Two Things that Everyone in Infosec Agrees With: 1. They should never, ever have to justify themselves to the business with a ROI case; 2. They need more money from the business and don't understand why it is so hard to get.