Avoid spending fatigue

17.04.2006

Investing in security rarely yields a return on investment, so promising an ROI will sound ill-informed to a senior executive. "You really have to talk about it from an insurance perspective," Pantas says. "It's more about cost avoidance or cost of compliance; there's very little in what we do that's relative to gaining ROI."

It's possible to discuss other benefits of security spending, such as protecting the company's ability to generate revenue, keep market share or retain its reputation. But ROI relates to expanding revenue and profits, "and security isn't about that," Charette says. "Trying to sell it as if it's a revenue generator is a good way to have the board say, 'Are you nuts?'"

Do Report on Benefits From Past Spending

Before asking for more security funding, make sure you close the loop on your previous spending by regularly updating executives on the results of those efforts. This means regularly measuring things like how many malicious attempts were stopped at the firewall or how quickly incidents were resolved, and then summarizing this data in a meaningful way.

Pantas has her team conduct regular audits on network attacks, providing her not only with an idea of where vulnerabilities continue to exist but also with a record of improvement over time.