Maybe you have a manager in denial?
I know the feeling -the absence of effective risk controls for data security often start with denial of vulnerabilities. Here is a true story:
…I’m not concerned about data theft. We’ve outsourced our entire IT operation to a big bank’s data center and they’re up to speed on information security. I can always go back to the logs and figure it out if something happens.
Vice President Internal Audit of a private banking institution with $5BN in assets.
Just 2 months later, the “big bank” had a major data theft event. Both banks missed their earnings estimates and took a beating in the market. Today the private institution is trying to break out of their 5 year outsourcing contract.
Moral of the story don’t be a yes-person.