Most board cyber discussions still default to the same four questions: Are we secure? What's our spend? When was our last pen test? Are we compliant?

These were the right questions in 2015. In 2026, they're the equivalent of asking the CFO whether the books are correct. The answer is always "yes," it tells you nothing, and the things that will actually hurt the company are happening somewhere else entirely.

The board's job isn't to validate that security work is happening. It's to make sure the company can absorb the loss when something fails. That requires different questions.

Here are four we'd recommend boards put on the agenda this year.

1. "What would force us to disclose to the SEC, and how would we know?"

The 2023 SEC cyber disclosure rule (Item 1.05) requires public companies to disclose material cybersecurity incidents within four business days of determining materiality. Three years in, most boards have asked the question once, gotten a confident answer, and moved on. The question is more interesting on the second ask:

  • Who in the company makes the materiality call? A controller? Legal? The CISO? A standing committee? If the answer is fuzzy, that is the answer.
  • How would we know an incident has occurred in time to make that call? The four-business-day clock starts on determination, not detection. If detection is slow, the determination call gets compressed against an SEC clock that does not pause.
  • What's the documented threshold? "We'd know it when we see it" is not a defensible answer in an enforcement action.

Bad sign: someone on the call says "our policy covers that."

Good sign: someone produces the actual decision tree, names the people who would meet, and tells you when they last walked through it.

2. "What's our concentration risk in third-party technology?"

The CrowdStrike outage in 2024 grounded airlines, hospitals, and emergency services. Snowflake credential reuse hit dozens of Fortune 500 brands within weeks of each other. Okta. SolarWinds. Each of these was a fourth-party event for most companies that felt the impact: a vendor's vendor, or a vendor used by 80% of a market segment.

Good board questions about third-party tech are not about your vendor list. They're about correlations:

  • If our identity provider went down for 48 hours, what business processes stop?
  • What percentage of our critical systems share a common single vendor underneath?
  • For our top three vendors, who are their top three vendors, and have we mapped that?

Most companies cannot answer the third question. This is the gap. A vendor list is a starting point. An exposure map is the deliverable.

3. "Who owns AI risk at this company, and are they resourced?"

AI showed up in the company through SaaS, not through procurement. By the time governance arrived, marketing was using six different LLM tools, finance was running models inside spreadsheets, and engineering had quietly deployed agents that touch production data. This is the reality everywhere. The question is whether it's acknowledged.

A good board question about AI is not "do we have an AI policy." It's:

  • Who is the named, accountable person for AI risk?
  • Do they have actual authority over what gets deployed?
  • Do they know which AI tools are currently touching customer or regulated data?

If the answer to the first is "the CIO and CISO are working on it together," the answers to the next two are usually no. This is one of the few risk areas where ambiguous ownership is itself the failure mode.

4. "If our CISO left tomorrow, what falls over?"

CISO tenure is short and getting shorter. The replacement market is tight. Most boards do real succession planning for the CEO and CFO and treat the CISO as a hire-when-needed role. The result is that critical security work, vendor relationships, and incident response capacity often live in one person's head.

The right question is operational:

  • What documentation exists for the security program independent of the current CISO?
  • Which vendor relationships, control owners, and IR procedures depend on this person's institutional knowledge?
  • If we had to operate without them for 90 days, what degrades and how fast?

If everyone in the room is comfortable with the answer, the real answer might still be hidden.

Bottom line

If the cyber update at your next board meeting hits the same four bullets it hit at the last one (risk heatmap, recent incidents, audit status, budget), you're getting a status report, not oversight.

These four questions don't replace those updates. They sharpen them. Each one is designed to surface something the standard update format actively hides. Each one has a clear and concrete answer if the underlying program is in good shape.

If it isn't, the questions are still useful. The discomfort that follows is the work.

If you'd like a one-pager version of these questions to bring to your next board meeting, reach out. We'll send it.