A key component of any Computer Security Incident Response Team (CSIRT) is full support from upper management for that team. This support includes buying in to the need for an organization-wide CSIRT, granting the required authority for the team to conduct its activities, and, most importantly, providing the necessary funding.
Funding is needed not just for everyday CSIRT activities, such as help desk staffing and forensic hardware and software, but also for the unexpected events that the CSIRT may encounter. Imagine a scenario in which a business has been attacked from within by an employee. In order to build a good case against the employee, it may be necessary to locate and image every computer the employee may have touched directly or indirectly. The expense associated with storing the gigabytes of data from the imaged computers and performing forensics on them may be significant. Where will the money come from? Will the IT department have to ransack its budget in order to find the required funds?
Yes, we hope that events such as these never happen. But they sometimes do, and it is worthwhile to consider solutions to these problems before they occur, not during an incident.