Five questions that reveal whether your company has technology oversight, or just the appearance of it.
The companies that lose money to a technology failure rarely have no oversight. They have oversight that looked sufficient until it was tested. The five questions below separate the two. They are written for board members, investors, and senior leadership who sit above day-to-day operations and need to know whether the company they are responsible for actually has technology under control, or just appears to.
These questions matter more in 2026 than they did three years ago. The SEC's cybersecurity disclosure rules, effective since December 2023, require public companies to describe board oversight of cyber risk in their annual filings. Amendments to Regulation S-P, with a compliance deadline of June 3, 2026, expand obligations for broker-dealers, investment advisers, and investment companies. The NACD's 2026 Governance Outlook Report shows that 76% of directors say AI will factor into their 2026 growth strategy. Only one-third say they are strongly confident in their board's collective skill set.
The questions that follow are not technical. They are designed to be asked by directors who do not have engineering backgrounds, and answered by management without retreating into acronyms. A real answer is specific, evidenced, and brief. An evasion is generic, conceptual, or routed through a vendor name. The gap between those two is where the risk lives.
The first question is about accountability, not capability. A real answer names a person and describes what they are responsible for. "Our IT team handles it" is not an answer. "Our MSP handles it" is not an answer. A managed service provider can deliver excellent help desk support and still have no authority to make strategic decisions about risk posture, vendor selection, or compliance readiness.
The pattern that creates exposure is when the answer is implicit. The CEO assumes the CFO knows. The CFO assumes the COO knows. The COO assumes the MSP knows. Nobody is wrong, exactly. Nobody is responsible, either. When a regulator, auditor, or buyer asks the question, the silence is itself the finding.
A useful follow-up is to ask whether the person named has the authority and the context to make consequential decisions, not just to escalate them. The difference matters when something breaks at 11pm on a Saturday and a vendor wants a six-figure emergency authorization.
This is also where the distinction between an MSP and a senior IT advisor becomes visible. Both can be valuable. They do different jobs. Confusing the two is one of the more common patterns this work surfaces, and the consequences usually only become clear during an incident or an audit. We covered that distinction in Why Your MSP Is Not Your IT Strategy.
A disaster recovery plan that has never been tested is not a plan. It is a hypothesis. The distinction matters because the failures that show up during real failovers are almost never the ones that appear in a tabletop exercise. Backups that restore but do not boot. Replication that is current but pointing at the wrong storage tier. Documentation that references staff who left two years ago. Credentials that nobody remembers because nothing has changed in a long time.
A real answer to this question includes a date, a scope, and a finding. "We tested DR in March 2026. We failed our production financial system over to the secondary site. It came up in 47 minutes. We identified that our reporting layer was not part of the original scope, and we have added it to the next test." That is an answer that suggests the work is real.
"We have a plan" is not an answer. "We do annual reviews" usually means a document is updated annually, not that anything has been tested. In regulated industries, the gap between a documented plan and a tested one is what an auditor finds when they ask for evidence of the last successful failover, the recovery time objective (RTO) that was achieved, and the recovery point objective (RPO) that held.
There is also a frequency question hiding in this one. Boards should know what cadence the company commits to. Semi-annual is a reasonable standard in regulated environments. Annual is the floor. Anything less than annual, in a business that depends on its technology to operate, is functionally untested.
Vendor concentration risk is one of the quieter failure modes in technology environments. It accumulates without anyone deciding to take it on. A SaaS tool gets adopted because it solved one problem well. Over three years it becomes critical to four functions, and the contract has auto-renewed twice without review.
The board question is not whether the company uses vendors. Every company does. The question is whether anyone knows which vendors are now essential, which are merely useful, and which are still in place because nobody owns the decision to remove them. A real answer names the top three or four vendors the business cannot operate without, describes the contractual posture, and identifies the alternatives that have been evaluated.
The follow-up is harder. What is the financial exposure if one of those vendors raised prices by 30% at renewal, was acquired by a competitor, or experienced a multi-day outage? These are not hypothetical scenarios. They are the kinds of events that happen to portfolio companies and trigger uncomfortable board conversations after the fact.
The NACD's 2026 Cyber Risk Oversight Handbook now includes formal guidance on third-party and supply chain risk management for exactly this reason. Vendor exposure is no longer a procurement concern. It is a governance concern.
Compliance is the area where the gap between appearance and reality is widest. Most companies in regulated industries can produce documentation. Fewer can defend what that documentation describes. The difference matters because auditors are no longer satisfied with policies on paper. They want evidence that the policies are operational.
A real answer to this question is specific about which frameworks the company is held to (ISO 27001, SOC 2, HIPAA, financial regulatory requirements), what the current posture is against each, and where the gaps are. The strongest answer includes the gaps. A management team that cannot name its weak spots either does not know them or is unwilling to surface them at the board level. Both are problems.
The SEC's enforcement record makes this question more pointed for public companies and registered entities. Between December 2023 and early 2025, the agency settled multiple enforcement actions totaling over $8 million in penalties for cybersecurity disclosure failures. The Cyber and Emerging Technologies Unit, launched in February 2025, signals that this scrutiny is permanent infrastructure, not a temporary focus.
For non-public companies, the analog is the buyer's due diligence team during a transaction, or the regulator during an industry-specific examination. The questions they ask are not different. The penalties for failing them are.
The fifth question is about the board itself. It is uncomfortable to ask and necessary to answer honestly. According to the NACD's 2026 Governance Outlook Report, only one-third of directors say they are strongly confident in their board's collective skill set. About 14% are concerned that their boards do not have the capabilities needed for the year ahead.
A board that cannot evaluate a technology decision is dependent on the people who bring it. That is a structural problem even when those people are excellent. The fix is not necessarily to add a technology director, though that is one option. The fix is to ensure that someone with senior operational technology experience is in the room when consequential decisions are made, even if that person is an advisor rather than a director.
This is the structural argument for fractional or advisory technology leadership at the board level. A fractional CIO is a senior technology leader who works with an organization on a part-time or defined-scope basis. In a board context, that person can serve as a translator and a challenger during technology discussions, without the cost or commitment of a full-time hire. We covered the scope of that role in detail in What a Fractional CIO Actually Does.
The question is not whether the board has technology expertise. It is whether the board has access to it consistently, in time to influence decisions rather than review them after the fact.
If the answers to these questions are clear, specific, and evidenced, the company has real technology oversight. The board's job is to maintain the cadence and not let the rigor decay. If the answers are vague, conceptual, or routed through vendor names, the company has the appearance of oversight. The board's job in that case is to surface the gap before something forces it into the open.
The pattern this work consistently surfaces is that the gap is not usually the result of negligence. It is the result of growth. A company that had 30 employees five years ago and has 150 now has often not had the moment to ask whether the structure that worked at 30 still works at 150. We covered that pattern in Five Signs Your Business Has Outgrown Its IT Setup.
The board's role is to create the moment when those questions get asked, not to answer them. The answers belong to management. But the questions, asked consistently and with patience for the real answer, are how oversight actually works.
These five questions are not a substitute for technical due diligence. They are the first filter. If management can answer them clearly, the company is probably in a defensible posture. If they cannot, the gap is worth investigating before a regulator, auditor, or buyer surfaces it on their own timeline.
If your board is asking these questions and the answers are not clear, the 30-Day IT Risk and Recovery Reset is designed to surface what is actually in place, identify the gaps, and produce a 90-day action roadmap in plain language. Fixed scope, fixed fee, no surprises. Learn more about the process or start a conversation.