McAfee has a post about compliance not being a cost center that Mike Rothman from eIQ Networks had a lot of problems with. I fall a bit more in the middle.
First of all, it is entirely misleading to suggest that "information security compliance" is NOT a cost center. That smacks of a misunderstanding of exactly what a cost center is: a unit that incurs costs without directly generating revenue. Since information security compliance does not directly drive revenue (and can't be a profit center, as Chris Hoff points out in the comments), then of course it is a cost center.
That said, I am in complete agreement that there are often ways to reduce costs (to optimize risk) while performing at the same level of output. Put differently, it is the rare environment that is 100% cost-efficient. I can't imagine too many people arguing that one.
Of course, being a cost center doesn't preclude an organization from getting ROI from security spending, but it does make it more difficult.
I have a HUGE problem with this statement: "…a good business leader needs no justification to do the right thing." It is so laced with b.s. that the cows are lining up in the barn waiting their turn.