Is Security about improving the operational efficiency of IT?
Just had the chance to check out Ernst & Young's 10th Annual Global Information Security Survey: Achieving a Balance of Risk & Performance. It's a very detailed document that has a ton of great information. What caught my eye this morning were the answers to the question:
What is driving information security?
- Compliance with regulations
- Privacy and data protection
- Improving IT and operational efficiency
These days I'm personally more focused on the vendor side of software product life cycles (e.g., design, implement, test, feedback). With that said, this smells very similar to the role a Quality Assurance/Testing organization plays for the Development organization. While R&D is focused on understanding what needs to be built and attempting to deliver that capability ASAP, QA is always helping, or sometimes battling, R&D with finding problems/issues/exposure points, etc.
The role of security, just like QA, is not to hinder its operational/development counterparts, but to help mitigate exposure/risk in a proactive way. Bottom line, it's been my experience that it's better to find a problem early than late (major cost savings, greater customer satisfaction, etc.).
I may be out in left field here, but I'm simply pondering out loud the placement and priority given to Security/Risk/Compliance Management versus the overall purpose of the business.
Take a look at the survey and please throw down in the comments what you found interesting.
Labels: compliance, efficiency, privacy, security
