The Questions Your Board Should Be Asking the CISO, But Isn't
Most boards receive security updates without the context to challenge them. We outline the five questions that shift board oversight from passive acknowledgement to active governance.
Boards of directors are increasingly expected to exercise meaningful oversight of cybersecurity risk. Regulators, institutional investors, and insurers now treat security governance as a board-level matter. Yet in most boardrooms, the quarterly security update from the CISO is received and noted rather than interrogated.
This is not because boards lack intelligence or diligence. It is because the questions that would enable meaningful challenge are rarely asked — and when they are, the answers often arrive in formats that prevent scrutiny.
Five questions change this dynamic.
1. What would a material breach look like for this organisation, and would we detect it?
Most CISOs can tell a board about the number of phishing attempts blocked last month, the patch compliance rate, and the outcome of the most recent penetration test. These are activity metrics. They measure what the security team is doing, not whether the organisation would withstand a determined attack.
The question boards should ask is concrete and scenario-based: if an attacker had persistent access to our most sensitive systems for ninety days, what would they be able to do, and would we know? The answer reveals whether detection and response capability is genuinely mature — or whether the organisation is measuring security inputs rather than security outcomes.
2. What are our five most significant security risks, and what is our actual exposure to each?
Risk registers in most organisations contain hundreds of entries. This level of granularity is operationally useful for security teams. It is not useful for boards. When every risk looks equally important, none of them receive the oversight they warrant.
Boards should expect to see a small number of material risks — the scenarios that would cause serious operational disruption, regulatory consequence, or reputational damage — presented with honest assessments of likelihood, potential impact, and current mitigation effectiveness. If the CISO cannot articulate the top five risks in terms the board can evaluate, the reporting structure needs to change.
3. How do we know our third-party suppliers are not our primary risk?
The majority of significant breaches in recent years involved a third party. Supplier ecosystems have become the dominant attack surface for well-defended organisations. Attackers compromise a smaller supplier to reach the primary target.
Boards should understand what access their most critical suppliers have, what security standards those suppliers are required to meet, and how compliance with those standards is verified. Self-reported questionnaires are not verification. What matters is whether the organisation has actual visibility into the security posture of the suppliers with access to material systems.
4. What happened in our last security incident, and what did we learn?
Every organisation experiences security incidents. The question is not whether incidents occur but whether the organisation learns from them. Boards that never hear about security incidents are not operating in a low-incident environment — they are operating in an environment where incidents are not escalated appropriately.
A mature security programme treats incidents as learning opportunities and ensures that lessons reach the people responsible for resource and policy decisions. Boards should expect to hear about significant incidents, understand the root cause analysis, and see evidence that remediation actions have been taken — not as a blame exercise, but as governance.
5. Are we spending security budget where our actual risk is?
Security budgets in large organisations tend to reflect historical decisions, vendor relationships, and organisational inertia as much as they reflect current risk. Significant sums are often spent maintaining legacy tools while emerging risk areas receive insufficient investment.
Boards should ask how security spending maps to the material risks identified in question two. If the organisation's primary risk is supply chain compromise but the majority of security spend is on perimeter controls, that misalignment is a governance issue. The CISO should be able to articulate not just what is being spent but why the allocation reflects the actual risk profile.
From acknowledgement to oversight
These five questions do not require board members to become security technologists. They require the same analytical rigour that boards apply to financial risk, operational risk, and strategic risk. Security is not a technical domain that boards must defer to — it is a business risk that boards must govern.
The CISO relationship should be structured accordingly. Security reporting should arrive in formats that enable challenge. Boards should have access to independent expert advice when evaluating what they are told. And the five questions above should be a starting point, not a ceiling.
NovaSec