Security Leadership

The Board Security Question Every CISO Dreads — And How to Answer It

Jim Nitterauer, CISSP #547941, CISM #11928006 min read
Published: March 14, 2026

It arrives in different forms. "Are we secure?" "How exposed are we?" "Should I be worried?" The words vary, but the question is always the same. And most CISOs, even experienced ones, feel the floor shift when they hear it.

Not because the question is unfair. Because the way it's usually answered makes things worse for everyone in the room.

The question isn't unanswerable. But it requires a different approach than most security leaders take. This is what that approach looks like.

What the board is actually asking

When a board member asks "Are we secure?" they're searching for a binary. Yes or no. Safe or not safe. The framing is understandable. They're not security practitioners. They don't think in terms of risk tolerance, threat actors, or control coverage. They think in terms of the business.

In reality, security isn't a yes or no question. Consider a related one: "How much security is enough?" How someone answers it reveals a lot about their mindset. My own answer is "just enough": enough to bring the risks the business cares about down to a level it is willing to accept, and no more than that.

That's the key insight. The underlying concern behind every version of this question is the same: is something going to happen that hurts the company? Revenue, reputation, continuity, regulatory standing. The board member is asking about business risk. They're just using the only vocabulary available to them.

Most CISOs miss this. They hear a security question and answer a security question. They talk about controls and frameworks and maturity scores. The board nods, understands nothing, and leaves with the same anxiety they walked in with. That's a failure of translation, not of security.

The board isn't asking about your firewall. They're asking about the business. Answer accordingly.

The mistake most CISOs make

The most common mistake is answering without first understanding what the person actually means when they say "secure."

A CISO who lumps everything into one answer ("we have endpoint protection, we passed our SOC 2, we run phishing simulations") is giving a technically accurate response that communicates nothing useful. It treats the entire organization as a single security unit with a single risk posture. No organization works that way. The risk facing the engineering team is different from the risk facing finance, which is different from the risk facing legal or HR.

The one-bucket answer also skips past the question the board member was actually asking. Different people ask "Are we secure?" for different reasons. The CFO asking it after reading about a ransomware attack on a competitor has a different concern than the audit committee chair asking it before a compliance review. Answering without understanding the intent means you're almost certainly answering the wrong version of the question.

If you haven't asked what they mean by "secure," you haven't answered the question. You've just talked.

The first thing to do: ask what they mean

Before you answer, ask one question: "What do you perceive secure to mean?"

This isn't deflection. It's the most important question in the room. The answer tells you exactly what the board member is worried about and what they need to hear.

Some will say: can we get breached? Some will say: are we doing everything we should be? Some will say: how do we compare to others in the industry? Each of those is a different conversation. Each one has a real answer. The clarifying question lets you give it.

In practice, this move also signals something important to the board: that you think carefully before you speak, that you don't treat security as a monolith, and that you're focused on what they actually need to know rather than what's easiest to say. That signal is valuable in itself.

The answer isn't one number. It's a map.

Once you understand the intent behind the question, the answer isn't a single statement. It's a structured walk through the organization.

My approach is to break the enterprise into functional segments: finance, engineering, legal, HR, marketing and sales. Every organization is structured differently, so the segments will vary, but the framework is consistent. For each area, you address three things: what risks have been identified, what steps have been taken to reduce them, and where material risk remains.

This gives the board something a binary answer never can: a map of where the organization stands. They can see which areas are well-managed, which are in progress, and which carry risks that haven't been fully addressed. They can ask intelligent follow-up questions. They can connect security posture to the parts of the business they know best.

It also changes the vocabulary of the conversation from controls to risk, which is the right vocabulary for a board discussion. The board doesn't need to know how your EDR platform works. They need to know whether the risks that could hurt the business are understood and being managed.

Break the organization into segments. Walk through each one. The board needs a map, not a verdict.

When the honest answer for a segment is: not well

This will happen. Some functional areas will carry risk that has neither been reduced nor formally accepted. Maybe a legacy system in finance hasn't been patched because remediation requires a long change control process. Maybe a key HR platform doesn't support MFA. Maybe a third-party marketing vendor has broader access to customer data than it needs.

The right move is to say so directly. Tell the board that this segment carries an unaddressed risk, describe what it is in business terms, and give them the options for how to treat it: accept it, mitigate it, transfer it through insurance or contract, or avoid it by changing how the business operates.

This is not failure. This is exactly the conversation a board should be having with their security leadership. A risk that is named, understood, and presented with options is a managed risk. A risk that is hidden behind a comfortable answer is a liability. The board will trust you more for surfacing it than for papering over it.

CISOs who fear this conversation usually fear it because they haven't framed it correctly. The frame isn't "we have a problem." The frame is "here is a decision the business needs to make." That's a different conversation entirely.

An unaddressed risk presented with options is a business decision. A hidden risk is a liability. Give the board the decision.

What good looks like

When this question is answered well, the board doesn't leave with a yes or a no. They leave with a picture of the organization's risk posture: which areas are covered, which are being worked on, and which involve decisions that belong at the board level.

Over time, something else changes too. The board gets better at asking questions. Instead of "Are we secure?" you start hearing "How is the finance team's exposure looking?" or "What's the status on the vendor risk issue from last quarter?" Those are questions a CISO can answer precisely. That shift in the quality of the conversation is a sign that the relationship is working.

The CISOs who dread this question are usually the ones who haven't changed the framing. The question itself isn't the problem. It's a board doing what boards are supposed to do: asking about risk to the business. The answer just requires a different structure than most security leaders have been taught to give.

The goal isn't to survive the question. It's to change the quality of the questions that come after it.

If you're working through this

If you're a CISO preparing for this conversation, or a leadership team trying to get more useful security reporting out of your board interactions, the framework above is a starting point. The specifics (which segments to use, how to present unaddressed risks, how to calibrate the level of detail for your particular board) depend on the organization.

If you want a second set of eyes on how to structure this for your situation, I'm happy to work through it with you.
