September 18, 2007

Last week I participated in a Cisco-sponsored round table of infosec executives and managers. Although I’m not one at the moment, I used to head security at Amazon.com. I still travel those circles as a consultant and speaker.

The topic was ways to get funding for security initiatives. How’s this for cool: one of the speakers was Tom Nicoletti, current venture capitalist and former CFO, who over the years had seen many a security purchase order cross his desk. From the sound of things he had signed precious few. After I heard him out, it was pretty clear why. Nearly made me wish I could turn the clock back to my former purchase ordering days.

Here were some of the collective takeaways:

  • First and foremost, have a crisp layman’s response to: What problem are we solving? Stutter and you might leave worse off than you entered.
  • Whatever your case may be, make sure it’s understandable with a single slide and under five minutes.
  • Speak in your company’s business dialect. “This product will help keep those freakin’ bad guys out next time” is a far cry from “This product will enable us to meet our availability objectives in the face of another revenue-denting distributed denial of service attack during peak website traffic.”
  • Speak to your initiative’s tax benefits, assuming it has R&D components that qualify.
  • Timing is crucial. Except in the most dire circumstances your initiative must be capex-friendly, something that usually oscillates on a schedule, and always correlates to stock price.
  • Never pitch the best-case results scenario. If you achieve it, great, you’ve overdelivered. Pitch two cases: likely and worst. If the worst is no better than what you have today, then by definition you don’t have an initiative.
  • Play the policy card when you really, really need to, treating it as a rare trump. “Our policy says we encrypt all company laptops. If we don’t do it now, we’ll need to downgrade the policy.” Don’t have front-and-center policies backing your initiative? Then quit writing purchase orders and start writing policies.
By Larry J. Hughes, Jr. • Articles
