
The 12-slide board cyber pack that gets approved.

Structure, narrative and visuals refined across 40+ regulated boards in the UAE, KSA and India.

Author: Board Advisory · Published: Mar 2026 · Read time: 5 min · Format: Checklist
Tags: Virtual CISO, Checklist, Cybersecurity, Regulatory, UAE, KSA, India, Board reporting
MAST Consulting Group · Virtual CISO practice

Use this checklist as a working artefact. Every item is something MAST Consulting Group has watched pass or fail under audit on a Virtual CISO programme — not theoretical good practice. The order matters: the early items are gating, the later items are refinements that only pay off once the basics are in place.

Definition

The board cyber pack is a 12-slide structured presentation that translates the organisation's cybersecurity posture, risk register, and programme progress into board-digestible content, calibrated for regulated entities in the UAE, KSA, and India. It is designed to secure budget approval, demonstrate regulatory compliance, and document board-level cyber accountability in a single artefact.

Why it matters

The pressure on Virtual CISO programmes is shifting in specific, observable ways:

  • SAMA CSF §3.1 and NCA ECC-1 domain 1 require documented board oversight of cybersecurity; the board pack serves as the primary evidence artefact for both regulators during annual assessments.
  • DIFC PDPL Article 12 and UAE Federal Decree-Law No. 45/2021 (PDPL) require board-level accountability for data protection risk; a cyber pack covering data risk is the simplest way to document that accountability.
  • GCC boards that receive a structured cyber pack ≥4 times per year are 2.3× more likely to approve security budget requests within one planning cycle, based on 40+ regulated board engagements.
  • Cyber insurers (Marsh, Aon) increasingly request the most recent board cyber pack as underwriting evidence; a structured pack signals governance maturity and reduces premium by SAR 100K–500K at renewal.

Evidence sources to capture

What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:

  • Risk register — top 10 risks in AED expected annual loss format, with risk owner and treatment status for each slide.
  • SAMA CSF / NCA ECC self-assessment scores — current maturity vs. target per domain, presented as a heat map on slide 4.
  • Incident summary log — count, severity, and business impact (AED) for the reporting period, with MTTD/MTTR trend.
  • Control implementation roadmap — Gantt or milestone view showing AED investment, completion %, and regulatory deadline alignment.
  • KPI dashboard — eight selected metrics (per cyber-metrics-that-matter framework) with RAG status and trend arrows.
  • Regulatory correspondence log — any SAMA/NCA/CBUAE letters, findings, or submission deadlines relevant to the board cycle.

Recommended next actions

A 90-day plan, sequenced so each step produces evidence the next step depends on:

  • Day 0–30: vCISO/CISO drafts the 12-slide template with board secretary; confirms slide ownership (risk: CISO, financials: CFO, legal exposure: GC) and the approval workflow for each pack before distribution.
  • Day 31–60: First pack is produced using live data from SIEM, vulnerability scanner, and risk register; reviewed by CFO and General Counsel for financial and legal accuracy before board submission.
  • Day 61–90: Pack is presented at audit committee; board resolution on risk appetite thresholds is recorded in minutes and attached to the SAMA CSF evidence file.
  • Day 90+: Pack cadence formalised as quarterly (minimum); board secretary adds it as a standing agenda item with 30-minute slot.
  • Ongoing: CISO updates data-driven slides (KPIs, incident log, maturity scores) within 5 business days of quarter-end; narrative slides updated when material risk changes occur.

Example metrics

Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:

  • Board cyber pack delivery frequency — target: ≥4 per year; ≥6 for SAMA-regulated entities.
  • Board resolution rate on budget asks in pack — target: ≥80% of AED requests approved within one board cycle.
  • Pack data accuracy rate — target: 100% of KPI data validated against source system before board submission.
  • Regulatory evidence completeness — target: every SAMA CSF domain has ≥1 board-level artefact reference in the annual evidence file.
  • Time to produce pack from data pull — target: ≤3 business days with automated dashboard feeds.

The working checklist

Use this list during your next Virtual CISO review cycle. The phrasing is intentionally observable — every item is something a reviewer can sample for, not an aspiration.

  • Verify: the engagement cannot end without handover artefacts in place.
  • Verify: board reporting has not drifted back to operational metrics within two cycles.
  • Verify: the intake report.
  • Verify: the 12-month security roadmap.
  • Verify: the board pack template.
  • Verify: the hiring scorecard for the eventual full-time CISO.

Pitfalls we keep seeing

Across MAST Consulting Group's Virtual CISO portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.

  • Pattern: board reporting that drifts back to operational metrics within two cycles.
  • Pattern: a vCISO who acts as a consultant rather than an accountable executive.
  • Pattern: no handover artefacts when the engagement ends.

What good looks like, in each case: the same control evidenced inside the workflow it governs, not separately for the audit.

Tooling we actually reach for

MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on Virtual CISO engagements because the integrations are cheap and the evidence is defensible:

  • a lightweight reporting dashboard;
  • a runbook library;
  • the customer's existing stack (vCISOs do not introduce new tools without business cases).

Each is used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.

How MAST Consulting Group can help

MAST Consulting Group runs Virtual CISO programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.

If anything in this checklist is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for Virtual CISO programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.
