How IT Professionals Approach Security Risk

Security is one of those things that all companies say they know is important. Systems need to be protected. Business operations need to understand the risks and make decisions based on the risks they feel they can bear. As noted in a previous PCIS post, Outsourcing Security for Companies of All Shapes and Sizes, whether or not that translates into making security a real priority depends on the team of stakeholders in charge of deploying it.
I had the chance to speak with a number of people responsible for the IT aspect of security in their organization and got some pretty diverse answers. For confidentiality, I have altered the names of my contacts.
"Bruce", IT director: "I recognize the risks of not conducting a web application assessment or code review prior to production, but our main priority is to get the application up. Development has already been delayed. In an ideal world, I would do this prior. Once the site is open to the public eye, I would have a better case. Your assessment will provide me with the concrete evidence I need to justify to myself and my executive team the need for security enhancements, which I can take back to my developers to complete. Fortunately, there hasn't been a serious issue before."
This organization is very proactive about its security: we helped them benchmark their IT security posture, and they created a response process and document to take it a step further. As with anything else, there is always the challenge of managing time, budget and risk. So for this IT manager, the calculated risk of exposing his site enables him to meet deadlines. As well, testing his live site gives him hard evidence, something more tangible to take to his executive team.
Later in the day, I spoke with Ethan, a security and risk governance evangelist who also shared his challenge of getting team buy-in. Again, the main pressure on IT and development is to get their applications and features up to support functionality for their large customer population.
"Ethan", IT Governance: "Security is critical to our business! We cannot afford loss in consumer trust or confidence. Remember, I am on the governance side, so I know what's at stake."
I could hear both excitement and frustration. Ethan is one of those guys trying to implement change. He continues:
"Ethan", IT Governance: "I am ashamed to admit that our applications are released into production in this state. I am trying to build more rigor into our SDLC, but this will take time and education. I am trying to figure out the best way to introduce these concepts to our development team, who are under deadlines."
Actually, Ethan's organization takes security extremely seriously. They regularly conduct vulnerability assessments, penetration tests, and code reviews. Ethan is looking to improve his system by making sure that this happens before every code review, platform change, or application change to the environment. Aside from his internal team of security staff, Ethan regularly works with more than one third-party assessor to ensure greater checks and balances.
Like any other IT initiative, managing IT security is an evolving work in progress.