Security in IT doesn't come for free. Beyond appliance and/or license cost, it always involves cost in terms of the following:
1. System performance
2. User awareness
Every type of IT security control, whether it is an antivirus scan, hard disk encryption or a data loss prevention agent, ends up consuming the computer's processing power. Nor does it add any direct monetary value to the business; the security program is seen as a cost center.
Many times degraded system performance hampers serious business processing, leading to some type of loss, which is obviously not acceptable to senior management. Therefore, every security initiative should be taken at the higher management level; only then are the chances of the security program succeeding high. The Chief Information Security Officer (CISO) plays a vital role in explaining to management the dynamically changing threat landscape, the need for a security program, and the cost involved in dealing with that threat landscape.
Risk analysis helps in identifying the cost-to-benefit ratio.
It should be understood at the higher management level that the cost of not dealing with the risk is much higher, so that they take the decision to mitigate or transfer the risk. A bottom-up approach to a security program is destined to fail right at the initial stage.
Higher management involvement is important not only for funds approval but also for understanding the actual risk involved in the nature of the business being done. Again, the risk analysis process helps in identifying that.