Skip to content

The board asks, 'Are we secure?' How should a CISO answer?

Short answer

'Secure' is not binary; a CISO communicates in business-risk language: the most material risks, how current controls reduce them relative to the board's risk appetite, planned investments, and the residual risk being accepted. An absolute 'yes' is false assurance that collapses the moment an incident happens. 'No, we'll never be secure' is technically true but unhelpful and signals no command of the problem. A shopping list of firewalls and tools conveys spending, not risk or outcomes the board can actually govern.

A board asking "Are we secure?" is really asking "Are we managing cyber risk responsibly, and should we be worried?" The question tests whether a CISO can translate technical reality into governance language the board can act on.

Why framing it as risk is correct

Security is not a state you arrive at; it is a continuous process of reducing risk to a level leadership has agreed to accept. The strong answer names the top material risks (e.g., ransomware to operations, third-party exposure, data-loss of regulated PII), states the current posture against each, compares that to the board's risk appetite, identifies where investment is going, and is explicit about the residual risk the business is accepting. That gives the board something to govern: they can fund, defer, or accept with their eyes open.

Why the distractors fail

  • "Yes, we're fully secure." This is false assurance. No organization is fully secure, and the claim destroys your credibility the day an incident occurs — the board will remember you said it.
  • "No, we'll never be secure." Technically defensible but useless. It offers no direction, no priorities, and signals that you don't have command of the risk picture.
  • A list of firewalls and tools. This confuses inputs with outcomes. Spending on products tells the board nothing about whether risk is going down or whether the money was well spent. Boards govern risk and outcomes, not procurement.

What the interviewer is probing

They want to see that you understand the CISO is a business-risk officer, not a head of IT plumbing. The hallmark of a weak candidate is reaching for reassurance ("yes") or for a technical inventory — both feel like answers but neither equips the board to make a decision. Maturity shows in connecting controls to risk, risk to appetite, and appetite to investment, while staying honest about what remains unaddressed.

Likely follow-ups

  • How would you express the organization's risk appetite to a non-technical board?
  • What single metric would you put on the first slide of a board security update, and why?
  • How do you avoid giving the board false assurance while still sounding credible?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.