My last post, "Forget ROI and Risk. Consider Competitive Advantage," seems to be attracting some good comments. I thought it might be useful to mention a variety of ways to justify a security program. I don't intend for readers to use all of these, or even to agree with them. However, you may find a handful that might have traction in your environment.
  1. Crisis. Something bad happens. Although this is the worst way to justify a program, it is often very effective.
  2. Compliance. An external force compels a security program. This is also not a great way to justify a program, because resources are often misallocated.
  3. Competitiveness. Please see my previous blog post.
  4. Comparison. If your company's security team is 10% the size of the average peer organization's, it's not going to look good when you have a breach and have to justify your decisions.
  5. Cost. It's likely that breaches are more expensive than defensive measures, but this can be difficult to capture.

The link for this article located at taoSecurity is no longer available.