Wherever you go and whatever you read these days, it's hard to escape security professionals and pundits who preach that information security and risk management are business enablers. That's certainly true. But we have to put it in perspective.
Such benefits help support the business case for security, and it's always helpful to communicate the subject in business terms. But let's get real. No business in its right mind would invest in security purely for the business benefits. There are many other, far more powerful business enablers than security (more advertising, a bigger sales force, or better customer relationship management, for instance). And risk management is used primarily to lend credibility to decisions rather than to lead them.
Security and risk management are driven exclusively by incidents and, as a consequence, by compliance and citizen concern. Addressing the latter two drivers requires a focus on how your security capability is perceived rather than on its actual state, because when you're truly secure, nobody ever notices. That's the reality of information security.