What executives need in order to make educated IT risk decisions is security pros who understand both the technology and the nature of the business and industry they're in.
"Executives want you to gear yourself as being as responsible for the business just as much as they are. And they want you to sit down and in a collaborative way figure out how to get better security without interfering with business objectives," he says.
5. Shift increasingly to data-based decision making
The final fix is moving from making gut decisions, working off of checklists, and blindly following best practices to more data-driven decisions. "What we are doing is playing whack-a-mole. We find the things that we are bad at (or cause breaches) and we fix it," says Jay Jacobs, vice president at the Society of Information Risk Analysts.
"The problem is that there's always something else that comes next. And the adversary is intelligent and can adapt, so they just move on [to the next vulnerability]," Jacobs says. "I think what really would be a dramatic improvement is if we start using the home field advantage that we have and start to collect the data in our environment and make sense of it," Jacobs adds.
That means better log analysis, more spending on big data security analytics, and better anomaly detection. This can give researchers faster insight into the things that need to be investigated. "I think adopting that technology would be a dramatic improvement. Unfortunately it's a pretty steep hill to climb for most organizations," he says.