3. Chief Risk Officer
Heavily regulated organizations employ a chief risk officer, who often has more business acumen than IT security background. Chief risk officers want to hear ways to assess how well the organization's program is meeting its compliance mandates. They are often an important advocate for the information security program and its funding, according to Wong. Metrics showing which controls have been tested and what percentage of them failed are often the most meaningful, Wong said. Pay attention to newly released requirements or updates that may affect the organization's ability to meet the mandate, Wong added.