Lauren, as a CTO in a knowledge-based organization, this is a topic close to my heart. For an organization to thwart 90% of the attacks that are made on its knowledge resources is the easier part of this task. What worries me is the 10% of attacks which require more and more resources to prevent.
As organizations grow in scale, their infrastructure, however, does not keep pace. Often the CFO and the CTO are at loggerheads ... why spend that additional million on network equipment/security consultants when that could show up as pure profit?
I doubt whether analysts even stop to consider information security within an organization as a parameter to evaluate the company's health ... even though infosec is an obvious health metric. Can something be done about this?