This question was asked at the Cyber Leaders Roundtable on 19 May.
I try to get away from just metrics wherever possible and focus in on having a discussion about the risks. Don’t just talk about people being impersonated, tell a story about how someone transferred money to a scammer and then tie it back to the control you’re putting in place (or asking for money for), then hit them with a figure on how many attempts you get and how effective you are at blocking them.
Boards want to know the risks and how you’re mitigating them. Giving them raw metrics might give them a warm feeling, but doesn’t tell them much.
I think it depends on the level of cybersec awareness the board already has. You need to bring them on a journey to get them all up to a similar awareness level. From there you can introduce metrics and risks. Without that common understanding, any risks and consequences you present are not going to register.