The CEO of a holding company shared a shocking risk assessment experience with an IT auditor. The assessment process was a negative experience for the firm. The IT infrastructure was the focus of the assessment. The business processes which this infrastructure supported received little to no attention. The assessment team recommended changes in business practices based solely on their study of the infrastructure. In the end, the risk assessment was rejected. Worst of all, this negative experience influenced the view of management related to security consultants. The failure of one consulting firm infected the perspective of an entire organization.”]
Source: https://www.csoonline.com/article/2137058/a-ceo-s-tale-of-disappointment.html