
Three Questions Every Board Should Be Asking Their IT Team Right Now

  • loscvetkovic
  • Mar 13
  • 3 min read

Most boards know they should be taking cybersecurity seriously. Fewer know what that actually looks like in practice. The problem isn't a lack of interest — it's that security conversations often happen in the wrong language, at the wrong level of detail, with no clear way to measure whether the answers are any good.

Here are three questions that cut through the noise. They're not technical. They're designed to reveal whether your organisation actually has a handle on security risk — or is just hoping it does.

1. If we had a serious incident tonight, what would happen in the first two hours?

Not 'do we have an incident response plan' — most organisations will say yes to that. The question is what specifically happens. Who gets called? In what order? Who has authority to take systems offline if needed? Who communicates with clients? Who talks to regulators?

If the answer is vague, or involves several people in sequence who will then decide what to do, you don't have a functioning incident response capability. You have a document. A real plan has named individuals, pre-agreed decisions, practiced steps, and someone who owns it. That person should be able to describe it in under three minutes.

2. What are our three most significant security risks right now, and what are we doing about them?

Every organisation has a different threat profile depending on what it does, what data it holds, how it operates, and who might want to cause it harm. The answer to this question should be specific to your business — not a generic list of 'ransomware, phishing, insider threats' that could apply to anyone.

If your IT team can't identify your top three risks with reasonable confidence and explain what's being done to address them, that's an important finding. It suggests risk assessment is happening in theory but not being used to drive actual decisions about where to focus effort and investment.

3. When did we last test whether our security controls actually work?

Security controls degrade. Configurations drift. People leave and processes change. A firewall rule that was correct eighteen months ago may no longer reflect how the business operates. Backups that have never been tested may not restore when needed.

The honest answer to this question, at many organisations, is 'we haven't' or 'we're not sure'. That's not a reason to panic — it's a reason to find out. Untested controls give a false sense of security that is in some ways more dangerous than knowing you have gaps.

Why these questions matter

Boards are increasingly being held accountable for security failures — not just operationally, but legally and reputationally. The NIS2 Directive, for example, places explicit responsibility on management bodies for cybersecurity oversight. Regulators in financial services have been clear for several years that 'we delegated it to IT' is not a sufficient response after an incident.

None of this requires boards to become technical experts. It requires them to ask the right questions, in the right way, often enough that security is treated as a board-level priority rather than an IT department concern.

If you're not getting clear answers to these questions — or not confident they're being asked at all — SecCured's Virtual CISO service provides the senior security leadership to bridge that gap, with board reporting built in from day one.
