Most board cyber discussions still revolve around the wrong questions. Directors get a 40-slide deck filled with maturity scores, threat-actor names, and a heatmap that has been mostly red for three years. They leave the meeting with the same uncomfortable feeling they came in with: that the team is working hard, but they cannot tell whether the organization is actually getting safer.
The questions below are the ones we coach boards to ask. They are short. They are answerable. And they put the executive team on the spot in the way good governance should.
1. What is the worst day this organization could have, and how close are we to it?
Boards do not need a risk register. They need to know the top one to three scenarios that would materially change the business, and what specifically has changed in the last quarter to make those scenarios more or less likely.
The right answer names a scenario, names a control or capability that has improved or degraded, and quantifies the change. Anything more abstract than that should make the board uncomfortable.
2. Where are we relying on a single person, a single tool, or a single supplier?
Concentration risk is the single most underappreciated cyber risk in most organizations. A single SaaS provider hosting the customer database. A single engineer who knows how to rebuild a critical service. A single MSP holding privileged access to half the cloud estate.
Boards should ask this question every quarter. The answer should be specific, written down, and trending in the right direction.
3. What did we change in production last week, and who reviewed it?
Modern breaches do not usually start with a sophisticated attacker. They start with a misconfiguration that nobody reviewed. A board does not need to read every change ticket — but it should be confident the engineering organization has a working change-review discipline, and that exceptions are visible.
4. If the worst happened tonight, who is in the room at 2 a.m. — and have they actually done this before?
Incident response readiness is built in tabletop exercises and real incidents, not policy documents. The board should ask when the most recent realistic tabletop was run, who was in it, and what changed as a result.
If the most recent exercise was the annual one, the answer is wrong.
5. How do we know our awareness program is working?
Most awareness programs report on training completion. That is the wrong metric. The board should ask for behavior metrics — phishing-click rate, report rate, the time-to-report for suspected incidents — and how those trends compare to the last four quarters.
If awareness reporting cannot speak in behavior terms, the program is not yet doing what it claims to do.
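As an added illustration (not part of the original article, and not any particular vendor's reporting tool), the script below shows what "speaking in behavior terms" looks like once you have raw phishing-simulation records: it derives click rate, report rate and median time-to-report per quarter, then checks whether each is trending the right way over the last four quarters. The record format, the quarter labels and the numbers are constructed for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: one tuple per simulated-phishing recipient.
# (quarter, clicked_link, reported_to_security, minutes_until_report_or_None)
# A recipient can both click and report; that still counts as a report.
SAMPLE_EVENTS = [
    ("2024Q1", True, False, None), ("2024Q1", True, False, None),
    ("2024Q1", True, True, 240), ("2024Q1", False, False, None),
    ("2024Q1", False, False, None),
    ("2024Q2", True, False, None), ("2024Q2", True, True, 180),
    ("2024Q2", False, True, 60), ("2024Q2", False, False, None),
    ("2024Q2", False, False, None),
    ("2024Q3", True, False, None), ("2024Q3", False, True, 15),
    ("2024Q3", False, True, 45), ("2024Q3", False, True, 90),
    ("2024Q3", False, False, None),
    ("2024Q4", True, True, 30), ("2024Q4", False, True, 5),
    ("2024Q4", False, True, 10), ("2024Q4", False, True, 20),
    ("2024Q4", False, False, None),
]

# Direction each behavior metric should move if the program is working.
DESIRED_DIRECTION = {
    "click_rate": "down",
    "report_rate": "up",
    "median_minutes_to_report": "down",
}


def behavior_metrics(events):
    """Aggregate per-recipient records into per-quarter behavior metrics.

    Returns {quarter: {"n", "click_rate", "report_rate", "median_minutes_to_report"}}.
    Training completion is deliberately absent: it measures attendance, not behavior.
    """
    by_quarter = defaultdict(list)
    for quarter, clicked, reported, minutes in events:
        by_quarter[quarter].append((clicked, reported, minutes))

    metrics = {}
    for quarter in sorted(by_quarter):
        rows = by_quarter[quarter]
        n = len(rows)
        clicks = sum(1 for clicked, _, _ in rows if clicked)
        reports = sum(1 for _, reported, _ in rows if reported)
        report_times = [m for _, reported, m in rows if reported and m is not None]
        metrics[quarter] = {
            "n": n,
            "click_rate": round(clicks / n, 3),
            "report_rate": round(reports / n, 3),
            # None when nobody reported: the metric is undefined, not zero.
            "median_minutes_to_report": median(report_times) if report_times else None,
        }
    return metrics


def quarter_over_quarter(metrics, key, quarters=4):
    """Deltas of one metric across the last `quarters` quarters, oldest first."""
    recent = sorted(metrics)[-quarters:]
    deltas = []
    for prev, cur in zip(recent, recent[1:]):
        a, b = metrics[prev][key], metrics[cur][key]
        deltas.append((cur, None if a is None or b is None else round(b - a, 3)))
    return deltas


def trending_right_direction(metrics, quarters=4):
    """For each metric, True if the latest quarter improved on the oldest of the window.

    This is the summary a board can act on: a metric that is flat or moving the
    wrong way over four quarters is a finding, regardless of completion numbers.
    """
    recent = sorted(metrics)[-quarters:]
    first, last = metrics[recent[0]], metrics[recent[-1]]
    verdict = {}
    for key, direction in DESIRED_DIRECTION.items():
        a, b = first[key], last[key]
        if a is None or b is None:
            verdict[key] = None  # not enough reports to judge
        elif direction == "down":
            verdict[key] = b < a
        else:
            verdict[key] = b > a
    return verdict


if __name__ == "__main__":
    m = behavior_metrics(SAMPLE_EVENTS)
    for q, row in m.items():
        print(q, row)
    for key in DESIRED_DIRECTION:
        print(key, quarter_over_quarter(m, key))
    print(trending_right_direction(m))
```

The point of `trending_right_direction` is that the board-level answer is a direction, not a score: each metric is compared against the same quarter a year earlier, and an undefined median (a quarter with no reports at all) is surfaced as "cannot judge" rather than silently treated as zero.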
The discipline behind the questions
Each of these questions is designed to be answerable in two minutes by a competent CISO. None of them require technical knowledge to ask. All of them surface the kind of executive thinking that separates organizations that get safer from organizations that just report on safety.
If the team cannot answer in two minutes, that is the finding. The question becomes the action item.