As an executive you expect your security team to provide recommendations for how to reduce the risks associated with use of technology in your business. The question is, have you given them enough information to succeed?
One client told me the only benchmark their security team has from the top brass is "Keep us out of the news." Anyone else see a problem with this statement? I personally wouldn't mind seeing Integrity featured on local and national news every night, as long as it's good news.
You get the point, though. Not providing security professionals with an accurate picture of your willingness to tolerate risk forces them to be ultra-conservative. They aren't mind readers. If you give them a picture of the types of risks you are willing to take and the amount of loss that is unacceptable, they can be much better prepared to make recommendations that fit your organization's profile.
If you say "We can't lose patient data," that's pretty broad. Does this mean even one record? Does it mean we can lose records as long as it's below the mandatory reporting threshold? Those details define the pain points that security can manage to.
Hopefully your team understands the "grey areas" of security and helps you navigate the waters. If not, call them in and discuss some of the pain points. What's an acceptable loss? What would sink your company?
Armed with the right information on risk tolerance levels, information security pros can work wonders. But they need knowledge of the business that only you can provide.