Columbia Law School research found that boards without cybersecurity expertise engage in symbolic oversight rather than substantive governance. The SEC's cybersecurity disclosure rules have made the distinction consequential: the quality of board oversight is now a disclosed fact, and the gap between symbolic and substantive is increasingly visible to investors, regulators, and plaintiff attorneys.

The problem is not that board members are incurious or inattentive. It is that most boards do not have a framework for asking the right questions. The CISO presents slides. The board nods. The audit committee signs off. Everyone leaves feeling like oversight happened.

It often did not.

The following eight questions are designed to change that dynamic. They do not require technical expertise to ask, but they cannot be answered satisfactorily without honesty. A CISO running a genuine security program can answer all of them with specifics. A security theater program will struggle with most of them.


The Eight Questions

Question 1

"What percentage of our current external attack surface has been tested against a real attack scenario in the last 30 days?"

This is the foundational question. It does not ask about compliance. It does not ask about policy. It asks about actual validated coverage of the environment that exists today. A company that pen tests annually covers a small fraction of its operational window. If the answer is not "most of it" with a number attached, the coverage gap is real.

Question 2

"If our VPN credentials were compromised tonight, what is the blast radius?"

This question asks the CISO to reason about a concrete, realistic scenario — not a theoretical worst case, not a compliance checklist. It surfaces whether the organization has mapped its lateral movement exposure, and whether that mapping reflects the current environment rather than a historical one. The answer should include specific systems, specific data, and a specific remediation status.

Question 3

"How long would it take us to determine whether a cybersecurity incident is material?"

Under SEC rules, the four-day disclosure clock starts when materiality is determined, not when the incident occurs. Organizations without a tested materiality framework will spend days just answering this question under pressure. The CISO should be able to describe the specific process — who is involved, what the decision criteria are, what the escalation path looks like — not just confirm that a process exists.

Question 4

"When did we last simulate an adversary gaining access through a third-party vendor?"

Supply chain attacks — SolarWinds, MOVEit, Okta — have repeatedly demonstrated that an organization's security posture is only as strong as its weakest vendor integration. Most pen tests do not include third-party attack paths because they are out of scope. Real adversaries do not respect scope boundaries. The board should know when this was last tested, and what was found.

Question 5

"What critical vulnerabilities have been validated as exploitable in our environment in the last quarter?"

There is an important distinction between vulnerabilities that exist and vulnerabilities that are exploitable in a specific environment. A CVE may be present in a system but not reachable due to network segmentation. Or it may be reachable and easily chained to a privilege escalation. The board should be hearing about the exploitable ones — validated by real attack simulation, not by scanner output.
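The distinction above (a CVE that is present versus one that is reachable and chainable) can be modelled as a reachability problem over the network's segmentation policy. The block below is an added illustration, not code from the original article or from the vendor it describes; the hosts, segment flows and CVE identifiers are all constructed placeholders. It computes, from an external starting position, which vulnerabilities give an attacker a foothold, which become exploitable only once a foothold exists on the same host (chained privilege escalation), which are reachable but not exploitable without a foothold, and which are present but unreachable. This is a triage model only; as the text says, the exploitable set still has to be validated by actual attack simulation.

```python
from dataclasses import dataclass

# Constructed sample environment. Segment names, hosts and CVE identifiers
# are placeholders and do not describe any real network or vulnerability.

@dataclass
class Host:
    name: str
    segment: str
    vulns: list  # (placeholder CVE id, kind) where kind is "rce" or "privesc"

# Allowed network flows between segments (a simplified firewall policy).
# Note that nothing flows *into* "mgmt" from any other segment.
FLOWS = {
    "internet": {"dmz"},
    "dmz": {"app"},
    "app": {"db"},
    "mgmt": {"dmz", "app", "db"},
}

HOSTS = [
    Host("web-1", "dmz", [("CVE-PLACEHOLDER-0001", "rce")]),
    Host("app-1", "app", [("CVE-PLACEHOLDER-0002", "rce"),
                          ("CVE-PLACEHOLDER-0003", "privesc")]),
    Host("db-1", "db", [("CVE-PLACEHOLDER-0004", "privesc")]),
    Host("jump-1", "mgmt", [("CVE-PLACEHOLDER-0005", "rce")]),
]


def reachable(segment, held_segments, flows):
    """A segment is reachable if the attacker already holds it or holds a
    segment with an allowed flow into it."""
    return any(segment == s or segment in flows.get(s, set())
               for s in held_segments)


def compromised_hosts(hosts, flows, start="internet"):
    """Fixpoint over the environment: any reachable host carrying an
    RCE-class vulnerability becomes a foothold, which in turn makes its
    segment attacker-held and may expose further hosts."""
    held_segments = {start}
    footholds = set()
    changed = True
    while changed:
        changed = False
        for h in hosts:
            if h.name in footholds:
                continue
            has_rce = any(kind == "rce" for _, kind in h.vulns)
            if has_rce and reachable(h.segment, held_segments, flows):
                footholds.add(h.name)
                held_segments.add(h.segment)
                changed = True
    return footholds, held_segments


def classify(hosts, flows, start="internet"):
    """Map each vulnerability to its status in *this* environment."""
    footholds, held = compromised_hosts(hosts, flows, start)
    report = {}
    for h in hosts:
        host_reachable = reachable(h.segment, held, flows)
        for cve, kind in h.vulns:
            if h.name in footholds:
                report[cve] = ("exploitable: initial foothold" if kind == "rce"
                               else "exploitable: chained privilege escalation")
            elif host_reachable:
                report[cve] = "reachable, but no foothold on host"
            else:
                report[cve] = "present but unreachable"
    return report


def validated_exploitable(report):
    """The subset a board should be hearing about, sorted for stable output."""
    return sorted(cve for cve, status in report.items()
                  if status.startswith("exploitable"))


if __name__ == "__main__":
    result = classify(HOSTS, FLOWS)
    for cve, status in sorted(result.items()):
        print(f"{cve}: {status}")
    print("Board-level list:", validated_exploitable(result))
```

In the constructed environment, the two RCE findings in the DMZ and app tiers plus the chained privilege escalation on the app host are the ones that matter; the database finding is reachable but not exploitable without a foothold, and the management host's RCE is unreachable from outside because no segment flows into it. A scanner would report all five at the same severity.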

Question 6

"If we were being investigated by the SEC for a cyber disclosure, what documentation would we produce to demonstrate our board oversight process?"

This question is direct and occasionally uncomfortable, which is exactly why it is useful. The SEC expects specific, verifiable oversight processes described in Form 10-K filings. If the board cannot articulate what documentation exists — meeting minutes, briefing records, challenge questions on the record — the disclosure may be claiming oversight that does not fully exist.

Question 7

"What is our current detection time if a nation-state actor establishes persistence in our environment?"

The average dwell time — the period between an attacker establishing access and an organization detecting it — has historically been measured in months. Nation-state actors targeting specific organizations for intelligence purposes may maintain persistence for years without detection. The CISO should have a view on detection capability that is based on tested scenarios, not theoretical SLA targets.

Question 8

"What would our security posture look like to an adversary mapping our environment right now?"

This question asks the CISO to adopt the attacker's perspective — to describe the organization not as its security policy defines it, but as an external adversary with reconnaissance tools would see it. The answer requires continuous external attack surface awareness. If the CISO's answer describes the environment as it was during the last pen test, the adversary has a fresher view of the environment than the board does.


How to use these questions: Bring them to your next audit committee meeting. Ask one or two. If the answers are specific, current, and grounded in tested data, your CISO is running a real program. If the answers are procedural, reference-heavy, or deflect to compliance frameworks, you have work to do.

The goal of board cybersecurity oversight is not to demonstrate that a process exists. It is to develop genuine confidence that the organization's security posture is understood, tested, and improving. These eight questions are a starting point for making that confidence real rather than assumed.

See what continuous testing finds in your environment.

Tadpole deploys autonomous agents that simulate real adversaries — 24/7, across your entire attack surface.
