Avoid spending fatigue

17.04.2006

Instead of asking for funding several times a year, project the security costs that need to be incurred over a 12-to-24-month time horizon, Rhodes-Ousley says. "CXOs can swallow that more easily," he says. "If you say you need certain things next year, you can get funding more easily than saying you need something now."

At Xerox, Pantas develops a three-to-four-year strategic plan for the company's security efforts and then prioritizes which of those projects to pursue in the ensuing year. "I do work off an overall strategic plan on where we want to take security," she says.

Do Let the CXO Define Acceptable Risk

Business executives deal with risk all the time, so before spending money to protect corporate systems and data, they first want to know the degree of legal, financial, operational and strategic risk they're facing. Only then can they decide how much of that exposure they need to mitigate and, thus, how much they want to spend.

"If the CIO is bringing concrete evidence of exposure, liability and even an actual incident, the discussion changes from 'Should we do this?' to 'How much would it cost to make this go away?'" Bomar says.