Management doesn't care about info security – it cares about risk

Unfortunately, good information security risk decisions are often impacted by the following problems:

Decisions are made, without visibility into the risk, and sufficient understanding of the business context in which the risk is (or is not) relevant.

Often, technology is acquired to enable a single business initiative without knowledge of the business’s entire risk portfolio, risk tolerance, liability, and business goals. As a result, financial and operational resources are poorly allocated, with less important business assets and processes receiving too much investment and those that are more critical receiving too little.

Speed to Market, Innovation and Competitive Advantage are what is driving business today. Having a seat at the table with objective and quantitative information shifts the information security focus from deploying reactive point products to defining strategies that will enable the business strategically and securely.

Technologists must integrate a new language into their vocabulary to communicate complete, clear, unbiased and useful information about threats and available mitigations.