{"id":20972,"date":"2026-06-27T11:00:00","date_gmt":"2026-06-27T11:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/?p=20972"},"modified":"2026-07-09T16:21:59","modified_gmt":"2026-07-09T16:21:59","slug":"supervisory-board-reporting-key-figures","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/06\/27\/supervisory-board-reporting-key-figures\/","title":{"rendered":"Five Metrics the Supervisory Board Actually Understands"},"content":{"rendered":"<p style=\"color:#69d8ed;font-size:0.9em;margin:0 0 16px;padding:0;\">6 min read<\/p>\n<p><strong>A scene from the supervisory board meeting: forty slides, a million blocked attacks in a bar chart, a green compliance dashboard. The board nods and asks no questions. Three months later a core process goes down for two days. The same board members ask why nobody had the risk on their radar. The problem wasn&#8217;t too little reporting. It was the wrong kind. Whoever counts blocked attacks delivers activity. Whoever makes strategic risk visible delivers a basis for decisions. That difference decides whether a CISO gets taken seriously.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li><strong style=\"color:#69d8ed;\">The BSIG binds management, not the board:<\/strong> Section 38 obligates the management to implement risk management measures and to monitor their implementation. A direct reporting line from the CISO to the supervisory board isn&#8217;t specified there.<\/li>\n<li><strong style=\"color:#69d8ed;\">The information requirement comes from corporate law:<\/strong> The supervisory board oversees management under Section 111 of the German Stock Corporation Act (AktG), and management must report on the company&#8217;s situation at least quarterly. Cyber risk is part of that situation.<\/li>\n<li><strong style=\"color:#69d8ed;\">Five metrics are enough:<\/strong> control effectiveness, recovery capability, third-party status, response readiness, and a forward-looking threat outlook. Four show a trend, the fifth is a forward-looking picture. Each one has a clear link to the business.<\/li>\n<li><strong style=\"color:#69d8ed;\">Volume metrics don&#8217;t belong in the boardroom:<\/strong> blocked attacks, firewall alerts, and green checkmarks create the appearance of security without carrying any weight for a strategic decision.<\/li>\n<\/ul>\n<\/div>\n<p style=\"font-size:0.88em;color:#b8c5ce;margin:20px 0 32px 0;border-top:1px solid rgba(230,227,218,0.12);border-bottom:1px solid rgba(230,227,218,0.12);padding:10px 0;\"><span style=\"color:#69d8ed;font-weight:700;text-transform:uppercase;font-size:0.72em;letter-spacing:0.14em;margin-right:14px;\">Related:<\/span><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/23\/which-decision-rights-of-the-ciso-must-be-documented-in-writing\/\" style=\"color:#333;text-decoration:underline;\">Which decision-making rights of the CISO need to be documented in writing<\/a>&nbsp;&nbsp;<span style=\"color:#ccc;\">\/<\/span>&nbsp;&nbsp;<a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/24\/part-time-ciso-what-can-be-outsourced-and-what-must-remain-in-house\/\" style=\"color:#333;text-decoration:underline;\">Part-time CISO: what can stay external, what has to stay in-house<\/a><\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">What belongs in cyber reporting to the supervisory board?<\/h2>\n<p><strong>What is board reporting in a cybersecurity context?<\/strong> Board reporting is the condensed, decision-oriented reporting on the cyber risk situation to the supervisory or oversight body. It translates the technical security status into a handful of strategic metrics with trend and business relevance, so the board can assess the effectiveness of the security measures without getting lost in operational tally sheets.<\/p>\n<p>The most common mistake is confusing effort with insight. I&#8217;ve seen reports that listed every firewall rule and every fended-off scan across thirty pages. Impressive to look at, worthless for a decision. A supervisory board doesn&#8217;t want to know how many attacks bounced off. It wants to know whether the company survives an attack that gets through. That&#8217;s a different question. It calls for different numbers.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Why Leadership Is Liable and the Supervisory Board Still Needs the Numbers<\/h2>\n<p>The legal situation often gets oversimplified. Section 38 of the BSIG, in force since 6 December 2025, obligates the management of especially important and important entities to implement the risk management measures under Section 30 and to oversee their implementation. Paragraph 3 additionally requires management board members to attend training on a regular basis. A direct reporting line from the CISO to the supervisory board, however, is not found in the BSIG.