I'm impressed by a Ponemon Institute study into the business costs incurred through US data breaches involving disclosure of Personally Identifiable Information (PII). Ponemon investigated around 80 reported breaches, analyzing costs that are often hard to quantify, such as customer defections. The results are fascinating: an average breach costs over $4m, or ~$180 per record lost. Customer defections (and presumably a reduction in the number of new customers) are the main impact.
Incident costs within IT are negligible - the costs fall primarily on the rest of the business. In extremis, it could be said that IT doesn't care about privacy breaches. Therefore, the onus is very firmly on the rest of the business, not IT, to justify investment in better privacy controls on a cost-benefit basis. If the budget is forthcoming, I'm sure IT will happily evaluate, select and implement better privacy controls; if not, they won't. It's that easy.
This clearly demonstrates the distinction between IT security, a function sitting within IT and working on behalf of IT to secure the IT infrastructure and services, and information security, a function with responsibilities across the entire organization to protect information assets, not just technology.
Best of all, the Ponemon report provides useful data to build the business case for control improvements. Let's say we anticipate one notifiable serious data breach involving PII every 5 years; at $40m per incident, that makes an average cost of $8m per year. So, controls costing up to $8m per year are justified. $8m would buy a lot - it's probably more than enough to implement whole-disk encryption for laptops, for example. It's WAY more than enough to implement a security awareness program focusing on protection of PII.