After more than 150 executive tabletop exercises and direct advisory work with boards across financial services, healthcare, energy, manufacturing, and government, the questions boards are asking the CISO in 2026 have shifted materially. The SEC disclosure environment, the cyber insurance market posture, AI governance, and the regulatory environment around agentic AI have all moved the conversation. This article covers the eight questions every CISO should be prepared to answer at the next board meeting.
What Changed in the Board Conversation
The CISO-board conversation in 2026 is not what it was in 2022. Three forces have moved it. First, SEC cybersecurity disclosure rules created a board fiduciary obligation around cybersecurity that did not exist before. Boards now have direct accountability for material cybersecurity incident disclosure within four business days and for annual cybersecurity risk management and governance disclosures in Form 10-K. Second, the cyber insurance market hardened, then stabilized, and the policy questions now require board-level understanding rather than a CISO-and-broker conversation. Third, AI governance moved from a technology committee discussion to a full-board agenda item as the EU AI Act, SEC AI risk disclosure, and state-level AI legislation created an integrated regulatory picture.
The CISO who walks into the 2026 board meeting with the 2022 briefing structure will not address the questions the board actually has. The questions below are the eight that surface most often in current board advisory work.
Question 1: What Is Our Current Material Disclosure Posture?
This is the question SEC Item 1.05 makes mandatory. The board needs to know what would trigger a material disclosure today, what active investigations or incidents are running that could escalate to material status, and what the materiality threshold review process looks like. The CISO answer should reference the joint materiality assessment process with the CFO, General Counsel, and audit committee chair, plus the documented criteria for escalation.
What boards reward in the answer: a documented process, named decision-makers, and a regular review cadence. What boards penalize: the CISO answering this question alone without joint CFO and General Counsel involvement.
Question 2: When Was the Last Executive Tabletop and What Did the After-Action Find?
This is now a near-universal board question for cybersecurity-mature organizations. The audit committee specifically wants the after-action report, the named remediation owners, and the progress against the remediation roadmap since the last exercise. The board treats this as a leading indicator of organizational readiness, both for the next incident and for the cyber insurance renewal cycle.
What boards reward: an annual cadence at minimum, with a documented after-action and named owners. What boards penalize: "we have not done a tabletop in over 12 months" or "we did one but the after-action is informal." The data behind the question: across the 150-plus exercises Mark has facilitated, 89 percent of tabletop participants could not name their incident commander when asked at exercise start.
Question 3: Where Are We on AI Governance Specifically?
The board AI conversation has moved from "are we using AI?" in 2023 to "how are we governing the AI we are already using?" in 2026. The board wants to know the AI inventory, the governance framework in use, the regulatory compliance posture (EU AI Act, SEC AI risk disclosure, NIST AI RMF), and the risk surface assessment.
What boards reward: a named framework like the Enterprise AI Trust Score with documented scoring across five dimensions (Data Lineage, Model Provenance, Output Governance, Identity and Access for AI Agents, Adversarial Resilience). What boards penalize: "we have an AI policy" without operational implementation evidence.
Question 4: How Does Our Cyber Insurance Posture Match Our Risk Profile?
This question used to be a CFO-and-broker discussion. In 2026, it is increasingly a board question with audit committee depth. The board wants to know the coverage limits versus the modeled worst-case scenario, the underwriting controls the carrier is rewarding versus the controls the organization actually has, the social-engineering coverage condition, the ransomware sub-limit, and the war exclusion language given the current geopolitical environment.
What boards reward: a Cyber Insurance Readiness Score or equivalent framework, joint CISO and CFO accountability, and a documented gap-closure plan for the next renewal. What boards penalize: "the broker handles it" without CISO or CFO involvement in the underwriting decision.
Question 5: What Is the Third-Party Risk Exposure and How Is It Being Managed?
