Four Smart Questions for Boards Overseeing Cybersecurity

Published On: November 6, 2025

What is the Supervisory Board’s Responsibility in Cybersecurity?

Cybersecurity has become one of the core areas of business risk for corporate boards. Often, there is a gap between the board’s level of understanding and the deeper technical insight of information security leaders, which can hinder effective oversight. An article published by The Wall Street Journal, “Four Smart Questions for Boards Overseeing Cybersecurity” (Allison Prang, December 19, 2024), highlighted four key questions that board members should ask their leadership teams about cybersecurity. Below, we summarize those questions and share RiskSight’s perspective on why they matter and how to apply them in practice.

1. Does leadership agree on the top cybersecurity risks?

Purpose: It is essential that senior leadership and security leaders share a common understanding of the organization’s top cyber risks. Without alignment, resource allocation and prioritization may be ineffective. This question helps reveal whether the prioritization of risks matches the company’s strategic objectives.

RiskSight’s perspective: Our experience shows that different departments often emphasize different risk areas. For instance, IT teams tend to focus on technical threats, while board members prioritize business continuity and reputational risk. The key is to combine these perspectives into one unified risk picture. Strategic tabletop exercises are a highly effective tool for doing this, allowing participants to work through realistic scenarios and discuss which risks have the most significant business impact.

Next steps: For example, a company might debate whether to prioritize ransomware prevention or supply chain risk management. Both are important, but the board must decide which has greater likelihood and business impact. RiskSight’s strategic tabletop exercises place leaders in simulated conditions where resources are limited, forcing decisions about which issue gets attention first and why. Such simulations help boards understand how prioritization works in real situations and how to justify decisions strategically.

2. What is the company culture related to cybersecurity?

Purpose: Cybersecurity cannot be viewed solely as a technical discipline; it must be embedded in organizational culture. This question helps the board understand how awareness and secure behavior are being encouraged across departments and levels.

RiskSight’s perspective: Culture often matters more than controls. If employees do not feel comfortable reporting incidents or if information is withheld, the organization becomes more vulnerable. Our experience with training programs and simulations shows that a positive and open security culture significantly increases response readiness and reduces the risk of underreporting.

Next steps: Boards should regularly ask how employee awareness is being measured and improved. For instance, internal phishing campaigns can reveal how well employees recognize threats. RiskSight offers training programs where staff can practice identifying attacks in realistic environments. Anonymous surveys can also be used to gauge whether employees feel management supports secure behavior or punishes mistakes. Interestingly, a rising number of reported incidents can actually be a good sign, showing that employees feel empowered to share information, ultimately increasing the organization’s resilience and response speed.

3. What is the plan for communicating with regulators and shareholders about cyberattacks?

Purpose: The regulatory landscape is becoming increasingly strict. For example, the EU’s NIS2 Directive requires timely and transparent incident reporting. This question helps the board ensure that the company has a clear communication strategy for regulators, customers and investors.

RiskSight’s perspective: In our view, having a solid communication plan is just as important as having an incident response plan. Beyond regulatory fines and reputational damage, transparency is key to maintaining trust. In strategic exercises, we often see that poorly thought-out communication deepens a crisis – for instance, when early statements later prove inaccurate. A well-prepared communication plan helps prevent panic and preserve credibility.

Next steps: Boards should ask whether the company has a designated spokesperson responsible for crisis communications. Are there pre-approved message templates for different scenarios, such as notifying customers of a data breach or updating investors about financial impact? RiskSight’s training programs include communication simulations where executives can safely practice responding to sudden media inquiries or regulatory demands. These exercises test the organization’s ability to respond quickly and coherently under pressure.

4. What would you do with more money?

Purpose: This question encourages the CISO to think creatively and beyond the current budget limitations. It helps the board understand which important initiatives have been delayed due to lack of funding and what priorities would emerge if additional resources were available.

RiskSight’s perspective: In our experience, these “wish list” discussions often reveal the most critical gaps, whether it’s implementing a new threat detection tool, improving backup capabilities or expanding employee training programs. This question helps boards uncover hidden risks and evaluate whether some areas need faster action.

Next steps: If, for example, the CISO says that additional funding would go toward continuous employee training, it signals to the board that the human factor is the biggest risk area. If the focus is on investing in new technology, the board should assess how that aligns with the company’s overall strategy. RiskSight recommends that boards hold “what-if” workshops to explore different budget increase scenarios. These sessions help leaders understand which investments deliver the highest return and greatest resilience.