Dear CISO,

There is a question that will find you sooner or later. In a board meeting, across a dinner table with your CEO, or in the corridor after a risk committee. It will be delivered with the casual confidence of someone who has no idea what they are asking. And the moment it lands, something in you will tighten.

How secure are we?

Four words. And in those four words sits one of the loneliest moments in your professional life.

Because you know the answer. You know it better than anyone in that room. And the very fact that you know it is precisely why you cannot say it.

What they think they are asking

The person asking that question, your CEO, a NED, perhaps your Chair, believes they are asking a reasonable thing. They have approved a budget. They have sat through presentations. They have nodded at dashboards. They feel they are engaged. What they want from you, in that moment, is quiet confirmation that the investment has bought them safety.

What they are actually asking is this: tell me I don't need to worry about this.

And that is a completely different question. One that has nothing to do with security and everything to do with comfort.

The trap hiding in plain sight

Here is the part that rarely gets said out loud.

The reason this question is so dangerous is not because you lack the answer. It is because the organisation has never built the conditions in which the honest answer is safe to give.

Think about what happens in the two most likely scenarios.

If you answer with confidence, like “we are in a strong position, our controls are mature, our risk exposure is within appetite”, you have just created a paper trail. You have put your name to an assurance that you know is conditional, time-bound and riddled with caveats you didn't have time to say. And when something goes wrong, and something eventually will, that confident answer will be retrieved and read back to you in a very different room.

If you answer honestly, like “we are managing known risks reasonably well, but our third-party exposure concerns me, our legacy infrastructure carries risk we haven't been able to remediate, and I cannot tell you that a determined adversary wouldn't find a way through”, you have done several things at once. You have alarmed the room. You may have triggered a regulatory disclosure conversation. You have handed ammunition to anyone who wants to question whether the security investment is working. And you have almost certainly ensured that the next hour of that meeting is spent on your answer rather than the agenda.

So you do what most CISOs do. You find the middle. You say something that is technically accurate, carefully qualified, and strategically incomplete. You answer the question they wanted to ask rather than the one that needed asking.

And then you drive home carrying the weight of what you didn't say.

That is not a failure of courage. That is what it looks like when an individual absorbs institutional dysfunction so that the organisation doesn't have to confront it. You are not the problem here. But you may be the person best placed to change it.

Three ways to think about this differently

There is no perfect answer to “how secure are we?” and you should be deeply suspicious of anyone who tells you there is. But there are different ways to approach the conditions around the question, and each carries its own trade-offs.

The first option is to reframe the question before it is asked.

Rather than waiting to be put on trial, you work upstream. You invest in helping your board and CEO develop a more sophisticated question, one they own, not one they fire at you. This means building a different kind of conversation over time, not in the crisis of the moment. It means introducing the concept of risk appetite as a board decision rather than a CISO recommendation. It means the board eventually asks not “how secure are we?” but “are we operating within the risk appetite we have set?”, a question you can actually answer with honesty and precision. This takes patience. It takes political capital. And it requires a CEO who is willing to be a genuine partner rather than an occasional inquisitor. Not every organisation is ready for it. But where it works, it transforms the relationship entirely.

The second option is to answer the question with a question of your own.

Not defensively, and not as a deflection, but as an honest reframing in the moment. Something close to: that depends on what level of residual risk the board is comfortable carrying, and I'd like us to agree on that together. What this does is return the question to its rightful owners. Security is not a state the CISO delivers. It is a risk position the organisation chooses. By naming that, you shift from defendant to advisor, which is where you should be. This will feel uncomfortable the first time. It may land badly with a board that expected a simple answer. But it is the most honest professional thing you can do, and over time it builds a far more durable relationship than reassurance ever could.

The third option is to change what the question is measuring.

Most boards ask “how secure are we?” because they have no other language available to them. They are reaching for a feeling of control, and the question is the only instrument they have. The deeper opportunity is to replace that instrument entirely, not with a better dashboard or a more sophisticated metric, but with a shared understanding of consequence.

This means shifting the conversation from the state of your defences to the impact of plausible scenarios. Not “are our controls green?” but “if our payment processing were unavailable for 72 hours, here is what that means for the business, for our customers, and for our regulatory standing, and here is what we are doing to reduce the likelihood and the impact of that.” Consequence-led conversations do something that security metrics never can. They give the board something concrete to weigh, which is the only basis on which they can genuinely exercise judgement rather than simply defer to you.

The risk of this approach is worth naming honestly. Once you open a consequence-led conversation, you may surface appetite for risk reduction that the business cannot afford to act on. You may also find that some members of your board engage with this framing far more readily than others, which creates its own political complexity. But a board that understands consequence is a board that can share the weight you are currently carrying alone. That is worth the discomfort of getting there.

A thought to leave you with

You will be asked this question again. Probably soon. And the instinct will be, as it always is, to find the answer that protects everyone in the room including yourself.

I would gently encourage you to resist that instinct, not recklessly, but deliberately.

The most important thing you can do with this question is not answer it better. It is to use it as the beginning of a longer conversation about what the organisation actually wants from you. Assurance, or honesty. Because those are not always the same thing, and the gap between them is where most of the real risk lives.

You don't have to resolve that tension today. But you might consider naming it, quietly, carefully, and to the right person, before the question finds you again.

You carry a great deal that the room doesn't see. That is not lost on me.

Until next month.

Gerrad