Most organisations have at least three primary resources - money, people and information. I have always found it strange that people accept the procedures and controls imposed on the first two, but typically resist any attempt to implement similar processes for information management and security. And quoting good practice or horror stories rarely changes their minds.

IT consists of two words - 'information' and 'technology', and I think there is too much emphasis on the latter, at the expense of the former. The technology is usually viewed as a cost, and organisations normally attempt to minimise their costs. If information is treated as an asset then typically it has a value, and if it has a value then management will want controls. So focus on the value of the information to the organisation, and the costs which would be incurred if it were unavailable.