Additionally, when communicating to the company about the security organization's activities, it's not a bad idea to piggyback newsletters or articles onto communiques that a high-level executive is already sending out. At a previous employer, Clark contributed a monthly column to a weekly newsletter that the number three executive in the company sent out. At another company, he paired up with the CIO's ongoing communications.
"I ask the highest-level person I have a relationship with to send it out," he says. These missives are also a good way to build a campaign for an initiative for which you're trying to gain support.
7. Read Their Minds
It doesn't take a psychic to forecast the concerns and questions certain stakeholders will have--all it takes is a quick study in human behavior. "Certain individuals have hot-button issues they particularly want to dig into," Gunthner says. For instance, HR may have a particular sensitivity to certain employee relations issues, while facilities may be concerned about misplaced assets. "To know what those are and address them in advance gives you a much better opportunity to get your proposal through," he says.
8. Watch Your Timing
Timing is not always something you can control, but it's important to keep in mind that it's "key, key, key," Gunthner says. Even great projects that clearly support business strategy and promise a great return can get turned down if the decision maker is, for whatever reason, having a bad day. "You have one opportunity to get a 'yes,' so timing is crucial," he says. "If you have the ability to pick the right time to present your project, do so. This will increase your chances of getting a 'yes.'"
9. Show, Don't Tell
When presenting to the C-suite, visuals can express your ideas more clearly and quickly than words. When Clark wanted to convey risk exposure to executives at a former employer, he created a mash-up of the company's Web security tools and a spinning globe. He showed a rain cloud advancing over certain cities to show where the risk was highest. "The CEO asked if I could guarantee we wouldn't get hacked, and I said, 'Can you make it stop raining?' No, but you can prepare for the storm to reduce your risk," Clark says.
At eBay, Cullinane has developed a dynamic "risk curve" visual that illustrates the relationship between spending and risk levels. "It tends to get pushed up to the right as new exposures are found and moves down when we take actions to reduce exposure," he says.
Clark also believes in the power of storytelling as a vibrant way to enliven security exposures and successes. He has gone so far as to hire a security marketing analyst, who spends one-third of his time storytelling, whether it's to secure funding or report on ROI. This person is a creative communicator and natural salesperson who, for instance, tells executives what they got for their money, beyond standard ROI, and puts relevant context around news stories of security mishaps and explains what could reduce that kind of risk.
Sign up for CIO Asia eNewsletters.