In a Carnegie Mellon study cited by Verizon's Hutton, it turns out that, when asked to indicate their board's three top priorities, none of Fortune 1000 respondents (0%) selected improving computer and data security. When these same respondents were asked about their prioritization of improving risk management, 56% selected this as one of their top three priorities.
By collecting information from a wide and complete set of systems, organizations can begin to analyze data to uncover trends. This information can also be used to identify patterns, which in turn could be used to assess risk, detect security incidents and suggest the likelihood of a pending attack. With an information-driven risk management program, decisions can be made based on evidence as opposed to speculation.