Writing a Successful Cyber Security Business Case

We can all agree that in even the least ‘digital’ businesses, websites, the internet and computers have become a business necessity and these days form part of the operational infrastructure of most organisations.

Unfortunately, these new ways of working for the masses drive evolution in criminal attacks and so organisations in turn need to evolve their defences. As many people in operational roles have found, however, convincing those-that-hold-the-purse-strings to invest in preventative services is often challenging.

So how do you write a compelling cyber security business case for the spend?

Planning your priorities

In order to ask for investment in security tooling and services, you need to know which ones provide you with the best bang for your buck. In order to know that, you need to do a risk assessment and threat modelling.

The risk assessment process provides valuable backing data for writing and evidencing your business case and having a third party do this provides additional weight to the findings in it.

Making your cyber security business case impactful

There are a number of elements that need to be considered when establishing a business case, but first and foremost; you need to consider your audience:

▸ Keep it short

When a board of directors and/or senior management team meet, it’s an expensive meeting and proposals are given short shrift. As such, business cases need to be concise and summarise what is needed to make a decision.

▸ Keep it risky

When evaluating spend, decision-makers will typically focus on things like ROI (return on investment), benefits, profit and finally risk. Given that the clearest justification for investment in preventative measures is preventing something bad from happening, it’s generally best to focus on risk.

However, it’s important to avoid non-fact-based FUD arguments (Fear, Uncertainty and Doubt). Where possible, provide financial estimates of impacts on the business – for example:

• Recovering from a complete ransomware attack could take a minimum of 10 days. During this time the business would be unable to operate effectively, resulting in 10 days of lost revenue. An external incident response service could cost £20,000 and an internal IT project lasting 6 months.
• Compromised email accounts could result in customer payments being sent to a fraudulent email account. It would likely be a month or more before this was noticed. A month of lost revenue from customer invoices is £99,999.
• Compromised email accounts could be used as an attack method against customers and/or suppliers. This could result in their systems being compromised and legal action resulting in penalties in hundreds of thousands and significant reputational damage.

▸ Keep it real

It can be easy to talk about attack tools and all possible types of attack – again falling into the trap of focussing on fear. Instead, focus on the attack types most likely to target your company.

Sometimes senior leaders struggle to map sensationalised news articles about cyber attacks to their own organisations and operations, so try and give examples of how such attacks could practically play out.

For all organisations, attacks such as phishing are commonplace across all sectors, however, it’s worth gathering examples and if possible, statistics of attacks that have affected similar organisations.

Return on investment

When considering spend, the senior management team are used to considering a return on investment. This can be more challenging to demonstrate for security products, as you are typically spending to ensure the absence of something (attacks).

Provide simple examples of how the solutions you are suggesting would help prevent the attack examples you gave when describing the risks.

This provides the exec with a one-to-one mapping of expense-vs-risk and makes the decision easier. However, it’s important to make it clear that the examples you give are just a small sample and the solutions will likely provide protection against a much wider array of threats.

▸ Consider compliance

Additionally, it’s worth pointing out that many prospects – particularly in tenders – actually filter-out suppliers that can’t demonstrate compliance with certain security standards.

Finally, compliance with some standards can demonstrably reduce risk to the business.

Summary

In summary, when considering whether to spend money on something – just like any of us – key decision makers want to see that research has been done, there is a real justifiable need and it is worth the spend in terms of value.

The senior team is busy and has to balance this spend against other areas of investment, so keep reports concise and clear, backed with evidence and data they can request should it be needed.