Security professionals should refrain from buying big-box appliances and talk to upper-level executives about making security decisions based on carefully assessing any risks to the data being protected rather than blindly defending against all attacks, according to the opening keynote at the 2013 Gartner Security and Risk Management Summit.

According to a report from CRN, Gartner estimates that only eight percent of organizations are running next-generation firewalls, and organizations that purchased those firewalls are not properly configuring them or using them to their fullest extent. CISOs might be better off addressing attack preparation, including training against an incident response plan.

A study from the Ponemon Institute says that too many security professionals rely on attack data and information about the latest security threats, and they fail to describe the business impact to upper-level decision-makers. In the U.S., some IT teams are constantly wrangling with business executives about security issues, CRN reports.

The keynote speaker, Paul Proctor, a research vice president at Gartner, warns security professionals not to dwell on high-profile security attacks. He recommends that we lose the focus on security technology and instead use time with the board to bridge the disconnect between executives and the security team, working to relate security and risk to business impact.