Getting management buy-in to IT security

IT security and computer audit professionals will be familiar with the problem of trying to persuade a sceptical manager that he or she should spend money on IT security precautions. Because few meaningful statistics are available about security breaches, it will always be difficult to demonstrate the tangible benefits that are required to cost-justify expenditure. The need for adequate investment in security precautions should be obvious to the reader. Yet for some reason this message does not automatically get through to general management. Unfortunately, the problem is not simply a lack of persuasion or influencing skills on the part of the security staff, although this may be a contributory factor. Instead, the problem is the result of a number of issues relating to the organization’s security culture.