Strengthening Your Business: Making the Business Case for Cybersecurity Investment

With the headlines abounding about cyber incidents and their impacts, the case for cybersecurity investment is achieving more air time. Cybersecurity Ventures predicts cybercrime will cost the world $10.5 trillion annually by 2025 (in country terms effectively marking cybercrime as one of the world’s largest economies). However, making the business case for cybersecurity investment, and investing in the right way remains a significant challenge.

To overcome this challenge, you must speak the language of the board, focus on solving business problems and draw on your organisation's own vulnerabilities to make the case real. All the while, ensure the investment is optimised and delivers an effective return to the business. This in turn ensures cybersecurity is a priority for the board and more than an annual checkmark.

Getting to and Speaking the Language of the Board

Cybersecurity discussions often involve complex technical language that can alienate non-technical stakeholders. This issue is compounded by the limited cybersecurity expertise on boards (the Diligent and NightDragon State of Board of Directors Cyber Awareness Report states that only 12% of S&P 500 companies have security expertise on their boards). Furthermore, other studies suggest that few boards see eye to eye with their CISO, and most believe that their organisation is at risk of a material cyber incident.

Paradoxically, this disengagement and lack of awareness may have triggered excessive spending, with Gartner previously suggesting that “many security teams have over invested in a plethora of tools”. This overspending on ineffective software exacerbates the perception that cybersecurity investments don’t yield business results, limiting funds for truly effective investments.

So, to make a persuasive business case, the Science part of the business case (see The Art and Science of a Business Case) must be translated into business metrics, and the Art of the business case needs considerable attention to ensure a compelling case for change is forged.

So where to start?

Go back to business case basics. For any organisation, business cases are about delivering benefits: that means looking beyond the output and beyond the outcome to the tangible return on the investment. A cybersecurity example could be:

Output: The implementation of an Advanced Threat Detection System

Outcome: Reduced time to detect and mitigate cyber threats

Benefit: Enhanced data protection and cost savings.

Then quantify those benefits, e.g.

  1. An estimated reduction of £x in losses associated with data theft, legal repercussions and damage to the organisation’s reputation.
  2. Cost avoidance of £x through the ability to maintain compliance with data protection regulations, avoiding fines and legal penalties.
  3. Increased revenue of £y through enhanced reputation.

Now, your examples may look rather different to these, but the point is to review the benefits from a business perspective.

To tailor this to your organisation, consider the likelihood of an incident and the impact on your operations if one occurred. Would the reputational damage prevent your organisation from trading? What would the revenue impact be of the systems being offline for 4 weeks?

The key here is to ground this information in data relatable to the organisation and the level of risk it is willing to accept, rather than in blanket statements.
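To make the quantification above concrete, here is an added example (not from the article) that models expected annual loss per scenario, applies a control's likelihood and impact reductions, and checks the residual loss against the board's risk appetite; all scenario probabilities, impacts, the control cost and the appetite figure are constructed placeholders.

```python
# Added example: expected-annual-loss model for the benefit side of a cybersecurity business case.
# All figures are constructed placeholders, not data from the article.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: float  # probability the scenario occurs in a given year
    impact: float      # financial loss (GBP) if it does occur

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: dict  # scenario name -> fraction of likelihood removed
    impact_reduction: dict      # scenario name -> fraction of impact removed

def expected_annual_loss(scenarios) -> float:
    # Sum of likelihood x impact across scenarios: the 'science' figure for the board.
    return round(sum(s.likelihood * s.impact for s in scenarios), 2)

def residual_scenarios(scenarios, control):
    # The same scenarios with the control's reductions applied.
    return [replace(s, likelihood=s.likelihood * (1 - control.likelihood_reduction.get(s.name, 0.0)),
                    impact=s.impact * (1 - control.impact_reduction.get(s.name, 0.0)))
            for s in scenarios]

def business_case(scenarios, control, risk_appetite: float) -> dict:
    # Benefit, net benefit, return on security investment (ROSI) and appetite check.
    baseline = expected_annual_loss(scenarios)
    residual = expected_annual_loss(residual_scenarios(scenarios, control))
    benefit = round(baseline - residual, 2)
    net = round(benefit - control.annual_cost, 2)
    return {"baseline_eal": baseline, "residual_eal": residual, "benefit": benefit,
            "net_benefit": net, "rosi": round(net / control.annual_cost, 2),
            "within_appetite": residual <= risk_appetite}

# Constructed inputs: three loss scenarios and the detection system from the article's example.
WEEKLY_REVENUE = 600_000
SCENARIOS = [Scenario("data theft", 0.20, 1_500_000),
             Scenario("regulatory fine", 0.10, 800_000),
             Scenario("4-week outage", 0.05, 4 * WEEKLY_REVENUE)]  # revenue lost while offline
CONTROL = Control("Advanced Threat Detection System", 150_000,
                  {"data theft": 0.5, "regulatory fine": 0.5, "4-week outage": 0.6},
                  {"data theft": 0.3})
RISK_APPETITE = 250_000  # maximum expected annual loss the board will accept (constructed)

if __name__ == "__main__":
    for key, value in business_case(SCENARIOS, CONTROL, RISK_APPETITE).items():
        print(f"{key}: {value}")
```

With these placeholder figures the baseline expected loss exceeds the stated appetite while the residual loss sits within it, which is the comparison a board can act on.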

Consider the following

In the above example we began to draw out some of the ways to position your business case. Below we consider these in turn.

1. Risk Mitigation, Financial Compliance and Brand Resilience

Risk Management: Boards understand the need for insurance to mitigate business risk; cybersecurity is a vital insurance policy for your digital assets and, as a consequence, your broader organisation. However, ensure the ‘insurance’ is relatable to the level of risk.

Financial Implications: Clearly articulate the potential financial implications of a cyber incident. Discuss the cost of downtime, regulatory fines, and the impact on reputation. Use real-world examples to underscore the damage that can be done.

Compliance and Legal Obligations: Highlight the legal and regulatory obligations, making it clear that non-compliance can result in significant penalties and legal consequences. Is your business aware of all regulatory obligations in all jurisdictions that it supports?

Impact on the Brand: Emphasise the direct correlation between a cybersecurity breach and a tarnished brand reputation. Boards understand that brand equity is priceless. Again, the key here is to position in relative terms for your organisation.

2. Focus on Business Problems

To gain the board’s attention and support, focus on how cybersecurity investment directly addresses critical business issues:

Protecting Intellectual Property: Intellectual property is often a company’s most valuable asset. Explain how cybersecurity safeguards proprietary information from theft or espionage.

Ensuring Business Continuity and Customer Trust: Cyberattacks can disrupt operations, leading to financial losses, lost bids, reputational damage and harm to long-term growth. This impact on operations is often underplayed. Present cybersecurity measures as a means to ensure continuous service delivery.

Regulatory Compliance: Highlight the cybersecurity standards and regulations relevant to your industry and the jurisdictions you serve, not only those you operate within. In addition, what are the potential obligations on board members? This will elevate compliance from a tick-box exercise to a fundamental aspect of risk management.

3. Leveraging Organisational Vulnerabilities

To make the business case tangible, draw from the organisation’s vulnerabilities:

Threat Assessment: Conduct a threat assessment specific to your industry and organisation. Show the board the evolving nature of threats and the likelihood of an attack.

Cybersecurity Gaps: Identify existing gaps in your organisation’s cybersecurity posture. Clearly outline how these vulnerabilities can be exploited and agree the acceptable level of risk for your organisation.

Scenario-Based Approach: Paint scenarios that depict the potential impact of a successful cyberattack. Use these scenarios to illustrate the real-world consequences.

Benchmarking: Compare your organisation’s cybersecurity posture with industry benchmarks. Highlight areas where you fall short and the implications of not closing those gaps.

4. Maintaining Good Business Order

Cyber Incident Management Response Plan: Prepare your organisation for a considered and coordinated approach with a competent response and communications plan. Test this plan with members of the board to mimic a real-life scenario. Tie this plan into broader planning for Disaster Recovery and Business Continuity.

Guiding Principles of Business Cases: Adhere to good business case practice. Don’t over-index on a solution (a more prevalent problem for cybersecurity, as few would understand the solutions); instead, outline what the solution is there to fix and clearly articulate the benefits. State the problem or opportunity clearly and build a persuasive case for change.

Effective Procurement: Lastly, following good business case practices also extends to procurement. Ensure you select the right tools that align with your organisation’s specific needs and security requirements. This not only enhances your cybersecurity posture but also demonstrates to the board that these investments drive value.

For more guidance on developing your business case, cybersecurity investments, or your incident management response plan, reach out to us at
