When you present this information, give the executives an array of choices with different levels of protection -- like they'd get when choosing an insurance plan, Charette says. "Let them understand what's at risk and then let them choose how much they want to cover themselves," he says.

Doug Lewis, a former CIO and a senior partner at The Edge Consulting Group LLC in Atlanta, calls this "finding the prudent zone." He recommends adding up how much it would cost to improve security and then plotting the range of spending options on a chart. On one side of the chart is the "danger zone," where security is insufficient, and on the other is the "ridiculous zone," where the company is overspending. Somewhere in the middle, he says, is the prudent zone, which will vary depending on your industry and security risks.

"You have to explain that if you're manufacturing talcum powder, you're probably not a big target for intellectual property theft, compared to a health care firm or a bank," Lewis says. "You have to take a balanced, prudent view and not overbill the case."

Do Use Business Language

When you live and breathe security, it's easy to be passionate about things like the difference between intrusion protection and intrusion detection. But don't bring that talk into a board meeting. "You have to explain yourself in human-readable terms," Lewis says. "What the CEO wants to know is, 'Am I being protected at a prudent level, and if not, what do I need to do to get there?'"