Where do you start to improve your security? With the cause or the effect?
As organisations identify security improvements to better protect their assets, they also realise that scarce resources can only be used once; to improve performance, or to reduce risk. Although sometimes you are lucky, and both can be done at the same time.