We have looked at Cybersecurity business cases in the past, relating the cost of a proposed solution to the potential cost of a breach. That framework hasn’t gone away - but, there are some other pieces to consider when crafting a cybersecurity business case to truly sway CIOs and board members alike.

Today, we examine what makes up a sound business case for cybersecurity. I pay special attention to how IT stakeholders at SMBs can position such projects to senior leadership, and the particular sections that make up a truly board-worthy case. 

Start With the Basics

While there are some cyber-specific nuances I'll get to later, bringing the project, budget, and timeline to the forefront is critical for equipping decision makers with the right information. With this framework in mind, many of the details will actually be dictated by the problem you’re attempting to solve. A good place to start is by looking internally at any metrics you have been capturing cybersecurity KPIs (see our blogpost on the best/worst, as well as our Elite SMB Incident Response Guide for guidance on when and how to track potential incidents).

Quantify the Problem

Understanding the costs that organizations face from cybersecurity breaches (and compliance fines sometimes associated with them) is important for demonstrating costs saved. With that said, in examining the psychology of generalizing such figures to your company, it can be really easy to poke holes in the story - differences in data types stored or stolen; different defences in place; differences in how 'target worthy' your company seems… It becomes both convenient and easy for leaders to say “this doesn’t apply to our business”. Ensure you are using figures that are applicable to your business.

More than “Just” Breaches

CIOs must be able to articulate their argument by explaining how the solution will overcome the problem in order to generate greater results. In this example, we see that rather than describing high-profile breaches, offering common potential incidents that are more relatable to your audience (and more likely to actually occur in a small to midsize business) can be effective.  Such incidents are where you can describe how expensive this problem can be for your business. I provide some heuristics below for such costs, and also consider fines, insurance premiums, and other quantifiable values for comparison. 

Use this table to determine:

  • Is this going to stop my business from functioning
  • Will this cost prevent us delivering our product/outcome

Ransomware is a good example, because it's a common occurrence, it's digestible for senior leaders who may not have a specialized understanding of cybersecurity, and it likely applies to your business given the risk of it occuring.

Evaluating Against Best Practices

It’s important to consider your expenses by function in the IT organization, relative to your peers. See the chart below for guidance on Cybersecurity Budget Allocations. Your cybersecurity spend should represent about 5.6% of your overall IT budget (according to Gartner’s Identifying the Real Information Security Budget). Note that you can expect to spend a higher proportion on personnel as an SMB once you have made that initial cybersecurity hire, but before you have equipped them, trained them, etc. These will differ by the size and industry of your organization, but can serve as a good benchmark for your case to invest in a specific area.

Proportion
of Budget

Expense
Type

Examples

26%

Personnel

  • InfoSec Officers
  • Engineering

25%

Software

  • Anti-Virus
  • Multi-factor Authentication (MFA)

22%

Hardware

  • Firewalls
  • Intrusion Prevention System (IPS)

12%

Outsourcing

  • Managed Systems
  • Audits

9%

Consulting

  • Compliance
  • Engineering

6%

Occupancy

  • Data Center
  • Office Space


Something to note is with that personnel cost typically being higher for SMBs (not to mention the ongoing cybersecurity talent shortage), it does tend to bias your case towards outsourcing to a security partner (like an MDR, or MSSP). That’s a nice segue into three scenarios you will want to consider in your business case.

Build, Buy, or Not

Depending the case you’re making, you may want to consider these three broad options. Of course, we won’t advocate for doing nothing - but positioning your solutions relative to the cost of a breach can help further your case, especially if your stakeholders don’t understand the cybersecurity risks they’re facing. The particular breach scenario we have described here is based on the average values described above.

What you should end up with

You’re building an environment that is designed to reduce the likelihood of material damage. There are different stages for the attack, and corresponding opportunities to detect and respond to it - see the chart below. The more time that passes from infection, the greater the chance that material damage will occur. Be conscious of where you’re putting your energy/resources. Look through the data that’s coming in from your technology (or, your provider) to determine your next steps. This data can also help you quantify the problem for the business case required when presenting leaders with a decision. Generally, as long as you can keep incidents below the threshold for material damage, you will be seeing value from your security program. 


Pro tip: Your customers and partners will be expecting your business to be able to demonstrate a security posture that meets their requirements. Such requirements may be dictated by privacy or cybersecurity regulations, which we have discussed at length in previous posts. See our blogs tagged with compliance, or here for CMMC and CCPA specifically.

For more on this topic, check out our webinar recording featured on our BrightTalk Channel here, or embedded on the page below. You can also check out our Elite SMB Incident Response Guide, that will help you evaluate your existing IR capabilities. It includes tear-away templates that can help. Or, feel free to contact us - if you are ready to move to MDR, we will help you build a cybersecurity business case for your CIO, board, or other decision makers in your organization.

Augment your Incident Response Capabilities 

Top Secret Folder with the Elite SMB Incident Response Guide

Subscribe To Our Blog

New call-to-action

Let us know what you thought about this post.

Please comment below.