For security professionals, or any management professional for that matter, the key to managing limited resources is to focus on the key risks. Sound governance, risk and compliance practices are an effective way to manage limited information security resources - they may even lead to more resources!
The need for improved risk management focus, among other things, is changing the CISO role. The CISO role is transitioning beyond primarily a technical focus to include skill-sets related to business strategy integration and risk management principles. With these skills, CISO's are being asked to facilitate business solutions balancing the needs of securing information with the business needs for information access and convenience to achieve business objectives. That's not to say that IT and Information Security professionals have not been practicing risk management. Rather, I think the challenge has been translating those technology and security risks into understandable business impacts that can drive the resource discussion and enable the CISO to play a more integrated role with corporate and line of business executives in strategic business decisions. To facilitate resource discussions, CISO's can rely on several fundamental elements.
First, for those organizations practicing ERM (enterprise risk management), use the existing risk framework to develop or refine IT risk assessment processes – are these processes using the same scoring and rating methodologies as the rest of the organization? Same taxonomy? Basically, use the risk language of the organization to convey IT or security risks in terms of business impact without too much "techno-speak." Focus is on identifying critical security gaps, mitigation activities and resource needs to address gaps. This enables all involved to determine which risks to accept, avoid or resolve, etc.
Second, develop a corporate risk profile for enterprise security. This profile would clearly outline for directors, executive management, regulators, etc. what the organization looks like, the playing-field if you will, as it relates to the organization's use of information assets, where located, access methods, etc. along with the key risks, available resources and top security initiatives to support the risk profile. Be sure to include reference to use of third-party technology providers supporting the organization and whether possession of customer data.
Third, enterprise-level security metrics (key performance or risk indicators) are crucial to the resource discussion. There are any number of metrics available for IT and information security. The main focus is to reduce to a handful of enterprise level metrics that give clear indication as to the effectiveness and efficiency of the security program. For example, comparing your information security budget as a percentage of the IT budget with industry benchmarks and/or peer data and further referencing key metrics around vulnerability management can certainly focus attention on the appropriate resources needed to address risks.
Finally, determine the maturity level of your security organization. If not following one of the security frameworks (ISO, COBIT, etc.) and even the most fundamental of "blocking & tackling" activities associated with effective security management are a challenge, then it may not be a good use of time or effort pursuing complex initiatives requiring significant investment or resource capabilities.