The purpose of Information Technology is to make the right information available to the right people at the right time.
The traditional approach to information security is the “no you can’t” syndrome. It's much more effective to define what the business actually needs and implement controls / raise awareness to prevent inappropriate flows of information.
Many business leaders see “security” as “pain”, so they appease or circumvent it; yet, to be effective, these people need to be “on board”.
Start by working with business leaders to understand the risks faced and opportunities to increase profits.
Take proactive steps to enable your business to do more with less risk by implementing the appropriate controls. Information Security should be an asset to your organisation whereby processes, procedures and technical controls enable you to reduce the risks your agile business faces.
That's why security is known as a top-down approach. Until management is not aware and they don't feel, security will not be implemented to grass-root level.