Mike Rothman is right:
I'm here at the Security Standard conference and I'm seeing the pendulum starting to swing back. What pendulum? The pendulum that swings like a metronome between security as a defense and security as an enabler...
I'll make it very, very clear. Security is not a business enabler. It is a cost of doing business. You cannot do new things because of security. You do open up new revenue streams and add value to customers via new applications that reflect new (or updated) business processes. It may be ill-advised to put these new business processes on the web without adequate security, but you CAN do it.
In extreme cases of incredible negligence or outright stupidity, a business may deploy an exceptionally insecure application or business process that must be shut down due to overwhelming fraud and theft. Barring those circumstances, however, I agree that businesses are willing to "put these new business processes on the web without adequate security" and suck up some level of "acceptable loss."
Richard Stiennon agrees:
My perspective is that treating IT security like a business process is like treating a tactical military strike force as a business. While maintaining the capability of military forces could be a process open for improvement by applying some business discipline, actually fighting battles and overcoming opposing forces does not have much of the "business process" about it. Security is much more akin to fighting a battle than it is to "aligning business objectives".
Hopefully someone at this conference will address security as a cost, like insurance or legal teams.