For example, medical fraud has an impact on the company's brand and reputation, so Calatayud started out by getting the marketing department to understand the net benefit of that particular project.
"The board becomes very receptive to that because they see the business content, because the marketing team is on board," he said. "Here's the net benefit to the company. That's how I've approached bringing things that are more company strategic."
It can be hard to justify technology costs by focusing purely on the security benefits, he said.
"Fear mongering, although helpful at one time to garner support, today leads to only short-term support and ultimately undermines CISO credibility," said Adam Vincent, CEO at security firm ThreatConnect. "Instead, the CISO should focus on clearly communicating strategic risks to the business and what is being done to mitigate the risk."
For example, CISOs might be able to get more money for their security projects by attributing the costs to the business unit or organization that will benefit from them, instead of asking for funding in one lump sum, said David Shearer, executive director at International Information Systems Security Certification Consortium.
"CISOs need to bridge the gap between the technical aspects of the information security program and the business value board members are looking for from investments," he said.
For example, when Jason Thomas, CIO at Ruston, La.-based Green Clinic, was pitching consolidated user accounts to his board of directors, he didn't pitch it as a costly new security project.
Instead, he pitched it as a way for doctors to log in to all their systems with just one user name and password, so that they could stop worrying about security and focus more on their patients.
"That's a business simplifier," he said.
His board, mostly composed of medical professionals, is worried about security, he added.
"But it's a difficult situation because you're trying to educate them without giving them fatigue," he said. "You have to have a light touch with security, and not freak them out."
Whenever a project can be pitched as a business benefit or competitive advantage, that helps, he added.
New success metrics needed
Eric Cole, Fellow at the SANS Institute, said that he's regularly seeing the CISO becoming equal to the CIO and reporting to a risk executive, or directly to the board.
"It's security that keeps executives up at night, not IT infrastructure," he said.
Many boards don't know what to look for in a CISO, and how to tell whether a CISO has been doing a good job or not, he said.
"The problem is the metric the board is using today is, if you don't have a breach, then security is doing its job," he said. "And that's a very dangerous metric because we know that everybody will have a breach."