciates, not a one-off expense. It’s the hardest question to ask, because it means admitting that the decision not to decide also carries a cost. And it’s the one that moves the budget needle most.

If the report doesn’t answer those three, the board-level conversation doesn’t advance. It isn’t a data problem. It’s a framing problem.
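The three answers above are a data-shaping problem as much as a framing one, so here is what the top layer of that pyramid can look like in code. This is an added illustration, not code from the post or from SMARTFENSE, and it says nothing about how Insight Agent computes anything: the area figures, the weights, the reinforcement effect and the depreciation curve are all constructed assumptions, chosen only so that each of the three answers comes out of the same small dataset. The one design point worth noticing is that areas are ranked by exposure (score times active headcount) rather than by rate, which is what makes the list a budget decision instead of a heat map.

```python
"""Board-level human-risk view: composite score with trend, ranked areas with
the expected effect of reinforcement, and a do-nothing projection.

Illustrative example with constructed data and assumed weights. Not SMARTFENSE
code and not a description of how Insight Agent derives its answers.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Area:
    name: str
    headcount: int       # active employees only: departures already removed
    click_rate: float    # share of simulated phishing that was clicked
    report_rate: float   # share of simulated phishing that was reported
    training_gap: float  # share of mandatory training not completed


# Explicit criterion for what enters the composite (assumed weights, sum to 1).
WEIGHTS = {"click_rate": 0.5, "training_gap": 0.3, "non_report": 0.2}

# Constructed "today" snapshot for four areas (not real customer data).
TODAY: List[Area] = [
    Area("Finance", 40, 0.20, 0.30, 0.10),
    Area("Sales", 60, 0.30, 0.20, 0.40),
    Area("Engineering", 100, 0.05, 0.60, 0.05),
    Area("Operations", 50, 0.15, 0.25, 0.20),
]
# Constructed composites from the two previous quarterly snapshots.
HISTORY = {"three_months_ago": 0.28, "six_months_ago": 0.31}


def area_score(a: Area) -> float:
    """Per-area human risk in [0, 1]; higher is worse."""
    return (WEIGHTS["click_rate"] * a.click_rate
            + WEIGHTS["training_gap"] * a.training_gap
            + WEIGHTS["non_report"] * (1.0 - a.report_rate))


def composite(areas: List[Area]) -> float:
    """Headcount-weighted aggregate: one number for the whole organization."""
    total = sum(a.headcount for a in areas)
    return sum(area_score(a) * a.headcount for a in areas) / total


def trend(today: float, three_months_ago: float, six_months_ago: float,
          tolerance: float = 0.01) -> Dict[str, object]:
    """Answer 1: better, the same, or worse than six months ago?"""
    delta_6m = today - six_months_ago
    if delta_6m < -tolerance:
        verdict = "better"
    elif delta_6m > tolerance:
        verdict = "worse"
    else:
        verdict = "same"
    return {"today": round(today, 4),
            "delta_3m": round(today - three_months_ago, 4),
            "delta_6m": round(delta_6m, 4),
            "verdict": verdict}


def rank_areas(areas: List[Area], top_n: int = 5) -> List[Tuple[str, float]]:
    """Answer 2: where to concentrate effort. Exposure = score x headcount
    (expected people at risk), so a large area with a modest rate can outrank
    a small area with a bad one."""
    exposure = [(a.name, round(area_score(a) * a.headcount, 2)) for a in areas]
    return sorted(exposure, key=lambda x: x[1], reverse=True)[:top_n]


def expected_effect(areas: List[Area], targets: List[str],
                    click_reduction: float = 0.30) -> float:
    """Drop in the composite after reinforcing the target areas, assuming
    reinforcement lowers their click rate by a relative fraction (assumed 30%)."""
    reinforced = [replace(a, click_rate=a.click_rate * (1 - click_reduction))
                  if a.name in targets else a for a in areas]
    return composite(areas) - composite(reinforced)


def project_do_nothing(score: float, months: int,
                       baseline: float = 0.60, monthly_drift: float = 0.05) -> float:
    """Answer 3: the counterfactual. Awareness depreciates: with no reinforcement
    the composite drifts each month by a fixed fraction of the remaining gap
    toward an assumed untrained baseline (closed form of r_{t+1} = r_t + d*(b - r_t))."""
    return baseline - (baseline - score) * (1 - monthly_drift) ** months


def board_summary(areas: List[Area], history: Dict[str, float]) -> Dict[str, object]:
    """The three answers in one object, ready to project in the room."""
    today = composite(areas)
    top = rank_areas(areas, top_n=2)
    targets = [name for name, _ in top]
    return {
        "trend": trend(today, history["three_months_ago"], history["six_months_ago"]),
        "priority_areas": top,
        "expected_drop_if_reinforced": round(expected_effect(areas, targets), 4),
        "projected_if_nothing_3m": round(project_do_nothing(today, 3), 4),
    }


if __name__ == "__main__":
    for key, value in board_summary(TODAY, HISTORY).items():
        print(f"{key}: {value}")
```

With the constructed data, Engineering has the lowest rate of the four areas but ranks third by exposure because of its headcount, while Finance, with a worse rate and forty people, comes last; that is the difference between a heat map and a prioritized list.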

Why don’t CISOs deliver that report today?

They have the ability. What they lack is time, and the data reaches them stale.

When we look at how a board report is built today, we always find the same artisanal flow. The Friday before the meeting, someone on the team exports the awareness platform report, cross-references it against the active headcount list, cleans out departures, builds pivot tables, hunts for a credible external figure for context, pastes it into three slides, anticipates two questions and prays about the third. Four to six hours if everything is at hand. More, if the last campaign had scope changes.

The result, at best, reflects the snapshot from two weeks ago. But the board operates at the pace of the business: if there was an incident the week of the meeting or the landscape shifted, the report is already useless. And no one is going to rebuild the charts at eleven on a Sunday night.

This isn’t a criticism of the CISO. It’s the description of a manual process that made sense when the board accepted waiting for the quarterly cycle. Today demand moves at the pace of the conversation and leaves the calendar behind. That gap between how the report is built and how the business needs it is a data-architecture problem, and it’s exactly the kind of problem you solve in the platform, not in the spreadsheet.

What changes when the CISO asks the question in natural language?

The center of gravity of the conversation changes. The CISO stops being the one who executes the report and becomes the one who decides which question was worth asking.

Picture the scene, which is already happening with the first teams trying it. The board is in session. Someone asks something that wasn’t on the agenda: “which five areas have the highest human risk, and how much would it drop if we reinforce the phishing simulation in them over the next quarter?” The CISO asks the platform that same question in plain language and projects the answer two minutes later. Areas, exposure, expected effect, cost of the reinforcement. The decision is made in the room.

What matters isn’t the tool. It’s the transfer: the CISO recovers operational hours, the board gets answers tailored to its questions, and the board-level conversation stops being a translation exercise and becomes a real-time dialogue.

We built that layer at SMARTFENSE and called it Insight Agent. It’s one of the capabilities we designed for mature programs, and it’s currently in its early-adopter stage: we’re refining it with the first teams using it on their own data. It doesn’t replace the CISO; it gives them the operational speed they don’t have today. The question still belongs to the person at the table. The difference is that now they can answer it right there.

This lines up with a message we’ve kept consistent at SMARTFENSE for years, and it’s worth reading in full: AI cannot replace human guidance in awareness. It accelerates, amplifies, frees up time. Replacing is something else.

What technical conditions must an AI agent meet to serve the board?

If you’re going to lean your reporting on an agent, there are four minimum conditions. I’ll give them from the side of whoever designs the system, because they’re architecture decisions before they’re interface ones.

  1. Access to the program’s live state. The agent has to query the platform’s real data at the moment, not improvise from a general model. If the answer to the board depends on stale numbers, the problem is still intact.
  2. Dashboards built on demand. The board’s question rarely fits a pre-built dashboard. If the agent only navigates predefined visualizations, everything ends up back in a spreadsheet.
  3. Automatic distribution to the right recipient. The quarterly executive summary should reach the board without someone building and sending it by hand. Speed of response matters less than speed of circulation.
  4. Awareness-program context, not a generic chatbot. An assistant that answers about everything is an assistant that answers nothing useful. For the board it has to know the program’s logic: campaigns, audiences, metrics, regulations, history.

If the tool you’re evaluating meets those four points, the operational difference shows up fast. If it meets only two, you’ll have a tidy chatbot and a spreadsheet running in parallel.

How mature is the CISO-board conversation today?

Most organizations are on one of four rungs. The first is compliance: the board only listens to the CISO when there’s an audit. The second is operational KPIs: the CISO presents quarterly rates and the board nods. The third is risk narrative: the CISO builds a story connecting the data to decisions, but the cycle is still quarterly. The fourth is actionable conversation: the board asks and the CISO answers with live data in the same meeting.

Few organizations are on the fourth. Most move between the second and the third. The jump to the fourth doesn’t come from the maturity of the CISO as a person. It comes when the cycle between the board’s question and the program’s answer gets shorter, and that cycle is, once again, a platform matter.

That’s the conversation SMARTFENSE wants to enable, and the reason we designed Insight Agent around it. If you want to see it on your own data, reach out to join the early adopters program.

To go deeper into the broader framing, two reads I recommend: is your awareness program measuring what matters? and data-driven decisions with the correlation report. The first helps reframe the metrics; the second shows the operational side of cross-referencing data.


If your CISO leaves the board meeting feeling unheard, my suspicion as an engineer is a different one: they were heard fine, but the report arrived without the freshness or the format to support a decision. That part of the problem is architecture, and that part we can fix.

Mauro Sánchez

CTO of SMARTFENSE, he leads the engineering and development teams. A specialist in cybersecurity and infrastructure, he is responsible for defining and delivering SMARTFENSE’s strategic technology integrations and alliances with other solutions. More than 20 years of experience back his decision-making and implementation of security and technology measures.
