"After you've invested in new security technology, you need to come back six months later and show what you've achieved and how it squares up with what you intended to achieve," Scholtz says.

You also need metrics to show that it's good when nothing happens, McGraw says. For instance, following a worm outbreak, use network-activity reporting to show that you had the proper protective measures in place. Otherwise, you can fall into the chicken-and-egg trap, where people begin wondering why you have to keep investing in security when nothing bad ever happens.

McGraw also cautions against getting too granular in your reporting efforts. "They don't want to see your firewall logs or the number of virus scans or something geeky that you have to explain in three paragraphs," he says. "What they want to know is they invested $10 million in this product line and it's not going to be hacked on the first day."

Unfortunately, the most reliable way to ensure security funding is through regulation, "and that's a shame," Rhodes-Ousley laments. "Businesses simply won't do the right thing, such as protecting customer identities and private information, if they're not required to." The best thing to do in those instances, Scholtz says, is to partner with the internal compliance organization. "Complying with regulations has very direct consequences for information security and IT," he says. "But it's really the business that needs to make the risk-based decision on what they're going to do."

Brandel is a Computerworld contributing writer. Contact her at marybrandel@verizon.net.