Depending on the size of the organization, the person who has the most impact on driving security advancement could be a C-level or board member, but non-executive administrators, and sometimes the one-man IT/security show, are the people paving the path.

Whoever it is, every business needs someone who makes security not only a line item on the budget but also a part of the overall culture. More often than not, though, organizations prioritize security for one of two reasons.

Josh Feinblum, vice president of information security at Rapid7, said, "Companies that care about security have either a progressive leadership team that believes it is important, or it is a company that has gone through a major event."

That's why in many situations it is not any one person that has an impact so much as one event. While most executives hope that the tide is changing, "The current state is more reactive," said Feinblum.

There are certainly companies focusing on security absent any catastrophe or regulatory driver, but, he continued, "It is frequently because they have other companies demanding it."

As a result, it is more common that a security team has been advocating for some advancement for a long time. "One of the greatest issues is getting [two-factor authentication] in place. Not so much at the firewall, but on all of the internal systems designed within a data center," said Feinblum.

In addition, there are a lot of issues with network segmentation and with patch or vulnerability management, he said.

Sometimes it's external rather than internal forces that drive security advancements in organizations, particularly with mergers and acquisitions. Feinblum said, "They might say, we're only going to do this deal if you can get this fixed in the next six months."

Inside an organization, the executive team that really believes in and values security has the greatest impact. Without that, Feinblum said, "You are fighting an uphill battle. If they don't believe it's important, it's going to be de-prioritized."

In order to drive security advancement in any business, there needs to be a pragmatic and strong voice representing security: a CISO or senior-level security person. "The savvy leadership teams are really trying to not worry about checking boxes. They are asking how do the bad guys operate and what do we need to disrupt them," Feinblum said.

For that reason, small organizations have a greater challenge. Travis Rosiek, chief technology officer at Tychon, said, "They are understaffed, and their budget is pretty small. Typically they are doing IT work and security on the side. Keeping the lights on and systems up and running takes precedence."

With a single person who is both heading IT and juggling security, there is little chance that they will have deep expertise across the different facets needed to reduce all risk.

"The executive's job in smaller companies is fighting for the budget. Security is a fraction of the IT budget. IT is pretty small, and then a fraction of that for security doesn't buy you much," Rosiek said.

But smaller organizations do have an advantage in some regard. "IT and security teams are usually strong and interdependent. When there is a crisis or something suspicious, they are used to banding together and collaborating really well," Rosiek said.

As more companies come to understand that everyone is a target, boards have become much more involved. "There's still a lot of organizations that think the threats are targeting different businesses and not them," Rosiek said.

Those progressive organizations that are more mature will have a CISO or CIO that has real visibility. Rosiek said, "From a maturation perspective, when the CISO is a direct report to the CIO and has an audience with the board, those organizations are definitely prioritizing security."

On the other hand, where the CISO is three or four levels down and has no visibility, they have a great challenge getting budget approval. That's why the people who want to really drive security advancement in any company need to be communicating directly with the risk owner.

"Whether you're dealing with a Fortune 500, mid-size, or mom and pop, the risk owner has to determine the acceptable or tolerable risk," said Darrell Drystek, ISSA senior member, ISACA board member, and owner of DDDrystek Consulting.

People want to feel secure, but few people want to really think about security. "We as security people have to make things simple for them. Educating them on what the value of data is," said Drystek.

"Most business directors would never dream of ignoring risk when it comes to funds, but there is a disconnect there in terms of data," Drystek continued.

That's why the communication needs to happen directly with the risk owner. Those enterprises that understand that risk is directly connected to business are the ones that are paving the way with sophisticated security programs.

Fortune 500 companies usually have a very regimented structure of layers to go through before getting to the board level. Those layers of both formal and informal communication most often enable security teams to get information into the right hands.

"What I use as a prod is data quality, both integrity and availability. Security risk is business risk. Compliance is a weak form of security where it becomes an insurance issue," Drystek said.

"For SMBs, you're dealing with the owner or very close to the owner. It's harder to get them to pay attention unless you have the right sort of in. Data quality and protecting business plans is the in," Drystek said.

Since the highest percentage of data loss and theft is the result of sloth and apathy, said Drystek, "The root cause of all those problems is a failure of governance. It's a management problem, not a technical problem. Executive level has to set the tone for the organization."

That's why in larger enterprises, "The CISO usually becomes the person who drives both the strategy and the budget. They usually have a team," said Hitesh Sheth, CEO at Vectra Networks.

It's often seen in the Fortune 50 companies, said Sheth, that "The CISO is still heavily involved, but the board is involved as well. IT becomes a regular topic at the board of directors."

When more stakeholders are involved, "It creates more budgetary room, and more robust dialogue. It forces everybody to be thinking about the broader set of issues. If you are a vendor, there are more stakeholders that they need to get buy-in from," Sheth said.

The companies that are the most nimble, that have found the balance between the budget available and the ability to move at speed, said Sheth, are the Global 2000 businesses.

"These organizations are just the right size. They can move at speed on their own and they keep abreast of what's coming to market. They do their own research. The CISO drives security advancement with a larger team," Sheth said.

Regardless of the size of any company, the greatest impact comes when there is emotional buy-in from the stakeholders. Because one of the greatest hurdles to overcome in advancing security is the perception that security is about restrictions, security leaders need to build relationships in order to get that buy-in.