The practitioner-based information technology (IT) research company for senior technology professionals, Wisegate, has just released a report that details how chief information security officers gain executive buy-in on security budgets and how they manage them. Chief information security officers (CISOs) often have problems with communicating properly what the value of security is in business terms, gaining budget approval, and planning for unexpected expenses. CISOs generally find it comforting to talk to other CISOs to learn how they cope with similar problems. The Austin, Texas-based Wisegate’s new report shows how their own CISOs use their personal management techniques when acquiring a new budget. This is a rare event, because normally these reports are kept for internal use only.

Candy Alexander, who is the former CISO for Long Term Care Partners and ISSA Board member, says that it can be difficult to allocate spending for information security; “While spending money on information security is essential for most companies—be it in the form of technology, awareness, or education—reaching an agreement on how much to spend and where to spend isn’t always easy.” Alexander says that knowing how other CISOs contend with spending can be helpful, noting that this information can “sometimes make the difference between winning security budget buy-in or struggling through another year without adequate funding.”

Sara Gates, the founder and CEO of Wisegate adds that there are many challenges during the budgeting process. Among them, “knowing how their security spending compares against similar organizations, allocating budget based on business needs, communicating the importance of security to upper management and gaining critical leadership buy-in.”

By using benchmark data, risk-based methods, and threat models, CISOs can help determine how much money should be allocated for information security. However, in the corporate world, there is often a gap between what needs to be spent and the actual final budget. When the funds have not been allotted for security programs, creative methods for spending can still keep the CISO looking strong.