For many Chief Information Security Officers (CISOs), reporting to the board of directors has been handled as a reactionary, albeit very necessary task. After all, it’s the board of directors that sit atop the corporate governance model, so it is incumbent upon security professionals to keep them informed. But communicating about security incidents—like the Log4j vulnerability, for example—fielding requests based on regulatory requirements, or answering questions about a breach that happened in the same industry should definitely not be the only moments that CISOs engage their boards.