CCISO guidance stresses that board-level metrics must be high-level, risk-focused, and business-relevant. Reporting critical and high vulnerabilities in production environments communicates exposure without overwhelming technical detail.
Boards are concerned with material risk, not asset-level findings. Therefore, option C is correct.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit