Avoid spending fatigue

17.04.2006

When Pantas discusses the importance of avoiding vulnerability in software code, for instance, she doesn't go off on a tangent about not doing cross-site scripting, she says.

So instead of saying things like "threat detection," "encryption" and "data protection," use terms like "exposure," "indemnity," "protecting the brand" and "effect on market cap," says Tom Scholtz, an analyst at Gartner Inc.

For instance, if your company just launched a branding campaign for its product or service, brand protection is a relevant justification for security spending. "You say, 'You guys spent US$200 million last year on branding your credit card as the cool card to carry around, and one story in The Wall Street Journal can bring that all tumbling down,' " McGraw says. "Then, if someone says, 'Why did we install that expensive apparatus?' you can say, 'Because we're protecting the brand.'"

And you had better be able to state your case in an "elevator speech" -- a concise, compelling argument that can be made in less than a minute. "What's that one message?" Charette says. "They don't care about the different levels of encryption -- they care about the harm it will keep the company from suffering and how much it's exposed in the different scenarios."

Don't Use ROI Arguments