Five Cybersecurity Questions Every Board Should Be Asking


Written by Matt Sharp

As a Senior Technology Consultant, I have decades of experience advising mission-driven organizations on technology strategy, governance, and the effective use of digital systems. In my free time I enjoy global culture including art, food, languages and jokes. You can read more about me here.

April 7, 2026

In a previous post, I explored how foundations have a distinctive cyber risk profile. Small internal teams, high external influence, relationship-driven work, and reliance on trusted partners create vulnerabilities that differ in important ways from those faced by corporations or government agencies. This reality naturally raises a practical question for leadership: How should boards and executive teams discuss cybersecurity?

Moving Beyond Technical Conversations

Too often the conversation drifts quickly into technical territory — software platforms, security tools, network diagrams, or regulatory frameworks. At that point many board members understandably disengage. They are not technologists, and they were never meant to be. Effective oversight, however, does not require technical expertise. What it requires is the ability to ask a few focused questions that illuminate risk.

Cybersecurity as a Governance Responsibility

For foundations and other mission-driven organizations, cybersecurity is not primarily an IT issue; it is a governance issue. A cyber incident can interrupt grantmaking, expose sensitive communications, damage relationships with grantees and partners, and undermine institutional credibility. In environments built on trust, those consequences matter deeply. Boards do not need to configure security systems, but they do have a responsibility to ensure that management understands the organization’s digital risks and is managing them thoughtfully. The good news is that meaningful oversight can emerge from a surprisingly small set of questions.

The Five Questions Every Board Should Ask

Instead of trying to follow every technical detail, boards can focus on a handful of strategic questions that cut directly to resilience.

  1. What are the organization’s most important digital assets?
    Every institution has information that matters most — donor records, grantmaking systems, research partnerships, financial platforms, board communications, or strategic plans. Identifying those assets helps clarify what truly requires protection.
  2. What would happen if those assets were unavailable or exposed?
    This reframes cybersecurity as a continuity issue. Would grant payments stop? Would confidential deliberations become public? Would relationships with partners be affected? The goal is to understand impact rather than technology.
  3. How are we reducing the likelihood of those scenarios?
    Management should be able to explain, in plain language, the key safeguards in place. This might include identity protection, secure backups, monitoring, staff awareness training, and vendor oversight. Boards do not need technical detail; they need clarity about whether risks are being managed responsibly.
  4. If something does go wrong, how quickly would we know?
    Speed of detection often determines how serious a cyber incident becomes. Organizations with strong monitoring and response capabilities typically contain problems faster.
  5. Who ultimately owns cybersecurity inside the organization?
    Clear accountability matters. Someone in leadership should be responsible for coordinating cybersecurity efforts and reporting regularly to executive management and the board.

These questions do not require technical fluency, yet together they provide meaningful oversight.

Keeping the Conversation at the Right Level

Many cybersecurity briefings unintentionally become product demonstrations. Discussions revolve around software platforms, new security tools, or the latest threat reports. Those may be useful operational topics, but they are rarely governance topics. Boards add the most value when they remain focused on risk, preparedness, and resilience rather than on selecting technology. When conversations stay at that level, directors can contribute their experience in strategy, risk management, and institutional stewardship.

What Good Oversight Leads To

No organization can eliminate cyber risk entirely. The objective is resilience: preventing most incidents, detecting problems quickly, and recovering effectively when disruptions occur. When boards ask thoughtful questions regularly, several positive outcomes tend to follow:

  • Cybersecurity responsibilities become clearer inside the organization
  • Leadership prioritizes protections for the most important assets
  • Incident response planning improves
  • Security investments become more aligned with institutional risk

Making Cybersecurity Part of Everyday Governance

Most importantly, cybersecurity becomes a normal part of governance rather than an occasional technical briefing.

For foundations and nonprofits, the goal is not to build a security operations center inside the organization. It is to ensure that digital risk is managed with the same care as financial stewardship. Often that begins with a board conversation that is simple, structured, and repeated over time. A few good questions — asked consistently — can significantly strengthen institutional resilience. And in philanthropy, where trust is the currency of impact, protecting that resilience is essential.

 

 

For over forty-two years, CGNET has provided state-of-the-art IT services to organizations of all sizes, across the globe. We’ve done it all, from IT and cybersecurity assessments to cloud services management to generative AI user training. Want to learn more about who we are and how we might be able to help you? If so, check out our website or send us a message!
