The board and upper-level management want to know whether InfoSec is spending enough money, and there is strong pressure to show results quickly after an investment is made. A smart approach is to determine the right amount and then double it.
At a high level, policies govern actions. But are you spending enough time at the policy and procedure level so that people know what to do and relate their actions to the policies? Subcommittees on risk can be valuable assets, as can solutions that provide a risk control framework.
It is an interesting approach to have a “member experience” or “user experience” group involved in evaluating security policies and making sure they enhance rather than compromise the user experience. Education must also be a key focus, and many organizations are stepping it up in this area by showing how failing to adhere to policy can impact them and their organization. Focusing only on compliance, without education and without prioritizing risk, is no different from chasing your tail.