IT security is a cost center but so is:
Malware, ransomware, and viruses
Downtime created by malware, ransomware and viruses. I know of situations where internal IT teams had to wipe all of the computers because the network had ransomware on every Windows device on the network.
Lack of email hygiene
Spam and phishing emails can be filtered out with spam filtering tools in front of the network. Reducing phishing emails reduces the likelihood of employees downloading malicious payloads.
How many man hours does it cost to recreate the data? How much time have your employees put into creating data, only to have it lost because of ransomware or improper backups.
Your employees spend vast amounts of hours creating company data, specialized knowledge that can easily be stolen if your network is breached. Further, you can spend money on Data Loss Prevention (DLP) tools to see where your data is going.
So sure, IT security is a cost center, but can you afford not to have IT security? I think it’s an expense that you need to have on your balance sheet.
Here is a nice collection of stats on IT security if you want to drill down on the true costs of not spending money on cybersecurity: https://www.varonis.com/blog/cybersecurity-statistics/