Risk management is a well-known concept in most companies today. And it works, partly. The problem is that we do not speak the same language, and by "we" I mean the business people and the information security/IT people. That is totally acceptable, since we have different tasks to achieve in the company. However, we have reached a point where we lose an immense number of opportunities, in either business deals or security improvements.
In today's interconnected world of harsh competition, both are equally important. I've been researching this topic for a few months and unfortunately I cannot draw a simple conclusion. If there is one overall conclusion, it is that there is no top-down approach. Boards and management do not care: they don't bother to understand technology, and the IT and security whiz kids do not bother to understand the business they support.
A survey done by Tripwire showed that around 60% of the respondents believe that risk-based security management helps align security with business objectives. But around 45% of the same respondents feel that there is little involvement from their organisation in aligning risk-based security with business objectives.
It seems that there is will but no support; on the top management side we could speak of the knowing-doing gap. These people, and this counts for government too, know that they need to do something about it, but for some reason they don't. They prefer to sit in the dark and wait, hoping the drifting ship will come back on course by itself.
It will not. If you do not steer your government or your company, you are left hopelessly insecure.