
The questions a board should be asking about cyber risk

April 28, 2026 · TranSec Advisory

A board does not need to understand the internals of its organization's security program. It needs to know whether the program is sound, whether the risks are understood, and whether management can be trusted to make good decisions about them. That judgment is reachable through a handful of questions — provided they are asked plainly and answered without retreat into jargon.

What are our most serious cyber risks, in business terms? A capable team can name them in language a director understands: what could harm the company, how badly, and how likely. If the answer arrives as a list of technical findings rather than business consequences, the work of translating risk into decisions has not yet been done.

Which of these risks have we decided to accept? Every organization carries risk it has chosen not to eliminate. That is normal and often correct. What matters is whether the acceptance was deliberate and recorded, or whether it simply happened. A board should be able to see the decisions, not infer them.

How would we know if something were seriously wrong? Detection is where confidence is tested. The question is not whether the organization has tools, but whether it would recognize a significant event in time to act — and who would be told, and how quickly.

What happens on the worst day? A sound answer describes decisions already made: what must keep running, what an acceptable recovery looks like, and who has the authority to act under pressure. An unconvincing answer describes tools and hopes.

Are we telling you the whole picture? This question is uncomfortable, which is why it is useful. Directors are entitled to assurance that what they hear is complete — and management benefits from being asked, because it sets the expectation that candor is the standard.

The value of these questions is not in the words but in the quality of the answers they provoke. Clear, specific, business-grounded responses are themselves evidence of a program that is being led rather than merely operated. Evasive or overly technical answers are evidence of the opposite, regardless of how much has been spent.

A board's role in cybersecurity is not to manage it. It is to assure itself that the organization's risk is understood, governed, and being reduced, and to keep asking, persistently and without apology, until it is satisfied that this is so.
