A personal take
"And Cisco reckons plenty of security bods will be in another job in five years"
Not this one, no siree! I shall be retired in five years if I have anything to do with it (the Equitable Life pension fund disaster notwithstanding).
As for 'selling' the idea of security, I've found the following to be reasonably effective:
Your staff are paid to perform work for your organisation. Appropriate security protects their work from being lost to your organisation, corrupted or stolen by competitors. And if your staff's work is not worth protecting, why are they being paid to do it?
And no, security should not be invisible or 'transparent'. We may live in 'the global village' but we still lock our doors when we go out, or go to bed. We want police officers on the beat to provide visible security.
For IT security it is really worth knowing which malware your firewalls are trapping - if you don't check then maybe they aren't actually trapping anything.
The real problem with senior management on security is their policy of "fix on fail". They will only fix something that is wrong if it has failed, either for them or for someone else. Try getting a new preventive measure through that costs money before any actual exploit has happened (and no, I don't mean patches for newly discovered vulnerabilities in software; there have been lots of reports of zero-day attacks for management to hear about to motivate them).
Most domestic burglar alarms are sold to people after the break-in.
And with the Cloud, and virtualised security features: we've got two firewalls and a DMZ with the MTA and web hosts in it. OK, so it is all running on one box with one comms cable and VPNs providing separation, but virtualisation is so much cheaper and more easily scalable, so that's alright then, security saving money, innit?
<and B R E A T H E >