
Showing posts from June, 2015

What does the board of management want to see in your slides?

"It might sound like hate speech, but believe me, Top Management doesn't care about security, disaster recovery, compliance, project management and a lot of other domains that you fantasize about. The Board only cares about RISK." The National Association of Corporate Directors was founded in 1977 with the goal of educating directors. What it tells boards can be read as what the board really needs you to put in your slides. The Board wants you to: talk about enterprise-wide risk management issues rather than just IT issues; talk about the legal implications of cyber risk as they relate to their company's specific circumstances; talk about risk avoidance, acceptance, and transfer. They are basically interested in knowing how much risk we are taking compared to others, and your confidence factor in your analysis. They want some metrics to use as references. Also, the Board wants your security metrics to be thorough and to represent your entire landscape...