While these efforts are needed and valuable and must continue, they leave the core issue untouched. The underlying problem is that security executives are letting the assumption that security events are rare go unchallenged. Alongside the work of proving a return on investment, there needs to be a parallel effort to demonstrate that incidents are not rare, that information security has a certain "everydayness" to it, and that the data we all strive to protect is under constant threat, often from sources that are not the ones people expect.
The security industry has watched attackers shift toward more organized, well-resourced operations, yet the typical end-user still pictures a hacker as a lone bad guy sitting outside the corporate firewall. In that picture the firewall is tough, backed by intrusion detection systems and other security technology on which the corporation spends large sums of money. This line of thinking leads naturally to the belief that the odds of a successful attack against the firm are low.
In reality, data is threatened daily by individuals who already hold some level of access to the corporate network. Suppliers, contractors, business partners and, of course, employees all browse collaborative areas where proprietary data is likely to be stored. Countless examples exist of employees who, maliciously or by mistake, retrieve corporate data and copy it to unencrypted devices or personal email accounts, none of which the perimeter firewall was ever positioned to stop.
Security professionals need to continue explaining the return on investment of information security. At the same time, they should make an equal effort to demonstrate that security events occur every day inside the organization, and are not limited to a handful of incidents a year caused by hackers outside the corporate firewall.