Security leaders need to examine their business model, document risks, and develop a strategic plan to address those risks.