Most boards do not know what to ask their CISO. That is not their fault. Cybersecurity moves faster than quarterly board agendas, and the language gap between security teams and directors is real. But vague questions produce status reports that sound reassuring and tell you nothing.
I spend a lot of time around pilots. Before any flight leaves the gate, two of them work through a checklist of questions whose answers determine whether the plane goes. Boards need that same discipline with their security leaders. Five questions, asked every quarter, will tell you more about your organization’s posture than fifty pages of dashboards. These are the five.
You cannot govern what you will not ask about directly. The boards that get useful answers ask precise questions. The ones that get vague answers ask vague ones.
1. Are We Doing Better or Worse Than We Were Twelve Months Ago?
Direction matters more than snapshots. A board does not need to understand every metric on the CISO’s wall. A board does need to know whether the company is improving, holding steady, or sliding backward. This question forces the CISO to define what “better” means in plain terms.
Listen for trend data, not single-point statistics. Mean time to detect, mean time to respond, phishing click rates, patch latency, and percentage of critical systems covered by EDR are all things that should move year over year. Industry frameworks such as the NIST Cybersecurity Framework can help your CISO map these metrics to board-ready categories. If your CISO answers with a story about how busy the team has been, ask the question again.
2. What Is Our Biggest Unmitigated Risk, and Why Have We Not Fixed It?
Every security program has known issues that have been deferred. A CISO who claims otherwise is either new to the role or hiding something. The valuable part of this question is the second half. Why is the risk still on the books?
The answer usually comes down to one of three things. Money the CISO does not have. Authority the CISO does not have. Or politics the CISO has lost. All three are information the board needs. Boards that hear “we are working on it” without context are being managed, not informed. A useful follow-up is to ask what would have to change for the risk to be retired by the next board meeting.
3. If We Had a Breach Tomorrow, Who Decides What in the First 24 Hours?
Pilots train emergency checklists in the simulator before they ever need one in the air. Most companies discover their incident response gaps during the incident itself, which is the worst possible time. This question forces a board to test whether the plan exists in writing and whether anyone has rehearsed it.
Specific things to listen for: who declares an incident, who notifies legal, who decides to pull systems offline, who calls law enforcement, and who triggers the SEC four-day disclosure clock for material incidents. Who talks to the press, and who absolutely does not. If the answers are uncertain, the company does not have an incident response plan. It has a document.
A useful test: ask the CISO when the last tabletop exercise included the board. If the answer is never, schedule one before the next quarterly meeting. Two hours in a conference room beats two days of chaos after a real event.
4. How Much of Our Security Depends on People We Do Not Employ?
This is the question most boards forget to ask. Third-party risk is now the dominant attack path for most organizations. Your cloud provider, your MSP, your SaaS vendors, your contractors, and the software supply chain all sit inside your security perimeter whether you put them there formally or not.
The honest answer to this question is almost always higher than the board expects. Push for specifics: how many vendors hold sensitive data, how many have privileged access to production systems, how many had a known breach in the past 24 months, and what happens if a critical vendor is offline for a week. These are not theoretical questions in 2026.
5. What Would You Do With Another Million Dollars, and What Would You Cut If We Took One Away?
This is the prioritization question. A strong CISO has a ranked list of investments the program needs and a ranked list of things that could be sacrificed under pressure. A weaker one has a wish list with no order and a panicked face when budget cuts come up.
The answers tell you whether you have a strategic security leader or a tactical operator. Both are valuable, but they belong in different roles. If your CISO cannot prioritize, you do not have a CISO. You have a security manager with a more impressive title. That is a leadership problem, not a technology problem.
Frequently Asked Questions
How often should the board meet with the CISO?
Most boards should have the CISO present at least quarterly. Higher-risk industries like financial services and healthcare often benefit from monthly check-ins, with full board reviews quarterly. The CISO should also have direct access to the board chair or audit committee chair between meetings when material risk changes occur.
Should the CISO report directly to the CEO?
In most modern organizations, the CISO reporting to the CEO or to the audit committee directly is the strongest structure. Reporting through the CIO creates an inherent conflict between operational uptime and security tradeoffs. SEC scrutiny and 2026 regulatory expectations have pushed many large organizations toward CEO or board reporting lines.
What is the SEC cyber disclosure rule and how does it affect boards?
The SEC cybersecurity disclosure rule requires public companies to report material cybersecurity incidents on Form 8-K within four business days of determining materiality. It also requires annual disclosure of cybersecurity risk management, strategy, and governance, including board oversight. Boards are now directly accountable for understanding and supervising cyber risk programs.
What is the difference between a CISO and a security manager?
A CISO operates at the executive level, owns enterprise risk strategy, sets budget and policy, and communicates with the board. A security manager runs operations such as the SOC, vulnerability management, and incident handling. Both roles matter, but they are not interchangeable. Calling a security manager a CISO does not give them the authority or strategic mandate the role requires.
What should boards do if the CISO cannot answer these questions?
If a CISO cannot answer these five questions, the issue is rarely the person. It is usually the role’s positioning. Boards should examine whether the CISO has the budget, authority, reporting line, and time to operate strategically. A capable security leader in the wrong structure will fail. A board that demands answers without giving the role real authority is not actually governing cyber risk.
CEO | Training Camp
Christopher D. Porter is a dynamic marketing executive and visionary leader, celebrated as an early adopter of internet technologies for innovative lead generation strategies. Continuing his career as the CEO of one of the leading IT and Cybersecurity Certification Training companies, he has consistently harnessed digital innovation to drive business growth and market transformation.