<\/p>\n<p>The board&#8217;s right to information arises on a different level. The supervisory board oversees management under Section 111 of the AktG, and for a GmbH with a supervisory board, Section 52 of the GmbHG applies accordingly. At a stock corporation, the management board reports to the supervisory board under Section 90 of the AktG at least quarterly on the course of business and the company&#8217;s situation. At a GmbH with an optional supervisory board, the reporting rhythm follows from the board&#8217;s right to information and the company&#8217;s information policy, in practice usually also quarterly. A cyber risk that threatens the availability, integrity, or confidentiality of business-critical services falls squarely within that situation. What follows is a structured information requirement, not a separate board-reporting law.<\/p>\n<p>For the CISO, this has a practical consequence. His report is formally addressed to management, which needs it to fulfil its oversight duty under Section 38 and to answer to the supervisory board. Good reporting puts leadership in a position to report competently. That is exactly the lever many security leaders underestimate.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Five Metrics That Support a Decision<\/h2>\n<p>The following five indicators cover the strategic information requirement. They are not a legally mandated list. They derive from the minimum measures of Section 30 Paragraph 2 BSIG and translate them into a language a control body from other risk domains already knows.<\/p>\n<div style=\"overflow-x:auto;-webkit-overflow-scrolling:touch;margin:16px 0 32px 0;\">\n<table style=\"width:100%;min-width:640px;border-collapse:collapse;margin:0;font-size:0.95em;\">\n<thead>\n<tr style=\"border-bottom:2px solid #69d8ed;\">\n<th style=\"text-align:left;padding:10px 12px;\">Metric<\/th>\n<th style=\"text-align:left;padding:10px 12px;\">What it answers<\/th>\n<th style=\"text-align:left;padding:10px 12px;\">Replaces the theater of<\/th>\n<th style=\"text-align:left;padding:10px 12px;\">BSIG reference<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Control effectiveness<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Does what we decided actually work?<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Green compliance checkmarks, certificate slide<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Section 30 Para. 2 No. 6 (effectiveness assessment)<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Recovery capability<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">How fast do core processes come back after an outage?<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">&#8220;Backups are running&#8221; without recovery proof<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Section 30 Para. 2 No. 3 (operations, backup, crisis management)<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Third-party status<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Which critical dependencies remain unchecked?<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Total count of active SaaS contracts<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Section 30 Para. 2 No. 4 (supply chain security)<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Response readiness<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Could we act under pressure?<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Number of blocked attacks, alert volume<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Section 30 Para. 2 No. 2 (incident handling)<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Threat landscape (forward look)<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Which initiative is changing our risk?<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Static risk matrix, unlinked CVE list<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Section 30 Para. 2 No. 1 (risk analysis)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p><strong>Control effectiveness.<\/strong> The share of business-critical controls that reach a defined effectiveness threshold, shown with the change versus the prior quarter and the three largest open gaps along with the planned closure date. Examples include multi-factor authentication coverage on privileged accounts, patch-deadline compliance on internet-facing systems, or logging coverage. The board recognizes the same audit pattern here as with internal financial controls. The traffic-light color is secondary, the trend is the message.<\/p>\n<p><strong>Recovery capability.<\/strong> For defined critical business processes, the recovery time achieved in drills or real incidents and the maximum tolerated data loss, plus the date of the last successful recovery exercise. This metric translates technical resilience into business downtime, a figure every supervisory board recognizes from production or logistics. The number of successful backups says nothing, though, as long as recovery has never actually been tested.<\/p>\n<p><strong>Third-party status.<\/strong> The share of critical suppliers with a current risk assessment, the open high-risk findings, and a flag for concentration when a single vendor carries several core functions. Third parties are strategic dependencies. Dependency is a language a control body understands. I have described elsewhere in more detail how a supply chain risk becomes a manageable program.<\/p>\n<p><strong>Response readiness.