'Are we secure?' is the wrong question. It always was. It is now actively dangerous.
The right board-level cyber question in 2026 is operational: what happens to revenue, regulatory standing, and customer trust on the day we get hit, and how quickly we recover.
Why the Old Question Fails
'Are we secure' implies a binary state, invites a reassuring answer, and produces governance theatre. CISOs cannot honestly answer yes; boards cannot productively act on no. The conversation gets recycled in every audit committee.
Worse, the question optimises the function for prevention at the expense of resilience. Prevention spend is essential but not sufficient. The 2026 threat profile — ransomware-as-a-service, supply chain attacks, AI-enabled phishing at scale — assumes successful compromise. Strategy has to plan for it.
The Operational Resilience Question
The question to ask instead is structurally different: 'If our three most material systems went dark on Monday morning, what is the operating, regulatory, and revenue impact by Friday — and what gets us back faster than that?' This question is uncomfortable because it forces specificity. It names the systems. It demands a number. It puts the board on the line for the recovery model, not just the security spend.
It also reveals where the work actually sits. In most organisations, the answer is not 'better prevention' but 'better continuity': backup integrity, runbook freshness, manual workarounds, third-party communication protocols, and board crisis-decision authority.
What Good Looks Like at Board Level
A board that has done this work has three things on file: a tested impact map of the top five operational dependencies; a documented recovery-time and recovery-point objective (RTO/RPO) for each, with the gap to actual capability quantified; and a crisis decision protocol that has been exercised, not just written.
None of that requires the board to become technical. It requires the board to ask different questions. The CISO benefits too — the conversation moves from 'is your budget enough' to 'is your authority enough', which is usually the real constraint.
What to Do Next
- Replace 'are we secure' with the impact-by-Friday question at every audit committee
- Map the top five operational dependencies and document the RTO/RPO gap
- Exercise the crisis decision protocol annually, with the board in the room
- Move budget conversations downstream from authority conversations
This is the kind of problem we work on. If you are running an audit committee cyber conversation that is not yet producing operational decisions, the team at Grant & Graham would be pleased to talk. We provide board-level cyber resilience advisory and crisis-preparedness exercises to boards, audit committees, and executive teams in regulated and operationally complex sectors. Contact us.