I was the corporate technology representative for an information risk committee meeting attended by senior level executives from finance, HR, legal, physical security, internal audit and our external auditors. External audit conveyed that they needed to brief the board on the potential cybersecurity threat. The problem was if this was conveyed before we had some response, all it would do is create concern and a probable fire drill approach that would not be productive.
Questions were raised around how to best convey our overall corporate cybersecurity status as well as across each division.