Governing in a Digital World: Curiosity, Questions and Cyber Security
Reflections on governance, risk and how boards build assurance in a digital environment
Cyber security can sometimes feel like a technical domain — full of acronyms, systems and specialist language that sits just beyond the comfort zone of many boards.
But at its heart, cyber security is not just a technical issue. It is also a governance issue, because the risks it presents — operational disruption, financial loss, reputational damage and impact on service users — sit squarely within the fiduciary responsibilities of trustees and non-executive directors.
The National Cyber Security Centre's Cyber Security Toolkit for Boards offers a helpful reframing: boards do not need to become technical experts. Instead, they need to be curious, confident and purposeful in the questions they ask.
Curiosity, questioning and governance
As explored in earlier reflections, curiosity is often the starting point for effective governance. It becomes most valuable when expressed through thoughtful, sometimes bold questioning — not questioning for its own sake, but questioning that seeks to understand:
What really matters
What could go wrong
What is changing around us
What the future might hold
Cyber security is a domain where this mindset is particularly important. The risks are often unseen, fast-moving and continually evolving. Waiting for certainty can mean responding too late, which highlights the importance of proactive rather than reactive governance.
Looking to the horizon, not just the dashboard
At a time when missions such as the Artemis program are quite literally expanding our horizons, boards are also being asked to look further ahead, anticipating risks that may not yet be visible.
Boards are often presented with reports that describe the current position:
Compliance metrics
System performance
Incident logs
These are clearly important. But governance also requires something more — the ability to look beyond the immediate picture and towards the horizon.
A curious and questioning board might ask:
What emerging risks should we be aware of, and how might these affect our organisation?
How is our operating environment changing, and how fit for purpose is our governance in response?
What might challenge our current assumptions, and how prepared are we for potential disruption?
In cyber security, this forward-looking perspective is essential. Threats evolve quickly, and yesterday’s assurance may not be sufficient for tomorrow’s reality.
From technical complexity to governance clarity
One of the strengths of the NCSC toolkit is that it translates cyber security into governance language, structured around questions rather than technical solutions.
This enables boards to engage not as specialists, but as governors. Their role is not to manage systems, but to ensure that:
Risks are understood
Controls are proportionate
Accountability is clear
Oversight is evidence-based
Curiosity, expressed through questioning, is what allows boards to bridge the gap between complexity and oversight.
From reassurance to assurance
Boards will often receive reassurance in relation to cyber security:
“We have appropriate systems in place.”
“We are compliant with requirements.”
“There have been no significant incidents.”
These statements are helpful — but on their own, they are not enough.
As explored in Governance in Orbit: Turning Visits into Assurance, effective governance requires boards to move beyond reassurance and towards assurance, and in doing so to understand not just what is reported, but what is happening in practice.
In the context of cyber security, this may include understanding:
How systems operate in practice
What evidence underpins reported confidence
How resilience has been tested
What would happen under pressure
This is where curiosity and questioning become critical. They enable boards not just to receive information, but to understand and gain confidence in it.
Curiosity in practice: what assurance looks like
In practical terms, assurance does not require technical expertise — but it does require thoughtful engagement.
For example, boards might look for:
Evidence of testing
Has the organisation undertaken cyber incident simulations or exercises? What was learned?
Independent validation
Are external audits, certifications or reviews in place to provide objective insight? How well does the board understand the integrity of this validation?
Clarity of reporting
Are risks clearly articulated, with trends over time rather than one-off snapshots?
Visible accountability
Is there clear executive ownership, and does reporting enable meaningful board oversight?
Connection to wider governance
Is cyber risk integrated into business continuity planning, risk registers and strategic discussions?
Learning from experience
How are near misses or incidents used to strengthen practice?
Learning from others’ experience
How is external intelligence used to strengthen the organisation’s approach?
Together, these create a more complete picture, enabling boards to move from relying on statements to forming their own informed judgement.
Curiosity in practice: asking the right questions
The NCSC toolkit provides a helpful structure for this, centred on key governance questions:
Do we understand our critical assets?
Do we understand our vulnerabilities?
Do we have clear accountability?
Are we prepared to respond to an incident?
How do we build a security-conscious culture?
These are not technical questions. They are governance questions grounded in curiosity, clarity and accountability.
From curiosity to proactive governance
Curiosity and questioning should not only help boards understand the present — they should also enable boards to act ahead of events.
Too often, organisations strengthen their approach to cyber security after an incident. Good governance seeks to do this before — taking a proactive rather than reactive approach.
This may involve:
Anticipating potential risks
Testing assumptions
Investing in resilience early
Creating space for forward-looking discussion
In this way, curiosity becomes a driver of proactive governance, rather than reactive response.
Balancing confidence and challenge
Being curious and asking questions does not mean creating tension or mistrust. At its best, it reflects a board that is engaged, thoughtful and willing to explore complexity.
At times, it may also require a degree of quiet boldness:
To ask the question that has not yet been asked
To look beyond the comfort of reassurance
To explore what may lie ahead
This is not about disruption — it is about stewardship.
Embedding this approach into everyday governance
Cyber security does not sit apart from governance — it forms part of how governance is exercised. A board that values curiosity and questioning will naturally integrate cyber considerations into:
Risk and assurance discussions
Audit and compliance processes
Strategic planning
Culture and behaviour conversations
Over time, this supports a governance approach that is inquisitive, forward-looking, proportionate and resilient.
And finally…
The NCSC toolkit does not ask boards to become cyber specialists. It asks something more practical — and more powerful. It asks boards to be curious enough to ask, confident enough to question and diligent enough to seek assurance.
Because in a digital world, governance cannot rely on reassurance alone.
The role of the board remains clear — to look beyond the immediate, to understand what sits behind the answers and to ensure the organisation is prepared — not just for today, but for what may come next.
Reference
National Cyber Security Centre (NCSC). Cyber Security Toolkit for Boards. Available at: https://www.ncsc.gov.uk/collection/board-toolkit
This blog forms part of a wider series exploring practical governance — from curiosity and connection to assurance and continuous improvement.