Building A Business Case For Cybersecurity Investment
In 2021, working in SecOps or IT security makes investing in cybersecurity a no-brainer. However, it is not always easy to get this thinking and the necessary budget approved by stakeholders.
While business leaders see the importance of data security and the overarching risks, building a clear business case for cybersecurity investment that speaks in their language and aligns with the company’s values and targets is the key to getting their attention and sign off.
In this article, we break down what is needed in a business case, including the scope, financials and steps needed before compiling the case.
The business case – non-negotiable points
Within a business case for cybersecurity investment, some non-negotiable main points need to be included. These are:
- The Current Situation
- The Scope
- The Project Overview
- The Financial Overview
- Immediate Next Steps
Each element is critical in setting the scene and serving as a reminder of the ROI that will inevitably come from investing in cybersecurity.
Context is key – current cybersecurity and hacking landscape
As with most things, context is key, which is why running a full cybersecurity audit is the first step. In this, you can highlight the areas of existing vulnerability and risk and show how exposure can easily lead to an attack. It’s useful to bear in mind here that cybersecurity is not only protecting from the outside but ensuring that the systems have no potential leaks stemming from the inside, such as lax access measures to sensitive data.
Next up, include educational pieces as to why cybersecurity needs a business case in the first place, and the consequences to the business, if the investment isn’t made.
Understanding why hackers hack is key to this. Data is king today, and since the pandemic further expedited global online activity, hacking is now an even bigger business. A hacker’s intent is often based on the type of data you hold and can include:
- Denial of Service (DoS)
With all the above in mind, consider the consequences of a cyber-attack on your business. This may include:
- Loss of intellectual property and other sensitive data
- Product quality and customer service issues
- Interruption/loss of production capacity
- Economic loss
- Societal impact
- Loss of public confidence from investors, customers, and employees
- Impact on national security
- Violation of compliance standards and regulatory requirements
For example, how would a $100 000 fine for a compliance breach, a diversion of resources from product development into the reactive fix, and customer sales to customer reassurance and compensation affect the projected bottom line?
Some of the world’s biggest brands – with some of the world’s biggest budgets – have been hit. The risk is very real, meaning it is not a case of if your business will get hacked, but when.
Looking at your business and the teams within it, it is useful and reassuring to identify where help towards greater cybersecurity is already available. If there is a capability within the existing IT department, acknowledge your current strengths, and explain what other resources or tools are needed and why.
Setting realistic expectations on the limitations and successes using examples and context in your current setup is critical. Straying too far away from your business makes technical terms and cybersecurity risks feel unrealistic and irrelevant with grand promises that are impossible to keep. So keeping expectations achievable and relatable to your audience is key.
What does cybersecurity investment look like?
As the needs have been laid out, be equally clear about what cybersecurity investment looks like. We use IT, computers, and the internet every day, meaning the investment gains aren’t limited but rather continuous. The Project Scope reiterates how investment enables prevention and effective responses to inevitable attacks.
Categorize benefits into:
- Tangible benefits, e.g., having a defined cyber strategy and a business continuity plan which has clear outcomes.
- Intangible benefits, e.g., de-risking the IT strategy by blending in-house resources with external expertise.
The project overview summarizes the goals, objectives, outcomes, and key milestones and shows how project performance will be measured. Clarity and staying concise are paramount here.
A few must-haves to include:
- A schedule showing assigned roles and responsibilities, contingency, and governance.
- How the project will be managed on a weekly basis.
- The tools and plans used to ensure efficient work and clear communication.
- How stakeholders will be informed of progress.
As with any project, interruptions can happen. Outline these along with their impact on timelines to show forethought around readjustments that still allow for the same results. Some factors to consider:
- Cost overrun
- Conflicting projects
- Shifting priorities
- Economic downturn
Providing a table, like the one below, displaying options and the cost-benefit analysis is a great, straightforward visual to put the project into a real money-benefit context.
|Build in-house Investment||Hybrid approach Investment||Outsource Investment|
|In-house Managed SOC – 24/7, 365 days per year||Weekend and out of hours cover||Fully Outsourced
Managed SOC – 365 days per year
|Operating expense||2x Shift Leaders||1x Shift Leaders||N/A|
|Operating expense||2x Senior Consultants||2x Senior Consultants||N/A|
|Operating expense||2x Junior Consultants||1x Junior Consultants||N/A|
|SIEM Platform||$20 500 per annum||$20 500 per annum||No cost|
|Equipment||6x Laptops||4x Laptops||No cost|
|Training||6x Training||4x Training||No cost|
|Onboarding Staff||6x Onboarding||4x Onboarding||No cost|
|Total Cost||5x Cost||3x Cost||1x Cost|
|* The table is based on the average industry cost of $68 000 for a cloud-based Security Operations Centre in an organisation with 200 employees.|
Additionally, while giving a cost figure from the project plan, include the following to justify it:
- How the benefits will be realized
- ROI for each service implemented
- Measurable aspects: e.g., improved recovery time, reduced time spent on reactive security actions
Show the ROI by comparing the full-time equivalent (FTE) costs versus software systems and services costs. Other indirect costs of FTE activities should also be included, such as:
- Activities related to compliance and regulatory requirements
- Partnership management with third-party security vendors
- Reduction in cyber insurance costs
Typical savings are usually in their $100 000’s for organizations of all sizes but show what your business will save.
Lastly, as cybersecurity is an ongoing project, future maintenance costs should not be shied away from. Present these in side-by-side tables of existing and future costs – again, savings here are typically in their $100,000s.
Final words and quick wins
You’ve made clear the need to improve your cybersecurity posture and shown gaps that are putting the company at risk. You’ve demonstrated what a cybersecurity investment would look like, including the benefits, weekly schedule and financial options.
To end, put forward the recommended option re-emphasizing how this best aligns with the business’ strategy and contributes to greater revenue generation (more product development) and customer service and confidence (from investors, customers, and employees). Alongside this, determine the next steps to make the decision process as simple as possible. This could look like this:
- Confirm approach
- Confirm budget approval process and timeline
- Final sign off and official start
Finally, include the quick wins that can be implemented while decisions are being made. Things such as leading cybersecurity awareness workshops and implementing multi-factor authentication and automated backup-and-restore functionality work towards greater cybersecurity efforts.
So, stay clear, concise and keep returning to the benefits – because, as you know, there are many!
Disclaimer Insights and press releases are provided for historical purposes only. The information contained in each is accurate only as of the date material was originally published.