• I'm pro-"when".

    The reasoning is that if you propose security to the business as an "if" case, the answer is always, "no, that will never happen, because we're not a target - we don't have any enemies". Management doesn't understand that it's not a personal issue, that hackers can run automated attacks against anonymous targets, and desire either information or resources.

    Meanwhile, the IT approach is "if we firewall it, then there's no hope". Except things end up not being firewalled. Or the firewall goes down. Or the firewall gets hacked. Or whatever port is opened for the firewall gets hacked. Or someone VPNs in. Or a third party integrated data source is hacked.

    So, forget "if". Make it "when". What did we have in place to show that we did what we could to detect the intrusion quickly and minimize what could be siphoned out (with development, duh!)? What do our contracts / policies entitle our clients to? Where are our backups if things get serious? What are we going to do?

    Of course. Few ever do. Though Australia just released new privacy policy legislation so that companies who didn't make any effort to secure their data are going to be in BIG trouble. Of course, it's going to take a few to go down in flames before the rest start investing in fixing all of the past hacks they've done to get around doing things properly.