Megan Samford
Podcast Appearances
They're the dead body.
I know that you're going to give me a horrible scenario and I'm going to have to choose between the lesser of two evils.
Sure, so I will also address point number one.
So what I heard there, the Reader's Digest notes was, we uncovered a lot of risk and we're aware of the gaps.
Great, that's every day on the CISO job.
Like this is great that we actually know what the gaps are.
I mean, this almost felt like a softball question because we do this every single day.
So if you've identified all of your gaps, a CISO should never be owning risk, number one.
They are a risk overseer.
So there should be other executives within the company that need to be aware of the risk and they would be responsible for either dispositioning that risk and coming up with a timeline for when remediation and everything else needs to happen, or they need to formally sign their name on the document that they are accepting the risk for a period of time.
And that needs to be time bound, right?
Like we can't perpetually accept risks that are a danger to the company or increasing risk to the board or anything like that.
I think question number one is pretty softball.
We disposition, assign, have people review, sign off on risk, escalate the risk or otherwise come up with a roadmap for how they're going to deal with it every single day.
No one should be stumped by that question whatsoever.
On question number two, with the thing you have going on there with the potential phishing and the mobile apps team, number one, I'm impressed that the CISO was notified quickly.
I'm impressed that people have come to you with this.
Okay.
So we're sitting in this reality again.
Then I would say you need to, number one, determine potential initial impact in that golden hour.