Investment in information security – value add – becomes evident when you benefit from the – trust, confidence and business value – you’re “selling” to your customer base, stakeholders and investors, for the service offering you’re providing.
In so doing also shows due care on your part towards regulatory and standards bodies, which otherwise could bring about unnecessary media exposure, fines or even criminal damages for the lack of adequate protection (breach of privacy and confidential information).
That being said, as long as information security resources are used responsibly, appropriate and proportionate to the information being secured then return on investment should be realized.
Regular feedback to customers, stakeholders and investors regarding the benefits of investment in information security – instills trust and confidence, and promotes business value.
* Members of the board, stakeholders and investors want to see the “business value” as it relates to assets, liability and business strategy, etc.
* Regulatory and standards bodies want to see actionable, reliable and measurable compliance objectives, etc.
* Customers want to see informative and “plain language” – actions speak louder than words” – included in advertising, news updates, etc.
source : security forum