It is not that the boardroom does not understand risk - they live and breathe risk on a daily basis. What the boardroom does not understand is mitigation of risk when it comes to information technology. The lack of a serious security event simply reinforces their instinctual notion that risk associated with information systems can be controlled, not just mitigated, and that controlling "costs" is paramount when it comes to non-revenue generating expenditures (otherwise known to IT and compliance departments as "resources"). What the boardroom needs to understand from past experience is that sometimes their data was safe only because they had a first-rate security team with lots of support from management, and sometimes their data was safe simply because no one tried hard enough to get it.

**Hidden Content: Check the thread to see hidden data.**