While corporate boardrooms are taking IT risk management more seriously, there is a serious gap in what they know about how to implement a stronger risk management plan. As this article on Help Net Security points out, boards don't see how IT touches all elements of the business and how that can make the risk management plan unique in different areas of the company. Citing a Carnegie Mellon report, however, the article notes that not all news was bad:

A positive sign from the survey is the importance that boards are placing on IT and security/risk expertise in board recruitment as respondents ranked it very important or more important. Risk and security expertise was even more encouraging with 64 percent of the respondents indicating that it was very important or important. Improvements are also occurring at the organizational level in the increased number of organizations with Board Risk Committees and cross-organizational teams that manage privacy and security risks within the organization.

The article goes on to indicate that the financial sector shows the greatest level of attention to IT risk management in the boardroom, and that 57% of respondents are failing to analyze how well they can handle cyber-attacks on user or proprietary data.