The role of the business manager
Business unit managers have a critical role in computer security. If this is you, then you are the resource owner. The IT staff can never understand how important the information stored in a computer is to the business, because they cannot fully understand the business. Only a business person can judge just how important a set of data is to the business operation. And only a business person can judge the importance of the threats to that data. The people who are involved in security (such as the CSO) and the people who are involved in the technology (IT) can provide the business resource owner with information and guidance. But they should never have to make the final decision. How much security is enough? That depends on the value of the information and the risks. And those are up to you.
The process by which you dictate the appropriate security investment is called risk assessment. If you are in a large organization, this is what the CSO is asking you to do. If you are in a small or medium-sized organization, you need to take this bull by the horns yourself. Clearly, assessing the value and risks of information assets is a key business skill in the twenty-first century.