Nothing focuses the mind more than being asked to prepare an updated report for the board. Can we report that previously reported risks have been reduced? Certainly we can, because that’s what we’re working on day by day. The difficulty comes in putting across the message that the threat environment is changing – probably more rapidly than ever. This means that some risks are increasing and new ones are emerging. It is also the case that we’re as vulnerable today to some risks as we were six months ago, but the potential impact has changed.
I recently worked through a security project plan with a business manager. He was very happy to see some ticks next to milestones showing that the particular tasks were complete, and assumed that no further work would be required on the subject. Sorry to disappoint, but it ain’t over yet!