Hi, I was wondering if people had any experience/thoughts on presenting ITSEC to high management, i.e. why is security good for the company, why should there be a good security policy and why spend money on something that doesn't directly bring profit? Why comply with BS and ISO ITSEC standards? Or even "why hire security professionals", spend money on certification etc.?
Any thoughts, pointers to existing material on the subject (academic papers etc.)?

Mat
--
Matej Pfajfar