Re: Bigger than IT alone
@tsdoaks: That's excellent advice, and I think for many CIOs and IT execs the CFO is probably more likely seen as someone to steer clear of rather than work on having in your corner.
Makes perfect sense, though, as does your insight into approaching security from a pure business standpoint. There is a body of research, in addition to information about breaches at your competitors, to draw from in building the business case for security expenditures.
Making that business case can be challenging for some, though. As you rightly note: As a CIO and CISO, it's important that we are able to articulate that clearly and persuasively enough that it doesn't smell like another IT expenditure for the sake of IT.
Does it help, then, for a CIO or CISO to have had some training in a business program? I'm not suggesting a full-blown MBA, just perhaps some targeted training that might help in this regard. What are your thoughts on that idea?