2026-01-13, 6 min read
Leadership

The 5 Questions Every CEO Should Ask Their IT Team This Quarter

Five non-technical questions every CEO should ask their IT team to uncover hidden risks and strengthen their company's cybersecurity posture.

Sean P. Conroy

You don't need to understand packet sniffers, SIEM platforms, or endpoint detection algorithms to lead your company's cybersecurity efforts. You need to ask the right questions, and know what the answers should sound like.

Most CEOs avoid asking their IT team about security because they're worried about looking uninformed. But the best leaders I've worked with aren't the ones who know the most about technology. They're the ones who ask the clearest questions and hold their teams accountable for straightforward answers.

Here are five questions you should ask your IT team this quarter. None of them require technical expertise. All of them will reveal whether your business is protected or exposed.

Key insight: The value of these questions isn't just in the answers, it's in the signal they send. When the CEO asks about cybersecurity, the entire organization understands that security is a leadership priority, not just an IT concern.

1. Are We Backing Up Our Critical Data, and Have We Tested a Restore?

Why it matters: Backups are your last line of defense against ransomware, hardware failure, and human error. But a backup you've never tested is a backup you can't trust. Many companies discover their backups are incomplete, corrupted, or unusable only after they need them, when it's too late.

What you want to hear: "Yes, we back up critical data daily. Backups are stored offsite or in immutable cloud storage. We tested a full restore within the last 90 days and confirmed we can recover within our target recovery time."

Red flag: If the answer is vague, if restores haven't been tested recently, or if nobody can tell you the recovery time objective, you have a gap that needs immediate attention.

2. When Did We Last Test Our Incident Response Plan?

Why it matters: Every business needs a plan for what happens when, not if, a security incident occurs. But a plan that lives in a binder on a shelf isn't a plan. It's a document. Plans only work when the people who execute them have practiced doing so.

What you want to hear: "We conducted a tabletop exercise within the last six months. Key stakeholders from IT, legal, operations, and communications participated. We identified three gaps and have action items to address them."

Red flag: If the plan hasn't been tested, if it was last updated two years ago, or if your team can't tell you who leads the response when an incident occurs, you are not prepared.

3. What Is Our Single Biggest Unaddressed Risk?

Why it matters: This question forces honesty. Your IT team almost certainly knows about risks they haven't had the time, budget, or authority to address. Asking this question gives them permission to surface those concerns, and gives you the information you need to make informed decisions about where to invest.

What you want to hear: A specific, honest answer. Something like: "Our biggest risk is that we don't have multi-factor authentication on our remote access VPN, and it would cost $15,000 to implement." That's actionable. That's a decision you can make.

Red flag: If the answer is "we're in good shape" with no specifics, either your team is afraid to share bad news, or they don't have visibility into your actual risk posture. Neither is acceptable.

"The most dangerous risks aren't the ones you know about and accept. They're the ones nobody told you about because they didn't think you wanted to hear it."

— Sean P. Conroy, author of Cybersecurity for CEOs

4. Are We Meeting Our Compliance Requirements?

Why it matters: Depending on your industry and the data you handle, you may be subject to regulations like HIPAA, PCI DSS, state privacy laws, or contractual security requirements from your clients. Non-compliance doesn't just mean fines, it can mean lost contracts, legal liability, and reputational damage.

What you want to hear: "We are compliant with [specific requirements]. Our last assessment was [date]. We have [number] open findings and a remediation timeline for each."

Red flag: If your team can't clearly identify which regulations apply to your business, or if the last compliance assessment was more than a year ago, you need to prioritize this conversation.

5. Who Has Access to What, and When Did We Last Review It?

Why it matters: Access creep is one of the most common and least visible security risks. Employees accumulate access over time as they change roles, join projects, and receive temporary permissions that become permanent. Former employees and contractors may still have active accounts. Without regular reviews, you have no idea who can reach your most sensitive data.

What you want to hear: "We conduct access reviews quarterly. We use role-based access controls. Former employee accounts are immediately disabled after departure. Our last review was [date] and we revoked [number] unnecessary access rights."

Red flag: If access reviews aren't happening regularly, if there's no formal process for offboarding, or if your team can't quickly tell you how many people have administrative access to critical systems, this is an urgent gap.

Key Takeaways

  • You don't need technical expertise. You need the willingness to ask direct questions and expect clear answers.
  • Test, don't assume. Backups and incident response plans are only valuable if they've been tested recently.
  • Create space for honesty. The "biggest unaddressed risk" question only works if your team feels safe giving a candid answer.
  • Compliance is ongoing. A past audit doesn't mean current compliance; stay on top of your requirements.
  • Access management is foundational. Knowing who can access what is the most basic and important security control.

These five questions are adapted from frameworks I cover in much greater depth in Cybersecurity for CEOs, where I provide complete checklists and conversation guides for executives who want to take an active role in their company's security without needing a technical background.

Make these questions a standing agenda item for your quarterly leadership meetings. Connect with me on LinkedIn or reach out through my contact page if you'd like to discuss how to implement a CEO-led security review process.

"Leadership isn't about having all the answers. It's about asking the questions that nobody else will."
