If you’re a Chief Information Security Officer (CISO), you’re probably living this paradox: you’ve never had more data about your environment, yet it’s still hard to answer the board’s favourite question:
“Are we secure – and is it getting better or worse?”
Meanwhile, the pressure is rising. By 2026, at least 50% of C-level executives will have performance requirements related to cyber security risk written into their contracts. Cyber risk is now a performance metric, not a side-topic, which makes how you report posture a strategic issue.
Why posture reporting is so hard
The problem isn’t a lack of metrics; it’s turning them into a story.
Most security functions juggle vulnerability scores, cloud risk ratings, Microsoft Secure Score and a handful of internal key performance indicators (KPIs). Each is useful. Together, they’re noisy. The challenge is compressing all of that into one narrative a non-technical board can understand and use.
On top of that, posture reporting is often stuck in snapshots: last quarter’s audit, a pentest from months ago, a static export pulled the week of the board meeting. Your environment and threat landscape, however, change daily. Without a clear sense of direction – are we improving, flat or regressing? – you end up telling the story from memory rather than from evidence.
Then there’s the language gap. Your team understands why enabling multi-factor authentication (MFA), tightening Conditional Access or hardening device baselines matters. To the board, that needs to land as something closer to:
“We’ve reduced the likelihood of one of our top attack paths being exploited.”
That jump from configuration change to risk movement is where many posture reports fall over.
Even when you can show improvement, the next question is inevitable: “Is this good? How do we compare to others like us?” Without at least basic benchmarking, it’s hard to know whether you’re leading, lagging or comfortably average – and “average” may not align with your risk appetite.
Secure Score: a useful anchor, not a silver bullet
If you’re heavily invested in Microsoft 365 and Defender, Microsoft Secure Score is one of the more practical posture signals you have. It measures how well you’ve implemented recommended controls across identities, devices, apps, and data. A higher score means more controls in place, it highlights what to improve next, and it gives you some benchmarking against other organisations.
That makes Secure Score a solid common language for Microsoft-centric posture.
But on its own, it’s not enough for CISO-level storytelling. It typically lives in a portal your executives never open, the default view is short-term, around 90 days, and the “why” behind movements in the score isn’t always obvious to non-specialists.
You don’t need yet another score. You need a way to use Secure Score as an anchor for a clear, long-term posture story.
What “good” posture reporting should do
Forget perfection. A useful posture view lets you answer three questions on a single slide:
- Where are we now? – Overall and category posture in a board-friendly visual.
- How is it changing? – A simple trend over time: improving, flat or regressing.
- What are we doing about it? – A short, prioritised list of actions and expected impact.
If your current reporting can’t do that, it’s making life harder than it needs to be.
It should also connect actions to posture. For each reporting cycle, you want to say: “We did these things – for example, stronger MFA, tighter admin access, onboarding new workloads with better defaults – and they moved our posture by this much.” Your engineers care about the what; your board needs the so what.
Just as importantly, it should show a journey rather than a single number. Boards respond well to, “Here’s where we started, here’s what we’ve done over the last 12 months, and here’s where we’re heading next.” That’s far more powerful than dropping a lone score into a deck.
Finally, a good posture story adds enough context to be meaningful. You don’t need an industry-wide data lake, but even simple, anonymised benchmarking – “you’re around the median for organisations of similar size” or “you’re ahead of many peers here but behind there” – moves you from “we feel okay” to “here’s where we actually stand.”
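As an added illustration (not the author's or any platform's code), the Python sketch below turns a year of Secure Score snapshots into the three answers above: direction of travel, which actioned recommendations coincided with movement, and a position against anonymised peers. All snapshot, action and peer figures are constructed; scores are normalised to a percentage of achievable points because the achievable maximum grows as Microsoft adds recommendations, so raw points alone can mislead.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Snapshot:
    """One Secure Score reading: points achieved out of the points achievable that day."""
    day: date
    points: float
    max_points: float  # grows as Microsoft adds recommendations, so compare percentages

    @property
    def pct(self) -> float:
        return 100.0 * self.points / self.max_points

# Constructed quarterly snapshots over 12 months for a hypothetical tenant.
SNAPSHOTS = [Snapshot(date(2025, 1, 1), 420, 700), Snapshot(date(2025, 4, 1), 450, 720),
             Snapshot(date(2025, 7, 1), 518, 740), Snapshot(date(2025, 10, 1), 540, 750),
             Snapshot(date(2026, 1, 1), 570, 760)]
# Constructed list of recommendations actioned, with the date each landed.
ACTIONS = [("Require MFA for all users", date(2025, 2, 15)),
           ("Limit Global Administrator assignments", date(2025, 5, 10)),
           ("Onboard new workloads with Defender defaults", date(2025, 11, 20))]
# Constructed anonymised peer percentages for the same period.
PEER_PCTS = [55.0, 60.0, 68.0, 72.0, 75.0, 78.0, 81.0, 90.0]

def trend(snapshots, flat_band=2.0):
    """'How is it changing?': direction from first to last snapshot, in percentage points."""
    delta = snapshots[-1].pct - snapshots[0].pct
    if delta > flat_band:
        return "improving", delta
    if delta < -flat_band:
        return "regressing", delta
    return "flat", delta

def attribute_actions(snapshots, actions):
    """'What are we doing about it?': pair each action with the movement in the interval it landed in."""
    rows = []
    for name, when in actions:
        for prev, cur in zip(snapshots, snapshots[1:]):
            if prev.day < when <= cur.day:
                rows.append((name, round(cur.pct - prev.pct, 1)))
                break
    return rows

def peer_percentile(own_pct, peer_pcts):
    """Context: share of anonymised peers at or below our percentage (50 is the median)."""
    return 100.0 * sum(p <= own_pct for p in peer_pcts) / len(peer_pcts)
```

Calling `trend(SNAPSHOTS)`, `attribute_actions(SNAPSHOTS, ACTIONS)` and `peer_percentile(SNAPSHOTS[-1].pct, PEER_PCTS)` yields the three slide answers; the attribution is coincidence in time, not proof of cause, which is why the action list should stay short and reviewed.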
How we’ve approached it
In our own work, we kept seeing the same gap: customers were investing in configuration changes and proactive hardening, but still struggled to explain what had actually changed. The questions were almost always some version of:
“What’s changed in our Microsoft security posture since we started this engagement?”
“How do I evidence that for my execs and board?”
To address that, we built a Security Posture view into our Clarity managed security platform. It uses Microsoft Secure Score as the anchor metric, extends the view beyond the native short window to show longer-term trends, overlays which recommendations were actioned and when, and adds comparison against anonymised peers to give context.
The goal isn’t to throw another dashboard at you. It’s to give your internal champions – you, your Head of IT, your risk colleagues – a cleaner, more defensible Microsoft posture story. That’s the bar we’d set for any tooling you use: Does it help you tell the story, or does it just add another graph?
A quick self-check
If you want to stress-test your current posture reporting, ask yourself:
- Can I explain our posture on one slide to a non-technical audience?
- Can I show how it’s changed over the last 12 months, with clear links to actions?
- Can I confidently name the top three actions that will move our posture most next quarter?
- Can I say, with some evidence, how we compare to similar organisations?
If a few of those feel shaky, you’re not alone. But as cyber risk becomes a formal part of executive performance, getting those answers onto firmer footing is worth the effort.
And if you’re wrestling with how to turn tools, scores and reports into a simple, credible posture narrative for your board, it may be time to talk about how we can help you report on security posture – especially across your Microsoft estate.
Speak to one of our security posture experts to explore what this could look like in your organisation.