"To be successful in managing information risks, IT directors need to translate technical risks into business risks, and to integrate those into the organisation's overall compliance strategy. It is what the really senior people in business are saying is their priority. If you want the money to invest in things, you need to talk the language that is in their agenda," he said.
The Department of Trade & Industry's E-Crime and Security Survey last year, for example, found that 75% of companies rated security as a high priority but only 25% were investing in security at levels in line with best practice.
Potter said 88% of chief executives view effective governance, risk management and compliance as a "value driver" for their business and a source of competitive advantage.
This means not only meeting the demands of Sarbanes-Oxley and similar regulations, but also ensuring they are managing risks to the business, including those to reputation, financial loss, and health and safety.
Potter advised IT directors to talk about security in terms of return on investment. This can be difficult, but too few IT departments try to do so, he said.
IT directors need to "press the right buttons" with chief executives if they are going to win approval for their projects. This means translating technical issues into a language business specialists can understand.