There are two times you might have to talk to your organizations board of directors about security: before a breach and after. Your job is to provide the board with perspective and not necessarily details. The board isnt looking for a scapegoat or someone to blameit wants assurances that the leak has been plugged and an assessment of the damage done. Talking about information security with the board after a breach is a more stressful situation, says Michelle Drolet. You need the board behind you because you work within constraints imposed by the board and upper management.”]
Source: https://www.csoonline.com/article/3190649/how-cisos-should-address-their-boards-about-security.html