That's 'obvious' from my perspective as an experienced information risk and security professional, anyway. Your perspective probably differs. You may look at things from a slightly or dramatically different angle - and that's fine. I see these as interesting and stimulating complementary approaches, not alternatives.
Compliance, for instance, is a strong driver in some cultures and organisations. Quality, efficiency and effectiveness drive others. Some seek to apply good practices, joining the pack. Customer-centric businesses naturally focus on customer satisfaction, brand values, loyalty etc. Startups are concerned to grow rapidly, hence anything that is or might become a barrier is a target. Government organisations, charities, professional services organisations, utilities, schools, assorted industries etc. all have their own focal points and concerns. Profits are clearly important for commercial organisations, but there are other financial measures too - and indeed many other things to measure. Information risk and security is incidental or supportive for most of them, enabling for some and essential for a select few whose business is information security, or the enlightened (as I like to call them).
So, in your own situation, consider the business perspective. What does management want/expect out of information security? Along with what they do not want or expect to avoid, these are worthwhile aspects to explore.
For answers, study your organisation's mission statement, values, strategic objectives, its marketing and promotional activities etc. for clues about aspects that involve, build upon or demand information security.
Then think carefully about all the humdrum routine operational things that also
depend on information security. Controls are implicit for financial accounting and IT, for instance. Engineering utterly depends on information integrity, and trust is a major part of almost everything. For a long time, information security has been an endemic part of business, and indeed life (check out the amazing range of sounds, smells and gestures in nature, the mimics and warning colours, the chemical messenging that pre-dates IT and the Internet by, oooh, two or three billion years).
Look towards the top of your corporate risk register for
massive hints about what most worries the execs ... and if there isn't a risk register, or if it is inaccurate, incomplete, out-of-date, biased or generally shoddy, that also tells you something about attitudes and expertise in this area - as well as being a clear opportunity for improvement.
Compare departmental budgets and project funding. What is management actively supporting at the moment and lately? How have business priorities changed over the past year or more? Which areas of the business are under the most pressure, and why?
If you can, study the exec management team and board of directors' meeting agendas for the past few months. Better still, ask those who were there about what's hot.
Step way back to contemplate what kinds of
corporate information and processes are of most value (what's critical) and what is most
vulnerable or under threat. For a healthcare company, guess what: it's probably health-related data. For a media company, maybe topical news stories and data used for historical research. Intellectual property is likely to be high on a list of information assets for creative, innovative organisations. Critical national infrastructure organisations focus on doing whatever it takes to 'keep the lights on'. Professional services companies value their knowledge, expertise, capabilities and client relations ... and so forth.
Most of all, discuss this with your colleagues and managers to validate your thinking, pick up additional pointers and garner their involvement, understanding and support. This is not a solo exercise! Risk, legal/compliance, IT, HR, health and safety and audit functions all have people who care and know about this stuff, so pick their brains to paint a better, more realistic landscape. Managers at different levels have differing outlooks and horizons ... and if they struggle to even understand the questions, let alone offering coherent answers, then you have another improvement opportunity in raising risk and security awareness.
If you're with me so far, here's a free bonus: once you figure what really drives the
organisation (or rather, its management) in the information security realm, you also
have the basis to develop an awesomely powerful suite of information risk and security metrics. Measuring 'the
stuff that really matters' trumps all other approaches, in my book. If a
given metric supports, enables or is required to achieve business objectives, disregarding it
could be career-limiting for those who have no interest or concern in this area. At the same time, key metrics showing adverse trends are a clear call-to-action and cannot be ignored. No time to waste!