Breaking things is fun. Getting paid to break things is even more fun, that's why many of us are in information security. What about the other 95% of us that work in Corporate environments where we need to defend against attacks, manipulating the never-before discussed "phantom" layers of the OSI model? Layers 8 & 9 of the OSI model, Management & Budget, are rarely discussed but are of primary importance if you're hoping to achieve any sort of success in information security, and specifically driving a software security assurance (SSA) program. This talk will delve into the difficult side of information security - how to make measurable security gains understanding and manipulating corporate politics, then attaining and managing budget. It's possible to make a business case and get things done in the corporate world - you just have to know how.