- If you are managing risk well, is the additional cost to reduce risk is necessary?
- Knowing and tracking your risks, and the controls you're going to put them in place to manage them.
- Effective approaches to "tell the story" of the success of your information security activities?
