Before you became an executive, the humidity and high temperatures of August meant vacation time. Now it means that the annual budget process is going to begin soon.\u00a0 Even hackers don\u2019t take vacation time these days!\u00a0 Maybe you don\u2019t need your numbers yet, but information security and risk management teams are doing their reconnaissance to determine what their technology solutions may cost and whether they have a chance to get them through the corporate budgeting process.\u00a0No doubt with your appointment as an executive, you\u2019ve developed the requisite skills to navigate this annual corporate game. But as you\u2019ve come to realize through the years, budgeting rules and expectations continually change forcing you and your team to deliver more and with less resources. Each company\u2019s culture and budgeting practices are different so you will need to adapt to your unique situation.I\u2019ve identified a couple of things that \u201cwe bean counters\u201d either look for or talk about behind your back. Hopefully, this will help better justify your budget and help you get what you \u201cdesire\u201d for the coming year.Are you using what you bought last year?You thought bygones were bygones and we forgot what you bought last year. You convinced accounting that the new security tool hitting the market last year was a must have. You told them how the world would be a better place and how when implemented, the new tool would significantly strengthen the organization\u2019s security posture and facilitate the company\u2019s entry into new distribution channels.\u00a0So how\u2019s the implementation going? We both know that so many things have come up since you purchased the tool and you just haven\u2019t had the time, priority, bandwidth, etc., to implement the tool. Plus, as with every new tool, maybe you assumed that the tool would do more than what it actually does.From an accounting perspective this is called a failure. Because traditional budgeting techniques focusing on objective criteria like ROI may not always be practical for security purposes, decision makers rely more on your representations and reputation within the organization. Not delivering on promises made last year or appearing to have \u201cwasted\u201d prior year\u2019s investments is a deal-killer for future budgeting requests.What are our peers doing to solve the problem for which you want the budget for?Why do we need it if our competitors don\u2019t? While preparing budgets we financial types love to compare or \u201cbenchmark\u201d our company\u2019s performance against others.\u00a0 And by others I mean realistically understanding what business we are in, what type of business do we want to be, and what it will take to get there.Where most benchmarking falls short is that we do not compare our risk appetites and tolerances to our competitors. Most organizations, and therefore their risk and information management functions do not necessarily need to be \u201cbleeding edge\u201d but rather must position themselves to provide an appropriate level of diligence and compliance reflective of the industry in which they operate. Obtaining \u201ccomps\u201d or examples of competitors more effectively addressing risks or identifying lessons learned from competitor breaches can provide powerful support to your budgeting requests.What are the alternatives to getting this done?Business people know that there is usually more than one way to accomplish an objective. In presenting budgeting requests, as is frequently done with professional sales practices, it is helpful to present a small number of alternatives, each with different costs, savings, paybacks and risk mitigation values, allowing the decision makers to choose the option that best addresses their need (compared to not funding anything at all). Alternatively, the effort required in considering among alternatives and selecting an optimal option, can enhance the information security and risk management executive\u2019s ability to enhance the effectiveness and strength of their budgeting argument and provide a more compelling case for budget approval.\u00a0Have we explored partnering with an outside vendor who can manage this?Most information security functions are well aware of the strategic use of outsourcing (and I\u2019ll include the entire cloud and use of subcontractors ecosystem here as well).\u00a0 There are many reasons why a company may choose an outsourced solution. From a financial perspective, the budgeting process is more concerned with how the transaction will be accounted for (e.g., many financial professionals will champion an outsourcing solution as it facilitates the matching of expenses in the period in which revenue occurs). Add to that the opportunity to limit head count and to place reliance on the \u201csupposedly expertise\u201d of a \u201cthird party expert\u201d you can better understand why you need to be prepared to address this question with financial professionals.\u00a0[ ALSO ON CSO: Do these 3 things to get the security budget you want ]Can you effectively communicate the \u201chave to\u201d of the problem that you are trying to solve?No matter how good your budget proposal is or how important it may be to safeguard your organization, to get your budget approved you will need to communicate your case effectively. You will need to translate your great technology solution into something that business people can understand. By focusing on the organization\u2019s needs and communicating why your solution is necessary for the business, you should be in a better position to get that budget approved.\u00a0Financial types will approve needed budgets requests, but it is your job to ensure they understand what they are buying or investing in.