How and why do boards get a distorted picture of their organisations' ability to protect themselves against cyber-related risks? This is the question addressed in the report "The Risky Six: Key questions to expose gaps in board understanding of organisational cyber resiliency" by IIA and EY.
They identified a total of 6 key questions which, if not answered, indicate a gap. If one of the questions is answered with "no", the report shows how easily boards can develop false confidence. If, on the other hand, all questions are answered with "yes", the report is well received by stakeholders inside and outside the organisation.
The first question, for example, is: "Has your organisation conducted a recent enterprise-wide cyber risk assessment?"
All questions and their explanations can be found here.