Using an event such as a data breach or a broad trend to bolster a security pitch can be effective in getting the attention of those holding the corporate purse strings, he said. "Use examples, use events in the media, pick the top [security] issue in the paper, which these senior executives read, and show them how it is being addressed," Schramm said.

One of the limitations of such a tack is that using external events, while powerful, can be anecdotal, Blake said. "Going to the board and CEO and saying that we are spending x percent but we should spend y percent is very challenging" if the discussion is based purely on what others are doing, he said.

Showing business executives how a security investment can allow a company to demonstrate due diligence is important, too, said Tom Bowers, manager of information security operations at a Fortune 100 drug company that he asked not to be named.

Bowers' company, for instance, outsources a large portion of its IT operations to outside service providers. Its ability to seek legal protection under intellectual property laws would be considerably weakened if it didn't implement what are seen as reasonable controls, such as encryption, content monitoring and digital rights management, he said.

Highlighting such issues can help reinforce the business value of security investments, Bowers said.