Security vs Risk vs Privacy: Who Leads the Charge?

The group noted that they had a complete mix of different industries represented. The speaker was from higher education, and other attendees at the table came from financial services, healthcare, and the insurance industry. This variety of verticals also gave them a broad spectrum of approaches to discuss the issue. The group spent a lot of time discussing risk, privacy, and security and also touched on IT operations. Privacy, especially in some of the major financial and insurance fields, is more often handled by the chief privacy officers and the legal side, but they also feed into the risk function. The group viewed the risk function as the group that oversees the controls and makes sure that communication flows up to the board level as well as down to the security and IT side. They looked at risk as the second line of defense, whereas the security officers and the IT organization combined are more akin to the first line of defense. They are the day-to-day folks responsible for implementing the security controls and maintaining them. A major responsibility for the risk function is to explain the consequences if you don’t implement the controls: “What’s the risk, what can go wrong?” Their goal is often to provide motivation as well as incentives for the IT organization and the security department to make sure those controls are in place and continuously operational.