With a possible recession looming (if it hasn’t already), many businesses have begun to put more scrutiny on spending — even on business-critical costs like cybersecurity. As budgets begin to tighten, security and IT leaders need to anticipate discussions with executive leaders and begin proactively preparing a formal business case for their security initiatives to secure funding for upcoming projects.
Ultimately, your business case needs to “sell security” to the management team. It’s really about building trust. Perhaps the most common mistake when building a business case for security is alarmism. While an increase in breaches and a rise in ransomware attacks may be valid data points to include, sparking fear doesn’t justify the value of cybersecurity. “If we do not make this security upgrade, we will be hacked, suffer significant losses and/or violate compliance requirements.” These are weak arguments – all they do is upset the management team, because they feel they are being cornered without understanding any tangible benefit of what is being proposed.
There are a few key tips CISOs and CIOs should keep in mind as they enter future budget cycles and begin building the business case for their security initiatives.
Teamwork makes dreams come true
Security is a team sport – the first mistake I see in the business case for security has to do with staffing needs. Stakeholder groups outside of security are often excluded from the planning stage. If you don’t involve all key support personnel early in the process, they may not be able to support the project as it is implemented, because they never had the opportunity to provide valuable input or to allocate the necessary capabilities and resources when needed.
This is especially important for IT teams. In the past, security and networking have largely operated in their own domains. But as infrastructure evolves and consolidates, security and networking are more interdependent than ever before. When building a business case, IT and security teams need to work together from the start. It also means bringing in endpoint teams, as many security projects require installing clients on endpoints, which means IT architects need to be involved to help coordinate the other teams.
Link security to overall business strategy
When writing any business case, you need to understand your audience – what they are doing right now, any problems you can help them solve, and any changes to the business that are coming up. Security goals need to keep pace with broader business goals, and with changes in the business where security can improve outcomes.
This may include mergers and acquisitions (M&A) – security should play a key role at every stage. It may include legal issues around customer privacy, expanding into new global regions, or giving strategic partners controlled access to intellectual property. Or it might include sudden changes in the company’s profit and loss (P&L) status. It might even allow for faster onboarding of new organizations, improved risk identification, or better overall integration.
Review your projects and identify where each one is strongest. Remember, the priorities are: (1) generate revenue, (2) save costs, and (3) avoid costs.
To gain insight into what executive management is broadly trying to achieve, security and cyber leaders need to regularly attend executive meetings. This strategic foundation can help you pinpoint the positive impact of security on:
- Achieve agility — A seamless user experience that enables the business to move at the speed of the market and ensures that critical decisions can be made based on the latest data.
- Control costs — Analyze the total cost of ownership (TCO) of security, maintain operational efficiency, and optimize your cloud spending.
- Manage risk — Protect critical assets, ensure stability and resiliency, and train your employees to be better digital citizens.
Security and cyber leaders should also provide regular status updates to report on current progress, educate their management teams, and set high-level resource expectations for future budget cycles. Make sure you’re not only talking about what you’re doing this year, but also about what’s going to happen next year. This feedback loop will help build alliances with management stakeholders – meet with them, understand their plans, and communicate how your plans support theirs.
Include the correct data points
Another common mistake is piling on large amounts of data that, at the end of the day, may not mean much to the audience. For example, a plethora of annualized loss expectancy (ALE) calculations can be dizzying, and they are often based on assumptions that are difficult to quantify.
Security and networking leaders need to carefully choose the metrics that matter to the business. One way to do this is to benchmark your program against what your competitors are doing. An annual assessment can help you demonstrate how your program is performing today and highlight areas where it may lag behind competitors or industry best practices.
You should also try to include “smart metrics” – numbers that link achievements to business interests. “We blocked a million phishing attempts” might sound impressive, but it’s an empty number because it lacks business context. If you instead say, “Last month, we responded to 20 incidents within 120 minutes, 5 of which were against business-critical systems,” that speaks far better to the value of security to core operations and to how quickly you can resolve issues.
Show them the money
The weakest reasons for security are cost avoidance and compliance. Without being alarmist, making a business case for governance can be particularly tricky.
“We must comply with PCI standards,” or “Our competitor was fined X amount for violating GDPR rules.” While legal and regulatory requirements may be relevant facts, they do not convey positive, measurable value to management.
But if one of your key customers is contractually requiring PCI compliance, or if the majority of your sales come from EU partners that enforce GDPR, that’s a different story. Many customers will have security requirements when doing business with your company, so your team can rightly claim responsibility for helping to earn or retain those revenues.
Perhaps the best way to demonstrate the monetary value of mitigating risk is to call it “increasing revenue” — positioning security as a function that helps bring cash into the organization rather than as a pure cost center. Once I had a budget conversation with the CEO and CFO, and I opened by saying that my team generated $800 million in revenue last year. This caught their attention. It works when you shift the conversation from security being just another cost center to security being a revenue driver.
But it’s also important to consider whether the review loop can be closed after the project is complete. A year after the budget is approved, you need to conduct a post-review to assess whether the organization is seeing the benefits of the proposed investment. If your business case overstates the value of the project, future requests may be viewed with suspicion.
Selling security in a buyer’s market
Sooner or later, every business will look at eliminating costs when reviewing its spending. For now, security should be low on the list of projects that organizations choose to cut funding for. But when every business unit is desperately trying to justify its budget footprint, you can’t assume that business leaders inherently understand the broader value of security.
An effective security business case needs to be grounded in what is important to your organization. This means you need to understand from the inside what the business is doing and how security is going to be a big driver of those goals. It requires some long-term relationship building to ensure management understands all the positive impacts your project will have on the organization – now and in the future.