Is the board asking different questions now?

by Black Hat Middle East and Africa

This week we’re focused on…

The different kinds of questions that CISOs are being asked these days. 

Why? 

Because board-level cybersecurity questions used to be reasonably predictable.

Things like…

Are we secure? 

Have we been breached? 

Are we compliant? 

But those questions are outdated now. Boards are still concerned about attacks – but they’re more worried about (and aware of) impact. Downtime. Recovery. Legal exposure. Reputation. And they’re thinking about personal accountability too. 

For CISOs, the language of risk has changed, and boards want to know what actually happens if their organisation isn’t secure. Security leaders are being pulled away from binary answers and towards scenarios, trade-offs, and uncertainty. And if we’re being honest, that’s uncomfortable territory – especially in front of a board that wants confidence.

As Richard Rushing (CISO at Motorola Mobility) said way back at Black Hat MEA 2022,

“Risk has to start at the top. Executives need to determine what kind of risks they need to fix, and where those risks might be. And they also need to identify their own risk tolerance: what kind of risks are accepted, and which risks have such serious implications that they are not accepted within the organisation?”

That perspective is important, because when boards ask about ransomware, cloud outages, or AI exposure, they’re often really asking: is this within our tolerance – and do we know what happens if it isn’t?

Metrics don’t land if the story doesn’t

Many CISOs respond to board-level questions with maturity scores or dashboard data. The problem with this isn’t the data itself – it’s whether it actually drives decisions.

Rushing warned that security teams often mistake reporting for communication:

“You need to have a tolerance, and it needs to be standardised. If it’s not standardised, you’re making ad-hoc decisions.”

Boards don’t need more metrics. They need to understand what the metrics they already have mean for the business story – things like brand damage, supply chain disruption, regulatory exposure, or operational downtime.

Or, in Rushing’s words: 

“Risk is about how to figure out the plot of your story.”

When the world is watching, words matter

The reality of all this becomes painfully clear during a major incident. 

Tim Brown (VP and CISO at SolarWinds) reflected on the days following the 2020 SolarWinds breach – when governments, regulators, customers, and media all wanted answers at once:

“The first days are really beyond intense. Everybody in the world is calling you. You’re getting calls from the governments of the world, you’re getting calls from agencies of the world, you’re getting calls from the largest customers in the world.”

In that environment, communication becomes a survival skill. And technical accuracy definitely isn’t enough. 

As Brown told the BHMEA audience:

“Every word matters. Make sure every bit of information you’re putting out is accurate.”

And later, reflecting on his own role:

“If I didn’t have the skills to do presentations and talk to people and take ownership of what was going on, then we would’ve had to replace me with somebody that did.”

If you’re a CISO, boards remember how you show up under pressure – not what controls you have in place before the pressure piles on.

The real challenge: translating risk, not hiding it

Boards are increasingly savvy when it comes to security and risk, and that means they don’t (usually) expect certainty anymore. 

But they do expect honesty, clarity, and judgement.

That means:

  • Being clear about what is and isn’t within risk tolerance
  • Explaining trade-offs without hiding behind jargon
  • Framing uncertainty as managed (never ignored) 

As cybersecurity discussions move further into business, legal, and ethical territory, CISOs who can communicate risk effectively (instead of just being able to measure it) will be the ones boards trust.

The questions have changed, and the expectations have changed.

Ultimately, that means the job has changed too. Are you ready?
