Antares
Governance · March 18, 2025 · 5 min read

What boards should actually ask about cybersecurity

A short list of questions that produce real answers — and the ones that don't.

Most board cybersecurity updates produce comfort, not clarity. The slides look professional, the metrics trend in the right direction, and everyone leaves the meeting feeling that the program is in hand. Then something happens, and the same board discovers it didn't actually have the picture it thought it did.

Questions that produce real answers

  • What are the top three risks we are currently accepting, and why?
  • What would have to be true for those decisions to look wrong in 12 months?
  • Where is the program behind schedule, and what is blocking it?
  • If we had a serious incident next quarter, what would we wish we had done differently?

Questions that produce noise

Questions about the count of blocked attacks, patch rates, or training completion are easy to answer and tell you almost nothing about risk. They reward activity, not judgment.
