The IT manager at a Letterkenny manufacturing firm did not expect the question. He was three slides into a routine operational update when the managing director leaned forward and asked it directly: "Are we secure?" The room went quiet. The IT manager knew his systems reasonably well. He knew they had Microsoft 365 and that multifactor authentication was partially rolled out. He knew backups ran nightly. But he also knew that no independent test had ever been done, that three staff members still used the same weak password they had set in 2019, and that he had no idea what would actually happen if ransomware hit on a Friday afternoon. What he said was: "We're in a fairly good position." It was not a lie, but it was not an honest answer either. And the board accepted it, which was the bigger problem.
That moment — the polite non-answer accepted by a board that does not know enough to push back — is one of the most common failure points in Irish SME security governance. This post is for the IT managers, CTOs, and operations leads who find themselves in that seat, and who want to be able to give a better answer.
WHAT
The question "Are we secure?" is, technically, unanswerable. Security is not a binary state. What the board is actually asking is: "Are we managing our cyber risk at a level appropriate to our business?" That is a question you can answer — but only if you have the right information to hand.
The honest starting point is to know what you do not know. Most IT managers in Irish SMEs are managing a broad range of responsibilities — infrastructure, helpdesk, software licensing, vendor relationships — while cybersecurity sits somewhere alongside everything else. That does not make them bad at their jobs. It makes them a generalist in a role that increasingly requires specialist input. Acknowledging that gap in a board meeting is not a weakness; it is the beginning of a credible security conversation.
What boards actually need to hear is not a reassurance. They need three things: a current threat picture, a statement of your known controls and their status, and a clear description of your residual risk. Those three elements, presented in plain business language, constitute a credible security update.
When did your business last have an independent review of its cybersecurity controls — and do you have a written summary you could present to your board today? Book a free 20-minute strategy call — we help IT managers and directors build credible security reporting without needing a full-time CISO.
WHAT NOW
The three metrics every Irish board should hear in a security update are: patch status, MFA coverage, and backup verification.
Patch status tells the board whether your systems are up to date. Unpatched systems are the single most common entry point for attackers targeting Irish businesses. You should be able to say, with confidence, what percentage of your devices and servers are running current security patches — and if the answer is anything below 95%, that is a risk worth naming out loud.
MFA coverage tells the board whether your accounts are protected against credential theft. Business email compromise — where an attacker gains access to email accounts and uses them to redirect payments or steal information — is the most financially damaging attack category affecting Irish businesses right now. If MFA is not enabled on every email account and every remote access tool, you have a gap that the board should know about.
Backup verification is the one that gets skipped most often. Many businesses have backups. Far fewer have tested whether those backups actually restore correctly, how long restoration takes, and whether the backup environment itself is isolated from a potential ransomware attack. The board should hear the answer to all three questions.
Beyond these three metrics, a credible security update includes a brief threat picture. You do not need to be a threat intelligence analyst to deliver this. The NCSC Ireland publishes regular guidance for organisations on the current threat landscape, including sector-specific advisories.[^1] Referencing the NCSC's current guidance and connecting it to your business type — manufacturing, professional services, retail — gives the board useful context without requiring you to be an expert on every attack group active in Europe.
If you genuinely do not know the answer to any of these three metrics, say so. Tell the board: "I want to give you an honest picture, and to do that properly I'm recommending we commission an independent security review. I'll bring the findings to the next meeting with a clear remediation plan." That is not a failure. That is exactly what good governance looks like.
WHY IT MATTERS
Under NIS2, which Ireland transposed into national law through the Network and Information Systems Regulations, company directors bear personal responsibility for approving cybersecurity risk management measures. The Garda National Cyber Crime Bureau has confirmed that the volume of cybercrime reports from Irish businesses continues to increase year on year, with ransomware and business email compromise the dominant incident types.[^2]
The Data Protection Commission has also made clear that boards cannot outsource their responsibility for data security to their IT team or their managed service provider. If a breach occurs and the DPC investigates, one of the first questions will be whether the board was receiving regular, substantive security updates — and whether it was acting on them.[^3]
The "fairly good position" answer is not just an uncomfortable moment in a boardroom. In the event of a serious incident, it is the kind of statement that demonstrates governance failure: a board that was not asking the right questions and an IT function that was not providing the right information. Boards in Letterkenny, Galway, Dublin, and every other business centre in Ireland are now expected to understand and engage with cyber risk as they would any other material business risk.
Could you write down, right now, the three biggest cybersecurity risks your business faces and what controls are in place to manage each one? Book a free 20-minute strategy call — we help you build that picture quickly and present it in the language your board can act on.
WHAT NEXT
First, build a one-page security dashboard before your next board meeting. Patch status, MFA coverage, backup verification status — traffic light rated, with a brief note on any amber or red items and what is being done about them. It does not need to be sophisticated. It needs to be honest and consistent.
Second, connect your security posture to business risk, not just technical detail. Boards understand revenue, reputation, and regulation. Frame your security metrics in those terms: "An unpatched server is a potential ransomware entry point, which could result in 48 hours of downtime and a DPC notification obligation." That is a risk the board can evaluate and make decisions about.
Third, if you genuinely cannot answer the three core questions with confidence, commission an independent review. A virtual CISO engagement, an external audit, or even a structured self-assessment against the NCSC Ireland's guidance will give you the foundation you need to report honestly. The goal is not perfection — it is credibility. Boards can manage risk they can see. They cannot manage risk they are never shown.
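To make the one-page dashboard concrete, here is an added Python example (not code from the original post) that takes constructed inventory records for the three metrics and rates each one traffic-light style with a plain-language note. The 95% patch threshold, the "every account" MFA rule and the three backup questions come from the post; the exact AMBER/RED cut-offs and the field names are assumptions flagged in the comments.

```python
from dataclasses import dataclass

# Constructed sample data for this example; field names are assumptions.
DEVICES = [("fs01", True), ("erp01", False)] + [(f"ws-{n:03}", True) for n in range(1, 11)]
ACCOUNTS = [  # (user, service, mfa_enabled): email and remote access, per the post
    ("m.doherty", "email", True), ("s.gallagher", "email", True),
    ("finance-shared", "email", False), ("vpn-admin", "remote-access", True),
]
BACKUP = {"restore_tested": True, "restore_hours": 6, "isolated": False}


@dataclass
class Rating:
    status: str  # GREEN / AMBER / RED
    note: str    # the one-line plain-language note for the board


def rate_patching(devices):
    """GREEN at 95% or better (the post's figure); AMBER below that; RED below 80% (assumed cut-off)."""
    pct = 100 * sum(ok for _, ok in devices) / len(devices)
    stale = [host for host, ok in devices if not ok]
    status = "GREEN" if pct >= 95 else "AMBER" if pct >= 80 else "RED"
    return Rating(status, f"{pct:.0f}% of {len(devices)} systems on current patches; "
                          f"unpatched: {', '.join(stale) or 'none'}")


def rate_mfa(accounts):
    """The post treats any email or remote-access account without MFA as a gap, so one gap is RED."""
    gaps = [f"{user} ({svc})" for user, svc, mfa in accounts if not mfa]
    pct = 100 * (len(accounts) - len(gaps)) / len(accounts)
    status = "GREEN" if not gaps else "RED"
    return Rating(status, f"{pct:.0f}% MFA coverage; accounts without MFA: {', '.join(gaps) or 'none'}")


def rate_backup(b):
    """All three questions (restores tested, restore time known, backups isolated) must be answered."""
    if not b["restore_tested"]:
        return Rating("RED", "Backups exist but a restore has never been tested")
    if b["restore_hours"] is None or not b["isolated"]:
        return Rating("AMBER", f"Restore tested ({b['restore_hours']} h); "
                               f"backup store isolated from ransomware: {'yes' if b['isolated'] else 'no'}")
    return Rating("GREEN", f"Restore tested ({b['restore_hours']} h) and backup store isolated")


def dashboard(devices, accounts, backup):
    return {"Patch status": rate_patching(devices), "MFA coverage": rate_mfa(accounts),
            "Backup verification": rate_backup(backup)}


def render(dash):
    return "\n".join(f"[{r.status}] {name}: {r.note}" for name, r in dash.items())


if __name__ == "__main__":
    print(render(dashboard(DEVICES, ACCOUNTS, BACKUP)))
```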
Related Reading
- Board-Level Cyber Risk Questions for Irish SMEs
- 10 Questions Every Irish Director Should Ask Their IT Team About Cybersecurity
- Director Liability Under NIS2 and GDPR: A Briefing for Irish Company Directors
[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission — Ireland: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.