<\/strong> For relevant incidents and exercises, not everyday alerts, three things count: time to containment, whether escalation paths held, and the implementation status of measures from the post-incident reviews. As a governance indicator, the status of reporting obligations under Section 32 BSIG can be added. The central question after a real incident isn&#8217;t how many attacks bounced off. It&#8217;s whether the team could handle the one that got through.<\/p>\n<p><strong>Threat landscape as forward look.<\/strong> The only forward-looking figure in the set, and also the most important. It is less a number than a structured situational picture. Which ongoing business initiatives are changing the risk position, such as a cloud migration, an AI rollout, or an ERP changeover? Which new threat scenarios are hitting the core industry? For each entry: the expected impact, the planned countermeasure, and the point where the board decides on risk appetite, budget, or an approval requirement. In many meetings, the review of completed programs dominates. The forward look must therefore be prepared deliberately, or it won&#8217;t show up. That exact gap is what a good CISO actively closes.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">What Doesn&#8217;t Belong on the Board&#8217;s Desk<\/h2>\n<p>As important as picking the right five metrics is the discipline to leave the rest out. Operational metrics belong in the CISO&#8217;s report to executive management, in the security team&#8217;s dashboards, in the operational threat picture. On the supervisory board, they do damage: they absorb attention without enabling a decision.<\/p>\n<p>Blocked attacks and firewall alerts are pure volume figures. They rise with company size and say nothing about effectiveness. Patch numbers without reference to an agreed deadline are activity without a yardstick. A green compliance dashboard or a fresh certificate proves that a process was checked once, not that a control holds today. Whoever presents these metrics creates an impression of security that shatters at the first real incident.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">The Rhythm: Quarterly Status, Immediate Exception<\/h2>\n<p>The BSIG sets no reporting frequency for the board. The cadence follows from corporate law. At a stock corporation, the management board reports on the situation at least quarterly under Section 90 of the German Stock Corporation Act (AktG); at a GmbH, a comparable rhythm follows from the right to information and the rules of procedure. Cyber reporting takes its cue from that. The quarterly report shows the current value and trend per metric, the annual report adds strategic program maturity. If a significant incident or a far-reaching IT decision occurs, the ad hoc channel that Section 90 AktG opens through the supervisory board chair kicks in.<\/p>\n<p>A word on the financial sector. For companies falling under DORA, the regulation is the more specific law. There, the management body defines, approves, and oversees the framework for information and communication technology risk management. Under Article 5(4) DORA, its members are subject to their own continuing-education obligation. DORA thus mainly tightens governance and the information flows to the management body. The five metrics remain workable, the cadence toward the supervisory board stays grounded in corporate law and is supplemented by the expectations of financial supervisors.<\/p>\n<p>In the end, good board reporting is an act of translation. A handful of figures, each with a trend or a status picture and a sentence tying it to the business, each with a clear recommendation. That&#8217;s less material than the usual forty slides and considerably more impact. Condensation creates room for the questions that actually matter. And good follow-up questions are what a CISO wants to walk away with from the boardroom.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Every question is locked. A tap unlocks the answer.<\/p>\n<details>\n<summary><strong>What metrics does a supervisory board expect from a CISO?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">The law does not name a fixed list. In practice, five strategic indicators carry the weight: the effectiveness of critical controls, the recovery capability of business-critical processes, the risk status of critical third-party providers, incident response readiness, and a forward-looking threat and change landscape. Each should show trend and business relevance.<\/p>\n<\/details>\n<details>\n<summary><strong>How often should cyber risk be on the supervisory board&#8217;s agenda?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">The BSIG 2025 does not prescribe a fixed frequency for the board. At a stock corporation, the management board reports to the supervisory board under Section 90 AktG at least quarterly on the company&#8217;s situation; at a GmbH with a supervisory board, a comparable rhythm follows from the right to information and the information policy. Cyber reports follow this pattern: quarterly for status and trend, immediately for major incidents or strategic IT decisions.<\/p>\n<\/details>\n<details>\n<summary><strong>What does Section 38 BSIG require of management?