You are in charge of IT assets for a company. You are attending a meeting with your management to address questions and concerns around security for the organization. You are the featured presenter at the meeting. The meeting starts in a somewhat unstructured fashion and you are presented with the following questions.
a) We have never had an attack. Why are you so concerned now?
b) How would we determine what assets we have, what needs to be protected, and how to protect them?
c) I have heard we need a written security policy. Why would we need a written policy? How often would we need to revise it? Who in the organization would need to be involved in this process?
d) What is the difference between an insider attack and an outsider attack?
o What is this defense in depth approach to security that we keep hearing about?