A board chair asked me last month what they should be asking the CISO. I gave them the usual answer — risks, controls, residual exposure, the shape of the third-party tail — and they went away looking competent.
Then I sat on the train home and thought about it properly. The honest answer is shorter, blunter, and almost never on the board pack.
These are the questions I wish boards would ask, in the order I'd ask them. They don't replace a maturity model. They tell you whether the people running the maturity model are awake.
The twelve
1. When was the last time we restored from backups, properly, end to end?
Not when did we test a backup. When did we restore something a department actually relied on, in conditions it actually runs in. If the answer is "we haven't, but the backups complete cleanly," your backups are theoretical.
2. Who carries the pager this weekend?
By name. Not "the SOC." Not "managed services." A human, with a phone, and a rota that says who relieves them on Monday morning. If nobody can answer this in the room, the pager isn't being carried.
3. What did we miss last quarter?
Not what did we catch. What did we miss. The honest CISO has an answer; the polished one will deflect to "we have multiple layers of defence." Press until you get a specific. If there isn't one, either we are very lucky or we aren't looking.
4. Show me a screenshot of an alert from this morning.
Not a slide that explains how alerts work. An actual one, from today, on the analyst's actual screen. If that takes more than five minutes to produce, the operating tempo of the function is slower than the threat.
5. What is the worst thing we know about ourselves?
Every security function knows one or two things that are quietly terrible. Maybe the AD forest still has Windows 2008 servers nobody dares touch. Maybe the password reset process for finance is, in practice, "phone the helpdesk and confidently use a name." Maybe we have credentials in source code we keep meaning to rotate. Find out which.
6. Who can deploy to production, today, without a code review?
The answer is rarely zero. The answer is rarely small. And the answer matters more than anything a control framework asks about.
The harder six
7. If we lost the CISO tomorrow, how would we know what they knew?
Most security knowledge in most organisations is in one person's head and one person's saved searches. Treat this as a continuity question, because it is one.
8. Where do we send invoices to a vendor we have never met?
Roughly. To one address? To one person? Through one bank account? The answer maps directly onto where your fraud blast radius is. It also maps onto how much your finance team is being paid to be a perimeter control.
9. When did we last say no to a project on security grounds, and what happened?
If we have never said no, we are not a security function — we are a help desk for compliance theatre. If we said no and the project happened anyway, we have learned where the actual decision boundary sits, which is useful.
10. What is the one thing the regulator would learn in fifteen minutes that we wouldn't want them to?
Everybody has an answer. The exercise of asking it out loud changes how the function operates the next quarter. Try it.
11. Are we paying our security people enough to leave us at the wrong time?
The market for the senior end of this profession has not slowed down. If your retention strategy is "the work is interesting," you are about to learn it was also interesting to the person hiring them away.
12. What part of last year's plan didn't happen, and why?
This is the one I find most useful, because it tells you whether the function is realistic about itself. A function that delivered 100% of last year's plan was either too unambitious or is gently lying to you. A function that delivered 60% and can tell you, item by item, why the other 40% didn't happen is a function that knows what it is doing.
The point
None of these will appear in a maturity model. None of them feature on a vendor's slide. They are the questions a curious chair would ask if they decided to spend an afternoon actually understanding what they had bought.
A board's job is not to know the answer to every question. It is to ask the questions that make sure someone in the building does. The list above is a useful start. The rest is the unglamorous business of paying attention.
If your CISO is annoyed by any of these questions, that is also information.