So, a guy walks up to another guy who is clapping. The first guy asks, "Why are you clapping?" The second one answers, "To keep the alligators away." Confused, the first guy says, "But there are no alligators around here." And the second says, "See? It's working!"
Such is the situation that many CIOs find themselves in when selling IT security to the executive committee. "When the CIO says, 'I'd like to spend this amount on security,' it's rarely, 'Are you sure you're spending enough?'" says Steve Rubinow, CIO of FXall, an electronic foreign exchange platform. "Instead it's, 'We haven't had any problems; maybe you're spending too much!'"
The ROI Paradox. Perhaps the clearest aspect of the IT security paradox is this: "There is no easy ROI on security." And, says Rubinow, you cannot guarantee that your systems are 100% secure. Plus, security threats can be subtle, with countries targeting intellectual property, not customer data.