Security is SOP for business
By John Dix, Network World, 09/11/2006
At this week's Security Standard conference in Boston - which was hosted by Network World and other IDG publications - speakers talked as much about the business of security as the technical options and details.
All agreed that security is now standard fare in boardroom discussions. "Board involvement has changed dramatically," said John Schramm, senior vice president of enterprise information security for Fidelity Investments and a panelist in one session. "They want to know about the biggest risks, what we are doing about them and how they can help," he said.
It's no wonder, agreed panelist Tom Bowers, manager of information security operations with a Fortune 100 pharmaceutical company
that didn't want to be identified. Security breaches have put some companies out of business and deflated the stock value
of others by 20% to 40%.
"Up until a few years ago security was reactionary," said panelist Scott Blake, CISO for Liberty Mutual Insurance Group. "Something
bad would happen to a company, and it would decide it couldn't allow that to happen again so would spend some money. Now we're
all trying to get out ahead of things by making investments."
How do you justify the investments? Many speakers at the event were skeptical of using ROI to make the case for security spending.
ROI works for things like antivirus tools, Bowers said, but you have to know the value of what is at risk and be able to measure
that: "We have PDAs all over the world with corporate information on them. What is the value of that information and what
is the risk?"
That sentiment was echoed in another session featuring Lawrence Kinsella, CFO for BT Global Financial Services, which operates
a managed extranet for financial firms. "We don't do true ROI analysis on security. The most important thing to a company
like ours is our reputation. You can't put a value on that," he said.
Kinsella shared the podium with his company's CSO, Lloyd Hession, who said you can either accept risk, mitigate it or assign
it to someone else, but you will always face risk-reward trade-offs.
Issuing a router patch to 20,000 devices, for example, could be riskier than not patching, if the vulnerability has yet to
be exploited in the wild.
Speaking of patching, Ben Fathi, corporate vice president of Microsoft's Security Technology Unit, told the conference crowd
in another panel discussion that Patch Tuesday won't go away with the arrival of Vista. "Software is complicated," he said.
"But hopefully, the frequency of the patches, the urgency of patching goes down."