Eight steps to risk-oriented security
Security risks are rising in the enterprise, and so is the need to present a united front in managing those risks. More than ever before, IT executives must be able to express to the business the value in security spending, writes Erik Bataller, a senior security consultant with the risk management consultancy Neohapsis.
Putting a dollar value on security measures is inherently difficult, but it has been shown that organizations that are better at managing risk have better financial performance than those that are not, Bataller writes in a long post at InformationWeek. To succeed at risk management, a company needs an overall strategy in place. Bataller outlines eight steps toward creating a thorough, risk-oriented approach to security.
Typically, organizations experience a recurring set of complaints before moving toward a risk-oriented strategy, Bataller writes: failures in communication, turf wars and power struggles. In particular, a lot of time can be wasted when the security, compliance and operations groups battle for power and dollars.
"[W]e often see information security and compliance positioned in a manner that virtually guarantees conflicts of interest, and as physical and logical security continue to merge--for example, as badges and computer credentials are linked--there are bound to be questions of who's responsible for what," he writes.
To start changing this unproductive dynamic, Bataller suggests that IT executives, as they shift away from a tactical security approach, broaden their scope to encompass not only information and technology risk but also compliance and operational risk.
For more:
- see Erik Bataller's post at InformationWeek