This could have resulted in leaked information on organizational changes or planned acquisitions, but by making a small investment in a malware product, the exposure could be drastically reduced, he says. Cullinane also recently made a large investment in intelligence information to focus on major sources of fraud. "It was essential in arresting individual fraudsters and kept our fraud rate down 100 percent more than the investments we made," he says.
Ideally, you should show the investment will close a hole you have in your organization that has resulted in a security lapse tied to a financial loss. If you can't pin it to an internal event, show what happened in another company, preferably in the same industry.
"It shows it's not pie-in-the-sky but can and has happened, and therefore there's a risk that needs to be remedied," Gunthner says. "That makes it much easier to sell."
Present your request for funding in what Cloutier calls "a risk-informed manner."
"Everything can't be important, so we have to show what's important and why," he says. Cloutier works closely with the financial organization to create models of risk impact--how it affects investments, revenues or business-unit financial models--and probability, based on comparisons with others in the industry.
"We use a lot of financials because we're a financially focused company," he says.
2. Show the Business Link
Even if you can't get hard numbers, be sure to request funding only for initiatives that align with current business concerns, Cloutier says.
For instance, if the current business concern is top-line revenue, how can you help grow it faster? If it's closing the sales cycle faster, what program can you initiate to speed that up? If the concern is expense reduction, what can security do to reduce fraud and waste?
"If you can articulate that and show a direct link--not just a speech that points to something, but actually show a link--that gets corporate leaders behind your efforts to support them in reaching their goals."
3. Watch Your Language
You won't get far in your spending requests if you don't tune your message to the audience, whether you're presenting your case to the executive board, the IT group or the mailroom staff.
"You should constantly be shifting gears in the way you talk to various prospective customers," says Jason Clark, chief security and strategy officer at Websense, a security solutions provider. "IT cares about operational details, but that's not the same conversation you should have in the boardroom."
Alan Nutes, senior manager of security and incident management at Newell Rubbermaid, echoes this advice. "If you're talking to senior management, use C-level words," he says. "A security professional might say 'loss prevention,' where a C-level [executive] will understand 'asset management.'"