Board Briefing · 2026
The board's cyber agenda for 2026.
A short orientation for directors: the questions every board should be able to answer about its cyber posture this year.
- 4
- Questions every board should answer
- 72h
- Typical regulatory disclosure window
- 2026
- Edition · reviewed each January
A board does not need to run the security program. It does need to be able to answer four questions without turning to management for the words. If it cannot, the gap is a governance gap, not a technical one.
1. What would a material incident cost us — beyond the headline?
Direct response cost is the smallest line. The board should understand the exposure to disclosure obligations, customer attrition, and the operational pause that follows containment.
2. Who decides, and how fast?
Decision rights during an incident should be settled on a calm day, in writing. A board that learns the escalation path during the incident is already behind it.
The first hour of a breach is a leadership test. The controls were the last quarter’s work.
3. Are we spending on the right risk?
Security budgets grow by accretion. The board’s job is to ask whether the spend still maps to the risks that would actually threaten the enterprise, or only to the ones that were loud last year.
4. Can our security leader tell us the truth?
The most valuable thing a board can cultivate is a security leader who is safe to deliver bad news early. Everything else in this briefing depends on it.
About Meridian
This briefing accompanies the fellowship.
The full agenda is worked through over nine months with the people who will carry it. Learn how the program prepares security leaders for the boardroom.
View the programPrepared by the Meridian faculty for fellows in active directorship.