Reporting AppSec risk up to the CISO requires clear, concise reports that give a holistic view of the application security landscape, including all code-based assets used to build it. That view is crucial for making informed decisions about risk and resource allocation. Effective reporting depends on understanding how risks are introduced, sorting them into three buckets (baseline, preventable, and non-preventable issues), and measuring progress over time. When building reports for CISOs and security leaders, consider a framework of four essential categories: exposure, management, prevention, and coverage. This approach lets teams provide contextualized visibility and actionable next steps. The new Enterprise Analytics feature in Snyk provides cross-group insights, sharing of those insights with stakeholders, and the ability to report on risk trends such as exposure, management, prevention, and coverage. By adopting this approach and using the right tools, security teams can effectively report risk up to their CISOs.