The Question Your Board
Will Ask This Year —
And Why Most CISOs Can’t Answer It

Last month I sat in a board meeting for a manufacturing company in the Hudson Valley—privately held, about 340 employees, two production facilities, and a growing concern that their cybersecurity posture was not keeping pace with the contracts they were bidding on. The board chair looked at the IT director and asked a version of the question every board eventually asks: “Are we secure?”

The IT director paused. He knew the honest answer. He also knew the honest answer would create follow-up questions he wasn’t prepared for. So he defaulted to what most technical leaders default to: a summary of recent tool purchases, a mention of the firewall upgrade, and a reassurance that “we’re in pretty good shape.” The board nodded. The conversation moved on. And nothing about the company’s actual risk posture changed.

This is the most common governance failure in mid-market companies. Not that the board doesn’t ask. They do. Not that the technical team doesn’t care. They do. The failure is that the question is framed in binary terms—secure or not secure—and the answer is delivered in technical terms that don’t map to business decisions. The board walks away reassured. The IT team walks away relieved. And the actual risk conversation never happens.

Security is not a binary state. It never has been. Every organization operates with some level of accepted risk—the question is whether that acceptance is deliberate and informed, or accidental and invisible. When a board asks “are we secure?” they are asking for a yes or a no. Neither answer is accurate. Yes is false confidence. No creates panic without direction. Both outcomes are governance failures.

The manufacturing company I mentioned had invested meaningfully in security over the prior two years. Next-gen firewall. Endpoint detection and response. Phishing awareness training. Multi-factor authentication for VPN. These are real controls, and they matter. But when I asked whether they had tested their incident response plan, the answer was no. When I asked whether they had a current inventory of their internet-facing assets, the answer was “mostly.” When I asked who would make the call to shut down production systems during a ransomware event, there was silence.

The gap between “we bought security tools” and “we have a defensible security program” is where most mid-market organizations live. The tools are necessary. They are not sufficient. And the board, if they are only hearing about tools, cannot govern the risk.

The board does not need a technical briefing. They need a risk briefing. The distinction matters. A technical briefing tells them what products are deployed and what projects are underway. A risk briefing tells them what could go wrong, how likely it is, what the business impact would be, and what the organization is doing to manage it to an acceptable level.

Here’s what a useful board-level cybersecurity conversation covers in 15 minutes:

None of this requires a CISO. It requires someone who can assess the organization’s risk posture, translate it into business terms, and present it with enough specificity that the board can make decisions. That person might be a full-time hire. For a 200-person company spending $800K a year on IT, it probably isn’t—the math doesn’t justify a $250K executive salary for what amounts to 8 to 12 hours of strategic work per month.

A regional healthcare practice—four locations, about 180 employees—learned this the hard way. They had reasonable technical controls. What they didn’t have was a tested incident response plan, a current vendor risk assessment, or anyone who had walked the board through their regulatory exposure under HIPAA. When ransomware hit, the technical team contained the encryption within hours. The recovery took eleven days. The OCR investigation took nine months. The settlement was six figures. The board’s first question afterward: “Why didn’t anyone tell us we were exposed?”

Someone had. The IT manager had flagged the need for backup testing and incident response planning in two consecutive budget requests. Both were deferred in favor of other priorities. The board made a rational decision based on the information they had. The problem was that the information was presented as a technical project request, not as a business risk requiring a governance decision. Different framing, different outcome.

Contract risk is another accelerating driver. The manufacturing company I mentioned is seeing cybersecurity requirements appear in prime contractor flow-downs, customer questionnaires, and insurance renewals with increasing specificity. Two RFP responses in the prior quarter had required a documented cybersecurity program with board oversight. They were able to check the box based on their existing controls. But the follow-up audit provisions in those contracts meant that a paper-thin answer would eventually be tested. The exposure isn’t just regulatory—it’s commercial.

The path from “we have tools” to “we have a program the board can govern” is not as long as most organizations assume. It does not require a massive technology investment. It requires structure, accountability, and a commitment to treating cybersecurity as a business risk rather than a technical project.

The manufacturing company started with a NIST CSF assessment. It took two weeks. The output was a current-state maturity score across all six functions (Govern, Identify, Protect, Detect, Respond, Recover), a prioritized gap list, and a 12-month roadmap that the board could track against. The first board presentation took 20 minutes and covered more decision-useful ground than three years of prior ad-hoc updates combined.

Six months later, they had completed a tabletop exercise that revealed their backup restoration process had never been tested end-to-end—and didn’t work as designed. They fixed it. That single finding, surfaced through a half-day exercise, was worth more than any product they had purchased in the prior two years.

The goal is not to make “are we secure?” go away. It’s to replace it with better questions. When a board starts asking “what are our top three risks and how are we trending?” instead of “are we secure?”—you have governance. When they ask “when did we last test our incident response?” instead of “do we have a firewall?”—you have oversight. When they ask “what would a ransomware event cost us in downtime, and is our insurance adequate?”—you have a board that can actually make decisions about cyber risk.

Getting there requires someone in the room who can bridge the gap between technical reality and business decision-making. For organizations with 150 to 500 employees, that bridge is the most valuable security investment available. Not another tool. Not another compliance checkbox. A person—internal or external—who can look the board in the eye and give them the answer they actually need: “Here’s where we stand. Here’s what concerns me. Here’s what I recommend. And here’s what it will take.”

The manufacturing company’s board chair told me something after that first structured risk briefing that stuck: “I’ve been asking about cybersecurity for three years. This is the first time I understood the answer.” That’s the gap. It’s not technical. It’s translational. And closing it is the single highest-leverage thing a mid-market organization can do for its security posture this year.