Third-party risk has become first-party risk in 2026. The post-Change Healthcare, post-MOVEit, post-SolarWinds environment has hardened board attention on supply chain cybersecurity. The board wants to know the third-party inventory, the critical-vendor classification, the contract terms covering breach notification and security audit rights, and the response framework if a critical vendor experiences a material incident.
What boards reward: a documented critical-vendor classification, contract terms that survive a vendor breach, and a tabletop scenario that has tested vendor-incident response. What boards penalize: vendor inventory that is not current or critical-vendor classification that is informal.
Question 6: What Is the AI-Enabled Threat Picture Right Now?
The board has read about deepfake voice fraud, AI-generated spear phishing, synthetic identity attacks, and prompt injection. They want to know what is happening in the threat picture relevant to the organization, what defensive controls are in place, what tabletop scenarios have tested the relevant attack categories, and what the executive team specifically would do if a deepfake voice call came to the CFO at 11 PM on a Friday.
What boards reward: a documented out-of-band verification process for high-value executive actions, behavioral pattern monitoring beyond content analysis, and red team exercises that include AI-generated attack categories. What boards penalize: generic awareness training treated as the primary defense.
Question 7: Where Is the Talent and Succession Posture?
Cybersecurity talent retention is a 2026 board question that did not exist before. The board wants to know the depth chart, the documented succession plan for the CISO and key security roles, the retention risk assessment, and the talent pipeline. After the CISO succession crises that hit several public companies in 2024 and 2025, boards understand that key-person dependency in security leadership is a governance gap.
What boards reward: a documented succession plan with named successors, current retention risk assessment, and active talent development. What boards penalize: "we will figure it out if it happens."
Question 8: What Are You Asking the Board to Approve This Quarter?
This is the question that turns the board briefing from information to governance. The CISO briefing that ends without a specific ask is an information dump. The CISO briefing that ends with a specific funding request, organizational change, or disclosure posture acknowledgment is governance.
What boards reward: clear quarterly asks tied to documented gap-closure work. What boards penalize: ambient cybersecurity concerns without specific decisions to make. Every quarterly briefing should end with at least one specific item the board is being asked to approve, fund, or acknowledge.
The Pattern Across All Eight Questions
The pattern across all eight questions is the same. Boards are no longer satisfied with status reports. They want named frameworks, documented processes, after-action evidence, and specific decisions. The CISO who structures the quarterly briefing around the four-section framework (Current Quarter Posture, Material Disclosure Risk, Investment Decision Surface, Regulatory and Insurance Horizon) and ends with specific asks is operating at the level boards expect in 2026.
Key Takeaways
- The CISO-board conversation has shifted materially in 2026. SEC disclosure, cyber insurance, AI governance, and third-party risk have all moved the questions boards are actually asking.
- Eight questions surface most often in current board advisory work: material disclosure posture, last tabletop and after-action, AI governance, cyber insurance posture, third-party risk, AI-enabled threats, talent and succession, and the specific ask for the quarter.
- Boards reward named frameworks and documented processes. The Enterprise AI Trust Score, the Cyber Insurance Readiness Score, the 72-Hour IR Executive Playbook, and a structured board update template are all evidence of mature governance.
- Every quarterly briefing should end with a specific ask: a funding request, an organizational change, or a disclosure posture acknowledgment. Without an ask, the briefing is information rather than governance.
- The CISO who answers question 8 well typically gets the funding approved for the other seven questions. The board ask is the leverage point.
Where This Came From
This article is grounded in 150-plus facilitated executive tabletop exercises and direct board advisory work across financial services, healthcare, energy, manufacturing, government, and technology. The eight questions reflect the actual pattern of board inquiries in 2026 advisory engagements, not a survey or research summary.
Next Steps
If your CISO has a board briefing scheduled, the eight questions above are the right preparation framework. The Enterprise AI Trust Score self-assessment and Cyber Insurance Readiness Score self-assessment both produce documented evidence boards reward. The research page covers the underlying tabletop findings in detail. A board-readiness review with Mark walks through the specific questions your board is likely to ask and builds the briefing structure that answers them.