I liked the way Jeremiah Grossman listed five ways to justify security spending:
1) Risk Mitigation
"If we spend $X on Y, we’ll reduce of risk of loss of $A by B%."
2) Due Diligence
"We must spend $X on Y because it’s an industry best-practice."
3) Incident Response
"We must spend $X on Y so that Z never happens again."
4) Regulatory Compliance
"We must spend $X on Y because PCI-DSS says so."
5) Competitive Advantage
"We must spend $X on Y to make the customer happy."
Jeremiah expands on each in his blog, which makes for good reading.
Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.