Subject: Use these kinds of stories to gain support for awareness education as a starting point
Justifying Security
Posted by ScottWright on Monday, March 16th 2009 @ 6:16 AM
The article in the link below discusses "what to do first" when you're concerned about security. It's not a surprise that they quote a Forrester report, one of the many that show "Training" is one of the best investments for improving security and preventing data breaches.
Click HERE for the article.
Pharmaceutical giant Eli Lilly is a perfect example of a company that had to experience a major security breach before there was enough internal support for taking security seriously. In the above article, their Chief Information Security Officer (CISO) insists that education and awareness are the first step in gaining support for an effective security program.
To quote the article:
Adrian Seccombe, chief information security officer and senior enterprise information architect at pharmaceutical giant Eli Lilly, and board member of security body The Jericho Forum, says: "Those organizations which have not had a breach yet will find it quite difficult to get the amount of political will and energy they'll need to actually make sure that privacy awareness is more than just skin deep in their organization. It needs to be built into the muscle."
So, don't wait for the worst case to happen just to have the evidence you need to justify starting a corporate security program. Start by using these kinds of stories to build a case for doing security awareness training. It's not only the best return on investment, right off the bat, but as awareness grows, so will support for a more structured program throughout the organization.