Writing a Successful Cyber Security Business Case


We can all agree that in even the least ‘digital’ businesses, websites, the internet and computers have become a business necessity and these days form part of the operational infrastructure of most organisations.

Unfortunately, these new ways of working for the masses drive evolution in criminal attacks, so organisations in turn need to evolve their defences. As many people in operational roles have found, however, convincing those who hold the purse strings to invest in preventative services is often challenging.

So how do you write a compelling cyber security business case for the spend?

Planning your priorities

In order to ask for investment in security tooling and services, you need to know which ones give you the best bang for your buck. To know that, you need to carry out a risk assessment and threat modelling exercise.



Often considered a bureaucratic exercise, a proper information security discovery, assessment and treatment project provides a clear list of the biggest risks to the business, balanced in terms of likelihood vs impact. Why begin by implementing protective measures against a devastating attack that is only likely to occur once every 25 years, when you have a moderate to high risk likely to occur several times per year if not managed?

The risk assessment process provides valuable backing data for writing and evidencing your business case, and having a third party carry it out lends additional weight to its findings.

Making your cyber security business case impactful

There are a number of elements that need to be considered when establishing a business case, but first and foremost, you need to consider your audience:

Keep it short

When a board of directors and/or senior management team meet, it’s an expensive meeting and proposals are given short shrift. As such, business cases need to be concise and summarise what is needed to make a decision.

Keep it risky

When evaluating spend, decision-makers will typically focus on things like ROI (return on investment), benefits, profit and finally risk. Given that the clearest justification for investment in preventative measures is preventing something bad from happening, it’s generally best to focus on risk.

However, it’s important to avoid FUD (Fear, Uncertainty and Doubt) arguments that aren’t based on fact. Where possible, provide financial estimates of impacts on the business – for example:

  • Recovering from a complete ransomware attack could take a minimum of 10 days. During this time the business would be unable to operate effectively, resulting in 10 days of lost revenue. An external incident response service could cost £20,000, and recovery could also require an internal IT project lasting 6 months.
  • Compromised email accounts could result in customer payments being sent to a fraudulent email account. It would likely be a month or more before this was noticed. A month of lost revenue from customer invoices is £99,999.
  • Compromised email accounts could be used as an attack method against customers and/or suppliers. This could result in their systems being compromised, legal action resulting in penalties in the hundreds of thousands, and significant reputational damage.



Keep it real

It can be easy to talk about attack tools and every possible type of attack – again falling into the trap of focussing on fear. Instead, focus on the attack types most likely to target your company.

Sometimes senior leaders struggle to map sensationalised news articles about cyber attacks to their own organisations and operations, so try and give examples of how such attacks could practically play out.

Attacks such as phishing are commonplace across all sectors; however, it’s worth gathering examples and, if possible, statistics of attacks that have affected similar organisations.

Return on investment

When considering spend, the senior management team are used to looking at return on investment. This can be more challenging to demonstrate for security products, as you are typically spending to ensure the absence of something (attacks).

Provide simple examples of how the solutions you are suggesting would help prevent the attack examples you gave when describing the risks.

This gives the exec a one-to-one mapping of expense versus risk and makes the decision easier. However, it’s important to make clear that the examples you give are just a small sample, and that the solutions will likely provide protection against a much wider array of threats.

Consider compliance



Often, the solutions you are proposing will help achieve, or work towards, compliance with a standard such as ISO 27001, NIST or Cyber Essentials. In many cases, achieving these maps back to a contractual requirement from an existing or prospective customer. Include the contract value (even if estimated) that would be gained/lost for these customers should compliance not be achieved.

Additionally, it’s worth pointing out that many prospects – particularly in tenders – actually filter out suppliers that can’t demonstrate compliance with certain security standards.

Finally, compliance with some standards can demonstrably reduce risk to the business.


In summary, when considering whether to spend money on something – just like any of us – key decision makers want to see that research has been done, that there is a real, justifiable need, and that it is worth the spend in terms of value.

The senior team is busy and has to balance this spend against other areas of investment, so keep reports concise and clear, backed with evidence and data they can request should it be needed.

Written by: Bob McKay