Many business principals find the whole issue of organizational security rather esoteric and are generally reluctant to allocate resources to it unless they can see a return on their investment. At the same time, technical staff charged with managing organizational security often finds itself fighting an uphill battle because, without the appropriate resources, they can’t do their jobs. As a result, both parties fall into a reactive rather than a proactive role, responding to incidents only when they affect critical operations.
In communicating your needs to upper management, it can be helpful to discuss security in terms of three distinct stages, as described here:

• Passive. At this stage, the security team and the business principals cooperatively develop the policies and guidelines needed to protect the organization’s information.
• Active. At this stage, the security team implements the technologies needed to support the Security Life Cycle: Detect, Assess, Respond, and protect. This stage typically requires the most resources.
• Integrative. At this stage, security is an integral part of business decisions. To support the organization’s business goals, existing policies are revised and new security technologies are selected.