"You are trying to sell the business a broken equation where you have no hope of getting payback," John Meakin, group head of information security at Standard Chartered Bank, told IT directors at Computer Weekly's Infosec user group. "The problem is that security costs money. It reduces risk but it is very difficult to feel the difference."
Unless IT directors are articulate with their arguments, they can get caught in a vicious spiral, where projects lose funding after three years, because the board fails to see the payback.
He urged IT directors to begin collecting surveys, press cuttings and data from their own systems to back up their arguments.
But David Lacey, director of security and risk management at Royal Mail, said it was more important for IT directors to learn how to be succinct and articulate. Executives need to be convinced in the first eight seconds of an argument, he said.
"Boards would rather put their trust in an expert who looks them in the eye and presents a case than put their faith in a whole bunch of statistics. But you have to be fast, you have to be articulate and compelling," he said.
Lacey recommended using certification as a tool to encourage businesses to follow security projects through to completion.