Advisory & Programmes

The board question no CISO can answer: are we doing enough

Why 'are we doing enough on cyber' is not a question, and which one is

"Are we doing enough on cyber" is not a question a CISO can answer. Not because the CISO knows too little, but because the question lacks a reference point. Enough compared to what. Enough against what. Enough measured by what. As long as the board frames the question this way, it gets an answer that is either reassuring and therefore untrue, or honest and therefore unusable. The question is flawed. The CISO's duty is not to answer it anyway, but to reframe it into something the board can weigh the same way it weighs credit risk and market risk.

Why "are we doing enough" is not a question that has an answer

The board asks in good faith. A supervisory board member asks it, a shareholder asks it, and with every news item about a ransomware incident in a comparable sector, someone asks it again. The CISO arrives at the table with a dashboard, a maturity score, a number of closed findings and a trend line pointing the right way. An hour later the board leaves the room feeling informed. Nobody can say whether enough has been done, because nobody has set a scale on which that word acquires meaning.

Compare that with the way the same board looks at credit. The CRO does not arrive at the table announcing "we are doing enough on credit risk". They arrive with an expected loss, an unexpected loss, a buffer, and an agreed risk appetite against which all those figures are set. The board does not ask questions about the colour of a dashboard. It asks questions about the range around the expected loss and about whether the buffer holds up under a scenario the board itself names. That conversation is possible because credit found its language decades ago. Cyber has not found that language yet, and so it stays stuck in tone and reassurance.

The discomfort starts with the word "enough". It implies an absolute threshold that does not exist. Risk does not disappear; it shifts and it carries a price. What the board really wants to know is whether the organisation has struck the right balance between the residual risk it accepts and what it spends to reduce that residual risk. That balance has a name: risk appetite. Without that appetite stated, "enough" is a feeling. With that appetite stated, it becomes a calculation.

Which questions the board really needs

The reframing is not a linguistic trick. It changes what the CISO brings into the room and what the board can do with it. Four questions together replace "are we doing enough".

Risk appetite. What is our risk appetite for cyber loss, in euros per year and in incident impact per event? Not a table of green, amber and red. A range with a lower bound the board rejects and an upper bound the board accepts. Without that appetite, every cyber spend lacks a benchmark.

Expected loss versus appetite. What is our current expected annual cyber loss, in the same unit, and how does it compare to the appetite? Not a single figure, but a range. A central estimate with a lower and upper bound that represents the uncertainty honestly. Expected loss below the appetite means: room to shift towards growth. Expected loss above the appetite means: a choice between more investment, more acceptance or more transfer.

Top-three scenarios. Which three scenarios hit us hardest, and what do we do before, during and after each of them? Not every scenario. The three that are most likely and most impactful in your landscape, sector and dependency chain. A ransomware outbreak that shuts down the production environment. A theft of customer data that triggers regulatory notification and disclosure. An outage of a critical supplier you are technically and contractually tied to. For each scenario: time to detect, time to recover, the first euros of damage, and who is on the phone within the first hour.

Proportionality of controls. Are our controls proportionate to our risks, and distinctive on what matters most? A control that costs you ten per cent of residual risk and one per cent of budget is cheap. A control that costs you one per cent of residual risk and ten per cent of budget is expensive. The board does not need to see every control. It should see which top five controls cover the largest share of the residual risk, and which ones fall outside that.

These four questions are not meant to corner the CISO. They are meant to put the CISO on the same side of the table as the CRO and the CFO. A conversation about cyber conducted in the same unit as a conversation about credit is a conversation in which the board can make decisions. A conversation conducted in dashboard colours is a conversation in which the board only has to nod.
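As an added illustration, not from the article and not a method the article names, the expected-loss range of the second question and the proportionality ranking of the fourth worked through in a simplified probability-times-magnitude Monte Carlo model; the scenario probabilities, loss intervals and control figures are constructed sample values, not sector benchmarks.

```python
import math
import random

# Constructed sample values, not benchmarks: (name, P(at least one event in a year),
# 5th and 95th percentile of loss per event in euros) for the text's three scenarios.
SCENARIOS = [
    ("ransomware halts production", 0.30, 200_000, 5_000_000),
    ("customer data theft", 0.15, 100_000, 2_000_000),
    ("critical supplier outage", 0.20, 50_000, 800_000),
]
# Constructed: (name, annual cost in euros, residual-risk reduction in euros per year)
CONTROLS = [("MFA on remote access", 40_000, 600_000), ("Immutable backups", 150_000, 1_200_000),
            ("Supplier outage runbook", 30_000, 180_000), ("Replacement SIEM", 500_000, 150_000)]

def _lognormal_params(low, high):
    # Treat (low, high) as a 90% interval of a lognormal; 1.645 is z for the 95th percentile
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma

def analytic_expected_loss(scenarios):
    # Central estimate: sum of p * E[loss], with E[lognormal] = exp(mu + sigma^2 / 2)
    total = 0.0
    for _, p, low, high in scenarios:
        mu, sigma = _lognormal_params(low, high)
        total += p * math.exp(mu + sigma ** 2 / 2)
    return total

def simulate_annual_loss(scenarios, years=20000, seed=7):
    # Monte Carlo over simulated years; at most one event per scenario per year (simplification)
    rng = random.Random(seed)
    params = [(p, *_lognormal_params(low, high)) for _, p, low, high in scenarios]
    totals = sorted(sum(rng.lognormvariate(mu, sigma) for p, mu, sigma in params
                        if rng.random() < p) for _ in range(years))
    pct = lambda q: totals[min(int(q * years), years - 1)]
    return {"p10": pct(0.10), "p50": pct(0.50), "mean": sum(totals) / years, "p90": pct(0.90)}

def position_vs_appetite(result, appetite_eur):
    # Judge the range, not the point: the tail decides whether the appetite still holds
    if result["p90"] <= appetite_eur:
        return "within appetite"
    if result["mean"] <= appetite_eur:
        return "within appetite on average, tail exceeds it"
    return "above appetite"

def rank_controls(controls):
    # Proportionality: euros of residual risk removed per euro spent, best first
    ranked = sorted(controls, key=lambda c: c[2] / c[1], reverse=True)
    return [(name, round(reduction / cost, 2)) for name, cost, reduction in ranked]
```

The board-facing output is the p10/mean/p90 triple set against the appetite figure, plus the top of the control ranking; the single "mean" is the number the article warns against presenting on its own.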

Which sources underpin this reframing

The four questions do not come out of nowhere. Three international frameworks prescribe precisely this way of working. The NIST Cybersecurity Framework, in version 2.0 from 2024, defines "Govern" as its first function and places risk appetite and risk tolerance explicitly under board-level accountability. Not somewhere deep in an appendix, but as a core function alongside Identify, Protect, Detect, Respond and Recover. ISO 27005 on information security risk management describes the cycle of risk identification, analysis, evaluation and treatment, and requires the outcome to be weighed against a previously established acceptance threshold. Both frameworks assume that an organisation sets its appetite before it chooses controls, not the other way round.

The NIS2 Directive does the same, but with board-level liability underneath it. Article 20 explicitly requires the management body of an essential or important entity to approve the cybersecurity risk management measures. An approval without a considered risk appetite is a signature under a document the board cannot account for. Anyone wanting to satisfy these three frameworks at once can no longer answer the board question in its old form. The frameworks force the reframing.

In line with this, the NCSC publishes guidance for board members, emphasising demonstrable board involvement in weighing controls. Not tick-boxes under a report, but minutes that show the board made the trade-off. The same thinking as at NIST and ISO, translated into Dutch supervisory practice.

Which documents and cadence carry the conversation

The four questions do not live on their own. They need a fixed set of documents that return to the same place in every meeting. Five pieces together carry the arrangement.

Risk appetite statement. A two-to-three-page document that states, in euros and in incident impact, what the board accepts and what it does not. Reset once a year, with an explicit reconsideration whenever the strategy changes.

Cyber risk register. A register updated each quarter, with the five to eight largest risks, their expected annual loss as a range, and the choice between mitigate, accept and transfer.

Scenario set. Three to four worked-out events, with time to detect, time to recover, legal obligations, communication paths and board decision points. Reviewed once a year in a tabletop exercise with the full board, not just IT.

Controls overview. A quarterly overview showing the top five commitments of budget and capacity, linked to which risk each covers. Not a long technical list, but visible proportionality between money and risk.

Board report. A report with a fixed agenda and a fixed cadence. A short progress update each quarter, and once a year an in-depth review of appetite and register together. Minutes record decisions, not just explanations.

These five pieces do not require a new department. They require the CISO to order the work differently, and the board secretary to reserve a fixed place for it. Once they are in place, the board question shifts. Not "are we doing enough" but "does our appetite still hold, and do our controls still match it". That is a question you can answer.

What this asks of the CISO

Two movements at once. The first is technical: learning to calculate cyber risk in money. Not exactly, but with ranges that are honest about the uncertainty. Methods exist for this, and they can be learned in a few weeks. The second is governance: stopping the delivery of what the board cannot weigh. No maturity scores, no dashboard colours, no percentage of a framework. Instead an appetite, a register, scenarios, proportionate controls and a report.

Both movements ask for composure from the CISO. The temptation is strong to arrive with more figures, more detail and more reassurance. The board question only changes once the answer changes. That answer is shorter, drier and more governance-oriented than what most organisations currently put on the table. The discomfort this creates in the first or second conversation is precisely the discomfort out of which a mature risk conversation emerges. By the third time, it is the new norm.

"Are we doing enough on cyber" does not disappear as a question. But whoever asks it of a CISO who has carried the reframing through gets no reassurance back. They get an appetite, an expected loss and three scenarios. They get the material with which the board makes the trade-off itself. That is exactly what a board is there for, and exactly what a CISO has to deliver.


Translate this question to your own organisation.