Audit committees are increasingly asking for (or trying to comply with a regulatory requirement) that the information security officer or IT executive appear before them. Think of it as preparing as you would for a job interview. Members are looking for clear assurances yes or no – that the practices used by management shields the business from successful attacks (and lawsuits) Full assurance is impossible due to various factors including multiple threat scenarios, ability of individuals to circumvent or ignore recommended practices, cost-benefit considerations, and the significant number of vulnerabilities.”]