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Section 38 obliges the management of especially important and important entities to implement the risk management measures under Section 30 and to oversee their implementation. In addition, under paragraph 3, members of management must attend training regularly. The BSIG does not name a direct reporting line from the CISO to the supervisory board. The CISO reports to management. The supervisory board receives its information through management&#8217;s reporting duty under corporate law.<\/p>\n<\/details>\n<details>\n<summary><strong>Which metrics are unsuitable for board reporting?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Unsuitable are volume-based operational metrics without business relevance: blocked attacks, firewall alerts, patch counts without deadline context, as well as pure compliance checkmarks or certificates without proof of effectiveness. They create an impression of activity but give the board no basis for a strategic risk decision.<\/p>\n<\/details>\n<p><!--ST-LOWER-CARDS lang=de--><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Editor&#8217;s Picks<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/23\/which-decision-rights-of-the-ciso-must-be-documented-in-writing\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/ciso-mandat-entscheidungsrechte-eskalation-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Which decision rights the CISO must have in writing<\/span><\/span><\/a><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/security-stack-konsolidierung-controls-nis2-paragraf-30-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Which controls can&#8217;t disappear when you trim your tool stack<\/span><\/span><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/16\/nis2-after-the-deadline-now-the-bsi-supervision-begins\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/06\/nis2-aufsichtsphase-bsi-pflichten-deutschland-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">NIS2 after the deadline: BSI oversight now begins<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">More from the MBF Media Network<\/h3>\n<p><a href=\"https:\/\/www.digital-chiefs.de\/geopolitik-datacenter-roadmap-lieferketten-capex-cio\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-geopolitik-datacenter-roadmap-lieferkett-8054517-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#e8828d;margin-bottom:5px;\">Digital Chiefs<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Geopolitics hits the data center roadmap: what CIOs need to secure now<\/span><\/span><\/a><a href=\"https:\/\/mybusinessfuture.com\/eu-ai-act-2026-kennzeichnungspflichten-mittelstand\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-eu-ai-act-2026-kennzeichnungspflichten-m-35346140-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">EU AI Act: what mid-sized companies must label<\/span><\/span><\/a><a href=\"https:\/\/www.cloudmagazin.com\/2026\/06\/16\/xfs4iot-cloud-geldautomat-plattform-synaforce\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-xfs4iot-cloud-geldautomat-plattform-syna-61345494.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">XFS4IoT meets the cloud: the ATM becomes a platform<\/span><\/span><\/a><!--\/ST-LOWER-CARDS--><\/p>\n<p>Image source: AI-generated (July 2026)<\/p>\n","protected":false},"excerpt":{"rendered":"Which five key metrics a CISO should report to the supervisory board and why blocked attacks reveal little about the cyber risk situation.","protected":false},"author":50,"featured_media":18201,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"CISO Board Reporting","_yoast_wpseo_title":"Five Metrics the Supervisory Board Actually Understands","_yoast_wpseo_metadesc":"5 key metrics every CISO should report to the board - and why blocked attacks don\u2019t reveal your cyber risk level.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/ciso-board-reporting-kennzahlen-aufsichtsrat-cover-hero.jpg","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/ciso-board-reporting-kennzahlen-aufsichtsrat-cover-hero.jpg","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","evm_external_preview_token":"","evm_external_preview_expires":"","_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[258],"tags":[],"class_list":["post-20972","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-strategie-governance"],"evm_reading_time_minutes":11,"wpml_language":"en","wpml_translation_of":18200,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20972","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/50"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=20972"}],"version-history":[{"count":5,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20972\/revisions"}],"predecessor-version":[{"id":21105,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20972\/revisions\/21105"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/18201"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=20972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=20972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=20972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}