The Question Every Board Should Ask After a Security Incident

After a security incident, boards often ask predictable questions:

  • What happened?

  • Who was involved?

  • What did we do?

  • Are we exposed?

  • How do we prevent it again?

These are necessary. But they are not the most revealing.

The most important question a board can ask is:


“Did we understand our risk posture before the incident—and did our actions match it?”

This question forces clarity. It exposes whether leadership was governing risk proactively or simply reacting.

If the organization understood its risk posture:

  • the incident may still occur, but response will be coordinated

  • decision thresholds will be clearer

  • roles will be understood

  • communications will be more consistent

  • remediation will be faster and more defensible

If the organization did not understand its risk posture:

  • confusion will be visible

  • decisions will be inconsistent

  • blame will replace learning

  • remediation will be reactive and incomplete


What “risk posture” actually means

Risk posture is not a policy statement. It is the operational reality:

  • where the organization is vulnerable

  • what threats are most likely

  • what harm scenarios are plausible

  • how prepared leadership is to respond

  • what resources exist across sites and shifts

Risk posture is the gap between what you believe and what you can actually do.


The board’s follow-up questions (the ones that drive improvement)

Once the posture question is asked, the right follow-ups are:

  • What did we believe the top threats were, and were we correct?

  • What did we fund, and what did we underfund?

  • Were roles and thresholds clear during the incident?

  • What decisions were delayed, and why?

  • What did training prepare staff to do—and what did it not?

  • What governance changes will we implement in the next 90 days?


The remediation window

Organizations often miss the most valuable window: the post-incident clarity period when leaders are willing to change.

Boards should require a 90-day remediation plan:

  • owners and deadlines

  • policy updates

  • training updates

  • technology configuration changes

  • drill schedule

  • metrics to demonstrate improvement


The purpose of post-incident review

The goal is not to produce a report. The goal is to change the system.

The board’s job is to ensure the organization learns in a way that becomes governance—so the next incident meets a stronger organization.
