
Regulatory compliance issues and concern over data compromises have brought information security issues to the forefront in corporate boardrooms, according to a panel of I.T. security managers at the Computer Security Institute.
That trend is forcing security managers to adopt a more business-oriented approach to creating security strategies.
Selling management on the need for information security has become easier for I.T. managers because of privacy threats, data piracy and other issues, said Terri Curran, director of information security at Framingham, Mass.-based Bose Corp. "In a sense, the road has been paved more for us. Management knows they've got to have security."
However, security managers often tend to better understand technology issues than they do risk management topics, said Jack Jones, chief information security officer at Nationwide Mutual Insurance Co. in Columbus, Ohio. As a result, their efforts are often misaligned with business goals, he said.
"Perfect security is not achievable," Jones said. "At the end of the day, [the security function] is about managing the frequency and magnitude of loss."
That goal requires that security managers do a better job of putting technology issues into a business context, Jones said. That's a significant challenge for security officers, he added.
Increasingly, corporate security goals aren't about information security but about information assurance, which deals with issues like data availability and integrity, said Jane Scott-Norris, chief information security officer (CISO) at the U.S. Department of State. Thus, organizations should focus on risk management as well as risk avoidance. "You have to be able to evaluate risks and articulate them in business terms," Scott-Norris said.
Jennifer Bayuk, CISO at New York-based Bear, Stearns & Co., said that it's also important for security managers to demonstrate their value to an organization, especially because security is often seen as a cost center offering little return on investment.
"If you can't demonstrate what you are doing, it doesn't count," Bayuk said.
Looking ahead, Bayuk predicted that CISOs will have two distinct career paths: a technology-focused position that reports to the CIO, and a business-focused role that works with chief risk officers.
© 2006 Computerworld. All rights reserved.
© 2006 CIO Today. All rights reserved.