We can all agree that in even the least ‘digital’ businesses, websites, the internet and computers have become a business necessity and these days form part of the operational infrastructure of most organisations.
Unfortunately, these new ways of working for the masses drive evolution in criminal attacks and so organisations in turn need to evolve their defences. As many people in operational roles have found, however, convincing those-that-hold-the-purse-strings to invest in preventative services is often challenging.
So how do you write a compelling cyber security business case for the spend?
Planning your priorities
In order to ask for investment in security tooling and services, you need to know which ones provide you with the best bang for your buck. In order to know that, you need to do a risk assessment and threat modelling.
83% of UK businesses that suffered a cyber attack in 2022 reported the attack type as phishing. (Source: AAG)
Often considered a bureaucratic exercise, a proper information security discovery, assessment and treatment project provides a clear list of the biggest risks to the business, balanced in terms of likelihood vs impact. Why begin by implementing protective measures against a devastating attack that is only likely to occur once every 25 years, when you have a moderate to high risk likely to occur several times per year if not managed?
The risk assessment process provides valuable backing data for writing and evidencing your business case and having a third party do this provides additional weight to the findings in it.
Making your cyber security business case impactful
There are a number of elements that need to be considered when establishing a business case, but first and foremost you need to consider your audience:
▸ Keep it short
When a board of directors and/or senior management team meet, it’s an expensive meeting and proposals are given short shrift. As such, business cases need to be concise and summarise what is needed to make a decision.
▸ Keep it risky
When evaluating spend, decision-makers will typically focus on things like ROI (return on investment), benefits, profit and finally risk. Given that the clearest justification for investment in preventative measures is preventing something bad from happening, it’s generally best to focus on risk.
However, it’s important to avoid FUD (fear, uncertainty and doubt) arguments that are not backed by facts. Where possible, provide financial estimates of the impact on the business – for example:
- Recovering from a complete ransomware attack could take a minimum of 10 days. During this time the business would be unable to operate effectively, resulting in 10 days of lost revenue. An external incident response service could cost £20,000, and full recovery could require an internal IT project lasting 6 months.
- Compromised email accounts could result in customer payments being sent to a fraudulent email account. It would likely be a month or more before this was noticed. A month of lost revenue from customer invoices is £99,999.
- Compromised email accounts could be used as an attack method against customers and/or suppliers. This could result in their systems being compromised, leading to legal action with penalties in the hundreds of thousands and significant reputational damage.