I'm always on the lookout for good graphics to use in presentations about security. I recently came across EIQ Network's recent small survey on "What Keeps IT Pros Up at Night?" that reported roughly equal fears of experiencing a breach and failing a security audit - realistic, but still kinda depressing to me.
Failing a security audit doesn't harm a single customer and causes minimal business damage. Experiencing an actual breach can harm millions of customers and causes enormous, career-altering damage to the business.
In a larger SANS survey looking at the adoption of the Critical Security Controls, SANS found that the largest motivation to focus on the Critical Security Controls was to reduce risk (80%) while nearly 40% of adopters were doing so to simplify the effort required to satisfy multiple compliance regimes - a much better balance between "Protect the Business" and "Satisfy the Auditors."
The EIQ survey did show that 20% of their survey respondents are moving to implement the Critical Security Controls, and included that in the graphic below.