ACI Leadership Series: Cybersecurity Questions Boards and Executives Need to Ask

leadership series profile images of top industry leaders in audit, cybersecurity and IT

Cybersecurity Questions Boards and Executives Need to Ask: A discussion with Wes Spencer – Webinar Notes

Hosted by Daniel Lowrie, ACI Learning edutainer.


The purpose of this guide is to serve as a complementary aide to help you follow along in our recent Leadership Series webinar episode, “Cybersecurity Questions Boards and Executives Need to Ask.” In this interview, our friend Wes Spencer - a nationally recognized technology innovator and cybersecurity expert - discusses what boards should be asking about cybersecurity. Have these notes ready, then watch our full interview.


  • Business outcomes are crucial for MSPs, focusing on technical details can be challenging.
  • Empathy is key to understanding what can impact the business's operations and growth.
  • Effective communication involves teaching, tailoring, and taking control of the cybersecurity conversation.

Compliance and Cybersecurity:

  • Executives often believe that being compliant means they are secure.
  • Compliance is the minimum standard, not the maximum.
  • Compliance does not guarantee security tomorrow; it only sets the floor.
  • Residual risk remains, and continuous improvement is necessary.
  • Emphasize the importance of security frameworks and peer analysis beyond compliance.

Questions for Executives and Boards:

  1. Understanding Compliance:
  • How do we ensure executives understand that compliance is the baseline, not the endpoint?
  • What strategies can be employed to convey that being compliant today doesn't guarantee security tomorrow?
  1. Continuous Improvement:
  • How do we convey the idea that cybersecurity is an ongoing process of improvement?
  • What methods can be used to encourage executives to see compliance as a starting point rather than a final destination?
  1. Security Frameworks and Peer Analysis:
  • How can we incorporate security frameworks and peer analysis into discussions with non-technical leaders?
  • In what ways can these tools be effectively communicated to decision-makers?
  1. Yellow/Green/Red Systemic Indicators:
  • Raw data should be transformed into systemic indicators for high-level board discussions.
  • These indicators can help gauge the overall cybersecurity posture and identify areas that need attention.

Key Questions for Boards:

  1. Employee Training:
  • Are all employees receiving cybersecurity awareness training?
  • Have we met the minimum standards for training, particularly in areas like phishing?
  1. EDR Alerts and Response Time:
  • How many EDR (Endpoint Detection and Response) alerts are we experiencing?
  • What is our response time to these alerts?
  1. Risk Assessment:
  • What are our yellow, green, and red indicators in terms of cybersecurity risk?
  • How frequently are these indicators assessed and communicated to the board?
  1. Budgeting for Security:
  • How can the board be reminded of the cost of not addressing cybersecurity risks?
  • What budget considerations are necessary to manage and mitigate identified risks?

Data Presentation:

  • The board should not be overwhelmed with raw data; instead, present information in terms they can relate to.
  • Utilize yellow and red indicators as opportunities to empower the board to take action.
  • Relate data to the cost of not addressing cybersecurity issues, including budget and potential operational disruptions.

Strategic Discussions:

  • Translate raw data into actionable insights that prompt strategic discussions.
  • Board members are not cybersecurity experts, so present information at a high level.
  • Encourage a shift from the server room to the boardroom by presenting information in a way that aligns with their strategic concerns.
ACI Learning



Learning areas