And yet, as Xerox Chief Security Officer Audrey Pantas says, "you never get as much you'd like -- you could always do more." And that sums up the mind-set surrounding IT security at corporations today: No matter how much money you pour into it, you'll always need to go back to the well.

With growing threats, increased regulations and plenty of media coverage when incidents do occur, executives have never been more aware of the importance of IT security. At the same time, spending fatigue may be creeping into the boardroom, as CXOs increasingly look for the business value earned on the security dollars spent.

"Senior management knows there's a problem, but it seems that every day the problem gets worse, and it's like there's no end in sight," says Robert Charette, director of the enterprise risk management and governance practice at Cutter Consortium, an IT consultancy in Arlington, Mass. "There's the feeling that they could give security every single penny and it still wouldn't be enough."

To keep the security budget from looking like a black hole, you need to articulate the value of the money being spent. Here are some do's and don'ts for doing just that.

Don't Use Scare Tactics