A recent report found that the top driver for implementing a risk management program is to meet regulatory compliance requirements. Fewer than half of respondents cited the general threat landscape or an interest in getting in front of attackers. Many organizations are doing only the minimum of what needs to be done in order to pass the next audit and to be able to show management that their IT systems are compliant. How do security professionals get the business to not only care about IT security risks, but also understand the business consequences of accepting too much IT risk?”]
Source: https://www.csoonline.com/article/2134077/thinking-outside-the-it-audit–check-box.html