The negative sell is always the hardest to make: “Do this to prevent this horrible outcome.” You rarely know if you were successful or not. The great leader stands on the rubble of the collapse with his call to action, inspiring the people to pull together; the man who prevents the collapse to begin with, however, is never known.
It is a well-worn cliché that crisis is the best opportunity. Preventing crisis, however, is no opportunity at all. Often, whether the crisis is prevented or not becomes a game of speculation. Claims of success are frequently met with incredulity: it was never a threat to begin with, it was a matter of chance, fate, you got lucky. As long as quotidian affairs continue, there is very little recognition to be found in prevention.
Despite the foregoing, which is all painfully obvious, many still focus on ill-conceived notions like ROI for security. One should focus instead on what the true by-product of information security and risk management is, to wit, survivability. A well-executed risk management program permits a company to survive situations like the current one or specific freak accidents. One cannot predict the event or its magnitude, but it will arrive, and those whose sole focus is growth invariably fail. The world is unpredictable and unforgiving.