The prime challenge is striking the right balance between ease of access for authorised users and an appropriate level of risk mitigation. Securing information in a lab environment, where nobody actually needs to use it, is easy. Piling on access controls may reduce the risk, but it is likely to result in a poor user experience, and users who find controls obstructive tend to work around them.
Phrasing information security requirements in terms of risk enables the security professional to communicate effectively with the business owner; without their buy-in you will fail to achieve effective security. Effective security lets you do more with less risk: you clearly define what you WANT to happen, identify the high-value information assets, and implement controls to mitigate the risks you are not prepared to accept.
It is vitally important to communicate clearly with the information users too, as their role in information security is often overlooked. Technology is only effective when combined with informed people and meaningful processes.