With headlines abounding about cyber incidents and their impacts, the case for cybersecurity investment is getting more air time. Cybersecurity Ventures predicts cybercrime will cost the world $10.5 trillion annually by 2025 (in country terms, effectively making cybercrime one of the world’s largest economies). However, making the business case for cybersecurity investment, and investing in the right way, remains a significant challenge.
To overcome this challenge, you must speak the language of the board, focus on solving business problems and draw on the vulnerabilities of your business to make the case real to the organisation, all while ensuring the investment is optimised and delivers an effective return to the business. This in turn ensures cybersecurity is a priority for the board rather than an annual checkmark.
Getting to and Speaking the Language of the Board
Cybersecurity discussions often involve complex technical language that can alienate non-technical stakeholders. This issue is compounded by the limited cybersecurity expertise on boards (the Diligent and NightDragon State of Board of Directors Cyber Awareness Report states that only 12% of S&P 500 companies have security expertise on their boards). Furthermore, other studies suggest that few boards see eye to eye with their CISO, and most believe that their organisation is at risk of a material cyber incident.
Paradoxically, this disengagement and lack of awareness might have triggered excessive spending, with Gartner previously suggesting that “many security teams have over invested in a plethora of tools”. This overspending on ineffective software exacerbates the perception that cybersecurity investments don’t yield business results, limiting funds for truly effective investments.
So, to make a persuasive business case, the science part of the business case (see https://templeavenuegroup.com/the-art-and-science-of-a-business-case-a-harmonious-union-for-success/) must be translated into business metrics, and the art of the business case needs considerable attention to ensure a compelling case for change is forged.
So where to start?
Go back to business case basics. For any organisation, business cases are about delivering benefits: going beyond the output and beyond the outcome to ensure a tangible return on the investment. A cybersecurity example could be:
Output: The implementation of an Advanced Threat Detection System
Outcome: Reduced time to detect and mitigate cyber threats
Benefit: Enhanced data protection and cost savings. Then quantify those benefits, e.g.
- An estimated reduction of £x in costs associated with data theft, legal repercussions and damage to the organisation’s reputation.
- Cost avoidance of £x through the ability to maintain compliance with data protection regulations, avoiding fines and legal penalties.
- Increased revenue of £y through enhanced reputation.
Now, your examples may look rather different to these, but the point is to review the benefits from a business perspective.
To tailor this to your organisation, consider the likelihood of an incident and the impact on your operations if an incident occurred. Would the reputational damage prohibit your organisation’s ability to trade? What would the revenue impact be of the systems being offline for 4 weeks?
The key here is to ground this information in data relatable to the organisation and the level of risk it is willing to accept, rather than in blanket statements.
Consider the following
In the above example we began to draw out some of the ways to position your business case. Below we consider these in turn.
1. Risk Mitigation, Financial Compliance and Brand Resilience
Risk Management: Boards understand the need for insurance to mitigate business risk; cybersecurity is a vital insurance policy for your digital assets and, as a consequence, your broader organisation. However, ensure the ‘insurance’ is proportionate to the level of risk.
Financial Implications: Clearly articulate the potential financial implications of a cyber incident. Discuss the cost of downtime, regulatory fines, and the impact on reputation. Use real-world examples to underscore the damage that can be done.
Compliance and Legal Obligations: Highlight the legal and regulatory obligations, making it clear that non-compliance can result in significant penalties and legal consequences. Is your business aware of all regulatory obligations in all jurisdictions that it supports?
Impact on the Brand: Emphasise the direct correlation between a cybersecurity breach and a tarnished brand reputation. Boards understand that brand equity is priceless. Again, the key here is to position in relative terms for your organisation.
2. Focus on Business Problems
To gain the board’s attention and support, focus on how cybersecurity investment directly addresses critical business issues:
Protecting Intellectual Property: Intellectual property is often a company’s most valuable asset. Explain how cybersecurity safeguards proprietary information from theft or espionage.
Ensuring Business Continuity and Customer Trust: Cyberattacks can disrupt operations, leading to financial losses, lost bids, reputational damage and harm to long-term growth. This impact on operations is often underplayed. Present cybersecurity measures as a means to ensure continuous service delivery.
Regulatory Compliance: Highlight the cybersecurity standards and regulations relevant to your industry and the jurisdictions you serve – not necessarily those you operate within. In addition, what are the potential obligations on board members? This will elevate compliance from a tick-box exercise to a fundamental aspect of risk management.
3. Leveraging Organisational Vulnerabilities
To make the business case tangible, draw from the organisation’s vulnerabilities:
Threat Assessment: Conduct a threat assessment specific to your industry and organisation. Show the board the evolving nature of threats and the likelihood of an attack.
Cybersecurity Gaps: Identify existing gaps in your organisation’s cybersecurity posture. Clearly outline how these vulnerabilities can be exploited and agree on the acceptable level of risk for your organisation.
Scenario-Based Approach: Paint scenarios that depict the potential impact of a successful cyberattack. Use these scenarios to illustrate the real-world consequences.
Benchmarking: Compare your organisation’s cybersecurity posture with industry benchmarks. Highlight areas where you fall short and the implications of not closing those gaps.
4. Maintaining Good Business Order
Cyber Incident Management Response Plan: Prepare your organisation for a considered and coordinated approach with a competent response and communications plan. Test this plan with members of the board to mimic a real-life scenario. Tie this plan into broader planning for Disaster Recovery and Business Continuity.
Guiding Principles of Business Cases: Adhere to good business case practice. Don’t over-index on a solution (a more prevalent problem for cybersecurity, as few would understand the solutions); instead, outline what the solution is there to fix and clearly articulate the benefits. State the problem or opportunity clearly and build a persuasive case for change.
Effective Procurement: Lastly, following good business case practices also extends to procurement. Ensure you select the right tools that align with your organisation’s specific needs and security requirements. This not only enhances your cybersecurity posture but also demonstrates to the board that these investments drive value.
For more guidance on developing your business case, cybersecurity investments, or your incident management response plan, reach out to us at consult@templeavenuegroup.com.