3935 Views, 2 Replies. Latest reply: Oct 20, 2011 10:07 AM by Jonathan See
centercio-admin 46 posts since
Apr 10, 2009

Oct 10, 2011 12:57 PM

How do you communicate your IT risk management and security strategies in business terms to your organization?

CIOs in the recent Center-published research paper, Risk Management and Cyber Security: Opportunity and Challenge, suggest that CIOs must connect investment in risk management to business priorities and quantify and qualify the return. How are you doing that within your organization?

  • Jaya 1 posts since
    May 10, 2011

    To explain the return on investments made or to be made in Information Security to other executives in the organization is not a very easy job. It will be difficult to quantify the return. Some risks also cannot be assessed and may remain unknown till an incident happens. Unless an incident occurs, the benefits of investing in risk-mitigating measures may not be evident. However, CIOs should assess the risks, should know how these risks can be avoided or mitigated, and should explain to the executives in business terms (using the language that they understand) the possible outcome of such risks, how these risks may affect the organization and the extent of losses to the organization from such risks, and show a comparison with the amount of investment required to prevent such losses. It is something like selling insurance. In some cases, documentary evidence can also be produced. One example is spam protection for mail. Prints of logs of blocked messages can be taken and shown. Limitations of risk-mitigating measures, as far as known, should also be explained in clear terms before and also after the investment is made. Every organization has its own ways of working, and customization of the security systems implemented is essential. IT policies should not be determined by the IT Department alone. The Security Management Team of the organization, along with the Board of Directors, should be involved in policy decisions, although IT should take the initiative and suggest measures to be taken. This gives an opportunity to the CIO to explain the measures to be taken in simple language, such as why something should be blocked somewhere to prevent something from happening. The team which will be involved in the policy decisions should be sworn to secrecy and should be bound by non-disclosure terms. IT these days is so interlinked with all the business processes that even a break for a few seconds is not permitted. This is an opportunity for us.
    The more dependent the organization becomes on IT systems, the more the organization will realize the need for protection of IT systems and data. As IT Governance is becoming a part of corporate governance, the situation is further improving.

    • Jonathan See 1 posts since
      Oct 13, 2011

      Not an easy job, indeed. Unfortunately, human behavior does not always lend a hand to best practice. I would venture to say that most people think they would never be affected until such time as an incident happens. When incidents do happen, then people will realize how costly it is to perform damage control. Education, education and education ... You can never educate enough on risk management and cyber security. At my organization, we have an information security task force composed of key administrators. This task force sets the policy and promotes best practice. Telling this task force or other executives that IT spent $X.XX annually on spam filtering is not enough; we need to visually illustrate just how much spam we are getting and catching, etc. Then engage in a conversation with them by tying the stats to potential risk exposure and productivity loss. And not to mention the unknown and huge costs involved in rebuilding the organization's reputation and trust with the community. Cyber security awareness is not just limited to the month of October ... it's an ongoing effort.
