Sunday, August 26, 2007

How can Risk Management be promoted and highlighted in a company?

“Hi .., This is a tough question... There are multiple facets of a correct approach, and unfortunately there is no silver bullet... First of all, let's underline the options that create a negative opinion of information security in upper management:

1- Many managers assume that security (and the security budget) is overrated. If the Information Security team is perceived as "exaggerators", all credibility is lost. Being honest and realistic is the best way. Never choose the FUD play. Instead, be the down-to-earth, cost-saving person. Tell them how hard you are trying to cut costs, and the risks that you are accepting as a company.

2- As stated in other answers, if the source of the security initiatives is the internal team members, credibility and the adaptation of risk management principles are lower. Trusted 3rd parties always work... For example, if you invite a C-level exec to a security workshop or a security conference, the executive will probably be in defensive mode about accepting new ideas, since all such events will be considered "brainwash" sessions. Instead, security information should come from unexpected 3rd parties: at an SOA conference, on the golf course, in a Green Data Centers whitepaper, or in the Wall Street Journal... This makes the real effect. Management should feel like they have figured out the importance of security.

3- Security is not a problem, and naturally when you present it as a problem it is not positive. Security is a part of the business process: you have your assets to run your business, and you have some risks that may affect your assets... Security should be presented as a base for running the business. You have a delta between your existing risks and safeguards; how you answer to close the gap between risks and safeguards is a management decision. It is not a problem, but all key stakeholders should understand their responsibilities...

4- Underline the other benefits. Security may certainly be a competitive advantage, as a sales tool. Think about the millions of manufacturing companies with ISO 9001 certifications... This is not just because these manufacturing companies believe in quality management... Risk Management can certainly be a sales tool when used properly. Any growth-oriented organization will recognize the benefits of a "Risk Aware" certified operation. Or talk about documentation... Verify whether you had any documentation before the security initiatives, and the merits of good documentation.

5- Play the ugly side... Ask how much was spent on security and try to measure improvement. If your organization does not have a security management program, they are probably not measuring security, which means they don't know what they are spending money on... Ask the question: why are they spending money? Ask them to stop spending completely because it is nonsense... Or ask them to build a security management program where they can measure and improve security. The moment your organization starts measuring, all parties will understand what is at stake and where the money is going... That is a good highlight...

6- Sometimes it is not all about security, or security risks. Talk about availability... In today's world, we are connected, the security infrastructure is interconnected and it is usually inline... Poor interest in information security not only means breaches but downtime... Downtime is hard cash dollars lost. Underline risks, and underline how these risks can be mitigated...

7- Don't use poster statistics like the FBI survey, or TJ Maxx; they already know about them. As a key information security stakeholder, start sending out managed-risk memorandum of understanding letters to other stakeholders. Tell them that as a cost-cutting feature you are accepting the risk of ..... and ask for a sign-off... Tell upper management that in order to save money tactically, accepting risk is their best option. Also discuss the strategic options, like controlling the risk in a structured approach. Compare benefits...”
