Security professionals are generally good at communicating the business value of things they do that are important but not necessarily strategic. For example, compliance and cost dont always communicate their strategic components, such as risk and enablement. Security risk is not synonymous with threats, vulnerabilities or exploits, as much as we love talking about those things. The proper definition of risk is the likelihood that some threat will exploit a vulnerability, along with the magnitude of the business impact if the event actually occurs. The goal is to manage security risks to an acceptable level, within the managements appetite for risk.”]