The need for a unified strategy will grow more urgent. From a corporate risk management perspective, IT security is not just for keeping viruses, hackers and crooks at bay; it’s also critical in order to stay compliant with regulations, avoid litigation and indictment, and prevent escalating insurance premiums.
But if IT security isn't integrated into an enterprise risk management strategy, CIOs and CSOs are less likely to consider the entire risk picture when they develop an IT security strategy. As a result, fundamental questions, such as how much risk the organization is willing to accept, get overlooked. Integrating security and risk strategy won't happen overnight. It is too large a shift in how security is understood for that, and it requires a change not just in security policy but in security governance. It will happen over time, though.