Selling security to management has become easier because of issues such as privacy threats and data piracy, said Terri Curran director of information security at Framingham, Mass.-based Bose Corp. "In a sense the road has been paved more for us" by such issues, she said. "Management knows they've got to have security."

The problem is that security managers often tend to understand technology issues better than they understand risk management, said Jack Jones, chief information security officer at Nationwide Mutual Insurance Co. in Columbus, Ohio. As a result there often is a misalignment with business goals, he said.

"Perfect security is not achievable," Jones said. "At the end of the day, [the security function] is about managing the frequency and magnitude of loss."

Being able to do that requires security managers to do a better job of taking technology issues and putting them in a business context, he said. "That's a significant problem for us," he said. "As long as we have a misalignment between the two, we have a challenge."

Increasingly, the goal isn't about information security but about information assurance, which deals with issues such as data availability and integrity, said Jane Scott-Norris, CISO at the U.S. State Department. That means organizations should focus not only on risk avoidance but also on risk management, she said. "You have to be able to evaluate risks and articulate them in business terms," Scott-Norris said.