There was a time when the IT security department had the only say in approving or denying operational requests. Risk management is increasingly in charge of how much risk is acceptable for a given operation. The challenge has been for management to understand and accept the reality that there’s almost always a chance of risk. The best organizations, by contrast, understand that reputational cyber attacks are likely to happen in the future — thus, they don’t shoot the messenger. IT security departments need to feel confident and secure in being able to deliver the potentially bad news as accurately as possible.
Source: https://www.csoonline.com/article/2621428/get-real-about-your-security-risks.html

