Doing security well can be a thankless job. But following these four tips will get you the recognition - and the budget - you deserve for keeping the corporate network safe. Get a dialogue going Make security a service Do the math Show return on investment The payoff More Personal Power articles Power line timeline The bracket game It\u2019s a well-known fact: Network\u00a0security is a thankless job where success breeds anonymity. The more successful you are, the fewer incidents you have to report and the fewer opportunities you have to interact with upper management and gain respect from the business side of the house.Plus, perfect performance is the expectation, says Mike Phillips, CIO and vice president of IT at Texas Tech University Health Sciences Center in Lubbock. "Security has risen to virtually an entitlement with folks, and they don\u2019t necessarily appreciate or concern themselves with what goes on behind the walls to make it happen," he says. "It\u2019s not an area where success leads to respect."However, success quickly can lead to failure. Lack of awareness means difficulties funding critical security projects and, eventually, problems keeping the company secure. It\u2019s a vicious cycle, but one you can break by taking a few simple steps to keep yourself and your organization\u2019s security needs uppermost in top management\u2019s minds.1. Get a dialogue going."It follows that if upper management hasn\u2019t heard from you and has no idea what you do, it\u2019ll tend to resist giving you more money to do it," says Steve Crutchley, founder of 4Front Security, a consulting firm.Users agree. "You need to develop a collaborative relationship with the business side," Phillips says. "Tell what you\u2019re doing, and more importantly, ask how you can help them help the business."Brian McEvoy, systems organization manager for PLM Solutions, an EDS line of business in Cypress, Calif., has put procedures in place to do just that. "I meet with key users in sales and development if we\u2019re contemplating a security change," he says. "I tell them what I\u2019m planning and ask their advice. They communicate with their downstream people, get the feedback, and we discuss it and make it happen."This process worked well when the\u00a0Bugbear \u00a0virus appeared in the fall, McEvoy says.To combat Bugbear, McEvoy wanted to push out Microsoft Internet Explorer 6 to everyone. But upon contacting his advisers on the business side, one came back immediately and said Internet Explorer 6 presented a problem because the company was using a product that had not been certified for that version of the browser. "They asked us to hang on until they got it certified. Those guys scrambled, got it certified within two days, and then we did [the upgrade]," he says. "They appreciated the heads-up, I appreciated the feedback, and we avoided some problems."2. Make security a service.Crutchley says management tends to view security as "a grudge spend," something it has to pay for without really understanding why. Security professionals sometimes underscore this perception by issuing edicts and policies without fully explaining the need or the business impact. "Some security guys just sit in their ivory towers and dictate policy and direction for the organization," Phillips agrees. "That doesn\u2019t work. Organizations are built on trust and credibility, and security is no different."Business has to view security as a service, just like human resources or accounting, McEvoy says. "We\u2019ve worked hard over the years to project that image. Rather than coming in as Big Brother, we come in and explain, \u2018You\u2019re going to get hurt if your machine is infected, and you\u2019re going to be embarrassed. So here are some tools we can give you to protect yourself.\u2019 Once they see you as a partner, it works out," he says.3. Do the math.Security professionals need to set needs and expectations in terms that business users understand, McEvoy adds. This means analyzing risk and return, not just in technical terms, but in dollars and cents."We sit down together with the bean counters and assess risk," he says. "Say it\u2019s going to cost us $200,000 to get this security product in place. We weigh that cost against the risk and make the decision based on both financial and technical risk. It\u2019s simple math. Here are the risks, here is the probability, multiply one by the other and you come up with a number. There\u2019s no arguing with that."4. Show return on investment.Management also has to be able to see what it\u2019s paying for, McEvoy says. A good way is with executive-level reports, many of which security tools generate."We send weekly reports to upper management to let them know that over the past week, we\u2019ve blocked so many viruses or stopped so many intrusions," he says. "It makes security more concrete and shows them exactly where all that money has gone."It also shows that all has not been quiet on the security front just because no disasters have occurred. "On the contrary, it underscores the fact that we haven\u2019t had to waste money or lose productivity," McEvoy adds.The payoffBecause he\u2019s followed these steps, McEvoy says he seldom faces resistance to security spending and gets respect from his business peers and top managers."I\u2019m putting in a request now for maintenance payments on one of our security products," he says. "I anticipate gasps and gulps, but I don\u2019t anticipate not getting it pushed through because we have a track record to show what it\u2019s doing. They know their money isn\u2019t just going into a black hole."