How to Create a Solid Business Case for Cyber Security

With 39% of UK businesses reporting a security breach in the 12 months up to March 2021, cyber security isn’t something to ignore. As the world becomes increasingly technologically advanced and susceptible to security threats, CISOs need to protect their business with even more urgency.

However, trying to justify your case and achieve buy-in from the board can be a tricky task. To help you present a strong business case, we’ve identified the key steps to follow and the financial analysis to undertake to ensure you get that all-important budget sign-off.

• Run an Audit and Identify Risks

• Set Expectations

• Identify the Costs of a Cyber Attack

• Calculating Return on Investment (ROI)

• Identify Areas to Invest In

• Presenting Your Business Case

Run an Audit and Identify Risks

Finding out how cyber security impacts your business is a key starting point for building your business case. The first step in doing this is to conduct an audit that identifies what you’re currently doing, any vulnerabilities your company may have and what the result of those risks could potentially be. 

Identify your strong points, weaknesses, who has access, who might be trying to access and take factors such as change of location or remote working into account. All of these points can paint a picture of how likely a security breach is and why you need the security procedures in place to mitigate the risk.

Audits and risk assessments can take up time, with only 34% of UK businesses undertaking cyber security risk assessments — but they’re essential to providing the context behind the decision to invest in cyber security.

Not only does it help formulate a compelling business case to present to the board, but it also shows to your customers, partners and peers that you’ve taken the necessary steps to protect your organisation and their information.

Set Expectations

It can be difficult to get senior team members to invest in cyber security. Unlike a product or service, cyber security isn’t something that’s going to yield a direct ROI. It will, however, save you money in the long run by protecting you against a potentially damaging breach, becoming the basis of any good security investment argument.

There are many costs, both tangible and intangible, that can arise as the result of a security breach — we’ll go into these in more detail below.

Identify the Costs of a Cyber Attack

The financial cost of a cyber attack is perhaps the most obvious, but intangible costs can be just as significant. Damage to your reputation and loss of trust with employees can be detrimental to your company — businesses reported up to a 50% decrease in productivity following a breach.

Conducting a cost-benefit analysis should strengthen your case to the board. In most cases, a security breach is more expensive than the cost of preventing a cyber threat, showing it’s well worth the investment rather than allocating the budget elsewhere.

Calculating Return on Investment (ROI)

Return on investment (ROI) can help you strengthen your case even further. Calculating and presenting your cyber security ROI translates your case into a quick, numerical figure for the board to digest.

However, be wary that the ROI figure will still need justification. Simply presenting ROI can cut out a lot of the context necessary to justify your argument, such as why it’s crucial and the risks it may pose.

To find out more about calculating the ROI of cyber security, we have all the information you need here.

Identify Areas to Invest In

Your audit should have identified any key risks and their size, how imminent they are and how likely it is that they may occur. 

After identifying these areas, focus on any specific zones that need the investment. This will show the board how you are going to allocate the budget and how it will benefit the business as a whole.

Some key areas to consider would be data security, operational security, network security, system security and physical security.

Presenting Your Business Case

You’ve conducted your analysis, identified risks, attributed costs, determined ROI and outlined areas for investment — now it’s time to present your case to the board. Focus on the figures and provide the context to back them up and help the board make their decision.

Nobody is immune to a cyber attack, with big players such as Google and LinkedIn being targeted in the past. With IBM’s Cost of a Data Breach Report 2021 identifying the average cost of a breach at $4.24 million, it comes as no surprise that 77% of businesses say cyber security is a high priority for their directors and senior managers. 

By focusing on the key areas we’ve discussed and supported with financial figures, you’ll be on track to presenting a strong business case that will receive buy-in from the board.

Need Help With Creating Your Cyber Security Business Case?

Then you’ve come to the right place. Our guide has all the information you need to determine security ROI, maximise ROI and build a business case to present to the board. Download now to find out more about information security investment.