3 Cyber questions your board will ask in 2026 and beyond

Cybersecurity used to be considered an IT issue. Now it’s a boardroom issue. Think of it this way: The smoke alarm is blaring, and directors are holding the fire extinguisher, responsible not only for spotting the fire, but for proving they did everything possible to prevent it.

And the pressure is rising – with the heat cranking up a notch as company directors are now personally on the hook (even made accountable through fines) for cyber resilience.

So, it’s safe to say that the cyber conversation at board level has never been more critical or more high-stakes. In fact, 93% of boards now see cyber risk as a direct threat to stakeholder value, according to Gartner’s 2024 Board of Directors Survey.

Indeed, what was once considered a technical issue is now a strategic, operational, and even a ‘personal’ one for company directors.

So what’s the backdrop? Undoubtedly, Australia’s cyber threat landscape has shifted dramatically over the last several years.

For starters, we’ve seen the fallout of major breaches across sectors, the introduction of the 2023–2030 Australian Cyber Security Strategy, and tougher mandatory reporting rules.

And in a major development, Australia’s cyber legislation was significantly updated with the enactment of the Cyber Security Act 2024, which received Royal Assent on 29 November 2024.

This reform is a core component of the government’s strategy to boost national resilience and bring Australia’s laws in line with international best best practice.

Among other things, it introduces:

• mandatory ransomware payment reporting for businesses with over $3 million in turnover
• establishes a Cyber Incident Review Board, and
• sets minimum security standards for smart devices. It also includes stronger protections for information shared during incidents, which encourages cooperation without the fear of enforcement.

These changes reflect the fact that cybersecurity is now not just an operational or reputational issue, but a compliance one too – and company directors can no longer afford to treat it as someone else’s job.

But that’s not all: Regulatory and shareholder scrutiny are rising. Insurers are more demanding. And public trust? That’s harder than ever to earn back after an incident.

Let’s consider some numbers: In FY2024–25 the Australian Signals Directorate (ASD) fielded more than 42,500 calls to its Cyber Security Hotline – a 16% rise from the previous year. The agency also responded to over 1,100 cyber security incidents, highlighting the relentless targeting of Australian organisations and the persistent threats facing our critical infrastructure.

That’s why for these reasons – and more – boards must ask about cyber security. And if you’re a CISO, CIO or head of tech, you’re the lifeline to clarity, control, and confidence in the boardroom. But to be effective, you need to anticipate what they’ll ask, and have clear, risk-aligned answers at your disposal.

Here are the three most important questions your board will expect you to answer, along with how to approach them in today’s threat landscape.

1. Are we protected and how do we know?

This question hasn’t changed, but the stakes have. ‘Are we protected?’ is easy to ask and hard to answer.

The second part – ‘how do we know?’ – is where you prove your worth. But it’s a complex question. It requires a thorough view that includes board oversight, cyber risk management, supply chain vulnerabilities, internal policies and procedures, staff awareness and training, IT best practices, incident response, patching protocols, business continuity planning, and much more.

And boards don’t expect technical jargon. They expect assurance. And that means you must be able to demonstrate visibility, maturity, and ongoing oversight. You have to have a compelling story to tell.

Start here:

• Know your risk. Reference your most recent risk assessment aligned to frameworks like NIST or the Essential Eight.
• Test regularly. Red Team/Blue Team exercises or third-party penetration testing demonstrate a proactive stance.
• Report clearly. Boards don’t need logs; they need summaries that show alignment with business goals and risk appetite.
• Measure progress. Maturity models, like those in the ASD’s Essential Eight Maturity Model or Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA) framework, help quantify progress over time.

2. What is our most valuable data – and how are we securing it?

Certainly, the days of defending everything equally are over. Attackers are smarter, more targeted, and increasingly backed by organised crime or state actors. If anything, modern cybercriminals operate with the structure and strategy of a legitimate business.

And they know what they’re after. So, you have to ask yourself: Do we?

Let’s face it: Boards now expect a clear answer to what your crown jewels are, and how you’re defending them. That includes:

• Customer Personally Identifiable Information (PII) and financials
• Strategic IP and M&A activity
• Operational data tied to business continuity
• Credentials or privileged access that could be exploited

Consider this approach:

• Data classification and mapping: What do you hold, where is it stored, and who has access?
• Access controls: Are you applying Zero Trust principles where appropriate?
• Encryption and separation: Are critical assets stored in segregated systems? How are they encrypted, and what’s your key management strategy?
• Monitoring: Are you able to detect unusual access to your most sensitive assets in real time?

Additionally, as a business, you need to ask: ‘Do we hold data that makes us a target?’ For example, a successful e-commerce platform likely stores thousands of customers’ credit card details, which is an obvious prize for attackers. To protect it, businesses must adopt targeted defenses like separating databases, encrypting data, or storing card digits across different systems.

Certainly, every industry has its own risks. So start by identifying and ranking your data assets from most to least sensitive. Then, develop protection strategies for your most valuable data. And understand that cybersecurity isn’t one-size-fits-all, and prioritisation is essential.

3. Have we had a breach – and how would we respond if one occurred?

If you haven’t had a breach, you either will, or you already have and don’t know it. As the experts say, it’s not a matter of if, but when.

That’s not a scare tactic. It’s the new operating assumption for boards, CISOs, and regulators alike.

Therefore, directors are expected to oversee not just breach prevention, but also incident response preparedness. They want to know:

• Have we experienced a breach or incident in the past year?
• How did we detect and contain it?
• What were the lessons learned?
• Are our response and recovery plans up to date?
• Who’s responsible for activating our playbook?
• Are simulations or tabletop exercises happening, and how often?

New expectation: You’ll also need to speak to regulatory and notification obligations. Who do we tell and when – under the Privacy Act, under the mandatory notification scheme, and under any sector-specific guidelines?

After all, this is your security story

If there’s one key takeaway, it’s this: When cyber hits, it affects revenue, operations, reputation, and increasingly, careers. Therefore, the boardroom isn’t just another stakeholder in your security story. It’s the place where trust is earned, funding is unlocked, and strategy is shaped.

So treat this conversation for what it is — your lifeline.

If you’re not sure how to lift the quality of cyber conversations with your board, it may be time to bring in a partner like Interactive who can help frame the conversation in business terms, not just technical ones.