What Boards and CXOs Should Be Asking Their Security Teams in 2026

I’ve spent over two decades in security, starting as an engineer when “cybersecurity” wasn’t even a mainstream term, and eventually serving as CISO at Twitter, Rubrik, and BILL. I’ve sat in board meetings and been on the other side of the table.

Rinki Sethi
Chief Security & Strategy Officer
Upwind Security

So, when I say boards and CXOs are asking the wrong security questions, I mean it with urgency. Most of the questions I hear are backward-looking. They’re about compliance posture, audit findings, and whether we passed our latest penetration test. These matter. But in 2026, they’re table stakes. They don’t tell you whether you’re actually secure.

This year, the threat landscape has fundamentally shifted. AI is giving attackers startup-scale speed and creativity. Cloud environments are growing more complex. And the systems running your business are increasingly autonomous. If your conversations haven’t evolved to match this new reality, you have a meaningful blind spot.

Here are the questions I believe we should be asking security teams right now.

Are we securing what’s actually running, or just what we’ve configured?

Runtime tells you what is actually happening inside your environment, in real time.

The question isn’t whether your configurations look right. It’s whether your team can see and respond to threats as they materialize, not hours later.

Ask your security leader: What visibility do we have at runtime? When an attacker begins moving laterally inside our cloud environment, how fast do we know?

How are we governing identity end to end?

Identity is the new perimeter. Once an attacker has a valid identity, they bypass most of your endpoint defenses. They walk in through the front door.

Compromised identities are the attacker’s shortcut to privilege. Most organizations can’t tell you how many non-human identities they have, let alone whether they’re properly scoped and monitored.

Ask your security leader: Do we have a complete picture of every identity in our environment, human and machine? And when a credential is compromised, how fast can we detect and contain it?

How is AI changing our threat exposure and our defense?

AI is both the most significant risk amplifier and the most powerful defensive tool we’ve ever had.

On the offense side: attackers are operating at startup scale and speed. The barrier to launching a sophisticated attack has never been lower.

On the defense side: AI is enabling contextual detection. It lets us surface combinations of risk that, together, tell a very different story. A risky identity, plus a vulnerable workload, plus an exposed secret: that’s an active threat. That’s the kind of insight that drives immediate action.

Ask your security team: How are we using AI in our security operations? Are we reducing alert fatigue and improving response time? And critically: what is our exposure to AI-powered attacks?

Are we treating security as a business enabler, or a compliance function?

In too many organizations, the security function is still operating in reactive mode: responding to incidents, managing audits, checking boxes.

The CISOs who are winning in 2026 are the ones who have embedded themselves in the business. They’re sitting with product teams when new services are designed. They’re at the table when AI initiatives are scoped. They understand the business objectives deeply enough to make security decisions that enable growth rather than block it.

Ask your security leader: Where are you in the product development lifecycle? Are you being brought in early enough to shape decisions, or are you being asked to secure choices that have already been made?

What’s our resilience posture, not just our prevention posture?

Security incidents are inevitable. What separates organizations isn’t whether they get hit; it’s how they respond.

Most conversations about security are focused on prevention. But resilience, the ability to detect quickly, contain damage, recover rapidly, and communicate clearly, is equally important.

Having teams with diverse backgrounds and experiences matters when time is critical. Someone’s unique knowledge can be the difference between containing something quickly and watching it escalate.

Ask your security leader to walk you through your incident response playbook, with a real scenario. How long does detection take? What’s the communication chain? What decisions require board involvement, and when?

A Final Word

I became a security practitioner because I genuinely believe that done right, security unlocks possibility. It’s what lets organizations move fast with confidence. It’s what preserves customer trust when the stakes are highest. It’s what gives boards and executives the information they need to make good decisions.

That vision becomes reality when leadership is engaged, curious, and asking the right questions. Compliance isn’t security. Dashboards aren’t awareness. And a security budget isn’t a strategy.

The questions above are a starting point for the kind of dialogue that actually moves the needle. Your CISO wants to have this conversation. Give them the space to have it honestly.

Authored by Rinki Sethi, Chief Security & Strategy Officer, Upwind Security
