OK CXO, does this incident convince you of the need for security???
A friend called me today to ask for some help. Turns out a contractor he let go came back in through a backup service account and wreaked havoc on the network. And to add to the headache, the contractor deleted the event logs. There is a log management / SIEM (security information and event management) solution installed, but my friend is not sure if he had enough logs getting pushed to it to give him enough evidence. And even if he does have the right logs pushed, he may not be able to use the logs he has since the SIEM product he has in place is very poor in the forensics category (it trashes...errr, normalizes logs to a high degree - no raw logs available). My company can do some forensic work for him to try to help, but even the experts we have can't pull admissible evidence out of thin air.
I say all of this because this friend has suffered for some time from a lack of tools. His budget gets cut continually, and he can't get the management to commit to helping him out. And this comes directly from the inability to sell security at my friend's company. My friend is very detail oriented and does a wonderful job at selling his projects. I have been with him when he is doing it. I have helped him with the presentations. This is not an area where he is weak. The problem is that the management just will not be convinced that security is needed to the degree that the business demands. And now they have suffered for it, and my friend is having to pull every trick in the book so he can hopefully prosecute this scum-sucking guy who was pissed that he was let go.
I have talked many times about securing your business based on your business needs. Business decisions have to be made. But in this case, business decisions were made by poor decision-makers. What's a security person to do?



