Please read A Simple Rationale: Risk Management (and IT Security) for Part One.
So, IT Security is what happens when we successfully manage our risks. Plain and simple.
That doesn't mean that predicting the world itself is plain or simple, just that if we can figure out how to manage our risks effectively, guessing wrong hurts a whole lot less.
Where that can translate into an upside benefit isn't always clear, but here I think our previous skydiving example still serves us well.
Some risks are obvious game-enders; all wearing a parachute does is get you in the game and out the airplane door (at least, I'd hesitate a good long while without one), but it's the inconspicuous backup chute that gets you down to the ground in one piece when things get complicated.
Ever heard of that guy that's always the first one out of the plane? The reckless maniac? Yeah. You can be sure he packed his own backup chute... and checked it three times. He's done everything within his power to limit his losses, so there's nothing to slow down his decision to jump. He doesn't fail to commit. He's already out the door. Oh, and by the way, only one person gets to jump today; the rest of you can go home.
I don't know about you, but it's happened to my business before; you rarely ever get a second chance to regain a lost opportunity. If you've missed the jump zone, it's a long flight home. Better luck next time; next time, hopefully, after you've addressed your risks and can commit to a clear decision.
Sooner or later, we'll all invariably make a bad prediction. The difference is this: with good risk management it will be a mistake we can survive. And that's what long-term business success is really made from, surviving the mistakes that we need to make, in the course of exploring alternatives and ensuring there isn't a better path to achieving our goals.
And if we don't find that best path, our competitors probably will. And that, I'd say, is clearly a risk that needs to be managed.