My thoughts on the CISO situation have created some questions - it seems that I was a bit vague in some of my descriptions. Even Mike Rothman had some comments (which put it far more eloquently than I could have). So, even though he explained it well, I thought I'd elaborate a bit with a comparison to one of my favorite markets - Quality.
In the 60s through the 80s, product quality was looked at as a tactical issue - we fixed quality when the product went bad and customers were either complaining or we were getting bad press. Basically, quality was a corner to cut unless there was a reason not to - it wasn't a function that was seen as enabling the business to succeed (i.e. "strategic"). You did quality to keep from failing, but it was viewed as a "necessary evil", and a tactic to adjust when things were going bad (do more or less of it depending on the current situation).
Then, in the late 80s and early 90s, the general business community realized what Deming and the Japanese had realized all along - that quality was "free". That is, the money spent on quality almost always returned more than it cost. It was then (and only then) that you saw quality become viewed as a strategic function - that is, quality was something that the CEO talked about as part of his business strategy for making the company successful. The earliest ones were Larry Bossidy (Honeywell) and Jack Welch (GE) - they made Six Sigma a significant part of their corporate strategy (even talking about it in the annual report).
What I'm suggesting is that risk management is the same thing - today, we do security for very much the same reasons you did quality in the 60s and 70s - it's a necessary evil. But recognizing that doing risk management right is always free is something that's still going to take a while.
But it ultimately is free. "Risk management" can be viewed as a very strategic function - "eliminate those risks that are going to cause us to lose money". In that way, they align fundamentally to the core function of the business ("make money").
For example, I have seen many companies invest in a very complex intrusion prevention system. The system costs $1M/year to maintain, and $2M up front. But (in one case) they're only losing about $500K/year to the intrusions. So, they've spent $3M to save $500K. (Which is, of course, the definition of "spend like a drunken sailor" as Mike Rothman put it.) But they did it because the security people are thinking about "how do I best keep us secure" rather than "how do I make security something that helps make us money".
That's probably the best definition, after all this rambling - it's all about vertical alignment. Each department that acts mainly in service of its own objectives is not acting with appropriate strategic focus - they're not aligning to the business's outcomes.
Risk management (across the enterprise) needs to align that way - spending $50 to save $5 just doesn't make any sense anymore.