This finding points to a surprising lack of alignment between the expectations of C-level management and the priorities of security professionals. And while the need to link IT security strategies directly to business goals is a widely-recognized imperative, only 21 percent of respondents believe their organisations have successfully made the transition to an approach that is proactive and business-aligned, and enables rather than impedes innovation.
Security leaders call for a new approach to risk management
The "Mastering the Risk/Reward Equation: Optimizing Information Risks to Maximize Business Innovation Rewards" survey explores why legacy methods of evaluating information security risk don't work in today's connected world, in which any new business innovation inherently carries some level of risk to information.
In this landscape, the security focus must move from solely mitigating risk to also maximising business reward. Based on the collective best practices of these leading security executives, the report offers a blueprint for making risk/reward calculations that help drive business value, and ensure they are executed and governed for enterprise success.
Bill Boni, Corporate Vice President, Information Security and Protection, Motorola, said: "Ultimately, the biggest risk any company faces isn't that a particular piece of information is compromised or a particular platform is disabled, it's that the company will fail to meet customer expectations. To achieve business advantage, companies must take calculated risks and rely on security measures that allow them to be both adaptive and responsive."
As a critical starting point, the Council report recommends some key shifts in organisational thinking and behaviour including:
Move the security team's focus from "Information Security" to "Information Risk Management" to signal that the goal is to achieve an acceptable level of risk;
Use a cross-organizational approach to understand and formalise the enterprise's risk appetite;
Build a risk assumption model to delineate where and with whom risk decision responsibilities lie; and
Create a repeatable, step-by-step process for making risk/reward calculations for new business initiatives and ensure it is rolled out across the organisation.
Copyright © CyberMedia India Online Ltd. All rights reserved. Usage of content from web site is subject to Terms and Conditions.