Making a business case for security in a world of tightening budgets
With talk of a possible recession approaching (if one isn’t already upon us), many businesses are already applying a higher level of scrutiny to spending—even for business-critical costs like cybersecurity. As budgets begin to tighten, security and IT leaders need to anticipate discussions with executive leaders and start proactively preparing a formal business case for their security program to ensure funding for upcoming projects.
Ultimately, your business case needs to “sell security” to the management team. This is really all about building trust. Maybe the most common mistake in building security business cases is the use of alarmism. While the rising numbers of breaches and growth of ransomware attacks may be valid data points to include, stoking fear doesn’t demonstrate the value of cybersecurity. “If we don’t do this security upgrade, we’re going to get hacked, sustain major losses, and/or violate compliance requirements”. These are weak arguments—and all they tend to do is upset the management team because they feel like they’re backed into a corner without understanding any of the tangible benefits of what’s being proposed.
CISOs and CIOs should keep a few key tips in mind as they head into future budgeting cycles and start to build out business cases for their security programs.
Teamwork makes the dream work
Security is a team sport—and one of the first mistakes I see with security business cases has to do with human resource requirements. Participating groups outside of security are often left out of the planning phase. If you don’t involve all the key supporting players early in the process, they may not be able to support the project at the time of implementation because they haven’t been given the chance to provide valuable input or allocate the requisite capacity and resources when needed.
This is especially important when it comes to the IT team. In the past, security and networking largely worked in their own domains. But as infrastructures have evolved and consolidated, there are more interdependencies between security and networking than ever before. IT teams and security teams need to work together from early on when building a business case. This also means bringing in the endpoint team, as many security teams will need a client installed on the endpoint, which means the IT Architect will need to be involved to help orchestrate the other teams.
Connect security to the overarching business strategy
When writing any business case, you need to know your audience—what they’re working on now, any potential problems you can help them solve, and any potential changes to the business on the horizon. Security objectives need to be synchronized with the broader goals of the business as well as important changes where security can improve outcomes.
This might include mergers and acquisitions (M&As)—where security should play a critical role at every stage. It might include legal issues around customer privacy, expanding into a new global region, or giving a strategic partner controlled access to intellectual property. Or it might include sudden changes to the company’s profit and loss (P&L) status. It might even allow for quicker enablement of new organizations, improved risk identification, or better overall integration.
Review your project and decide on the most powerful benefits. Remember that the order of priority is: (1) generation of revenue, (2) cost savings, and (3) cost avoidance.
To gain that sort of inside understanding of what executive management is broadly trying to achieve, security and network leaders need to regularly attend executive staff meetings. That strategic grounding can help you point to the positive impact security has on:
- Enabling agility—a seamless user experience, enabling the business to move at the speed of the market, and ensuring that critical decisions can be made based on the latest data.
- Controlling costs—analyzing security’s total cost of ownership (TCO), maintaining operational efficiency, and optimizing your cloud spend.
- Managing risk—protecting critical assets, ensuring stability and resiliency, and training your people to be better digital citizens.
Security and network leaders should also be presenting regular status updates to report on current progress, educating their management team, and setting advanced resource expectations for future budget cycles. Make sure you’re not just talking about what you’re doing this year, but also the things that are coming up next year. This feedback loop will help build alliances with management stakeholders—meet with them, go through their plans, and communicate how your plan supports their plans.
Include the right data points
Another common misstep is pulling in an overwhelming volume of data that may not mean much to the audience at the end of the day. For example, too many annual loss expectancy (ALE) computations can be eye-glazing—plus they’re often built on assumptions that are hard to quantify.
Security and networking leaders need to carefully choose metrics that matter to the business. One way of doing this can be benchmarking your program against what your competitors are doing. An annual assessment can help you demonstrate how your program is performing today—and highlight areas where it may be falling short of competitors or industry best practices.
You should also try to include “smart metrics”—which means using numbers that tie an achievement back to a business benefit. “We blocked a million phishing attempts” may sound impressive, but it’s kind of an empty number because it lacks business context. But if you instead say, “We responded to 20 incidents within 120 minutes last month, five of which were targeting critical business systems,” that tells a better story about security’s value to core operations and how fast you were able to resolve the issues.
Show them the money
The weakest justifications for security are cost avoidance and compliance. Making a business case for governance can be particularly tricky without resorting to alarmism.
“We are required to comply with PCI standards,” or “Our competitor was fined X-amount for violating GDPR rules.” While legal and regulatory requirements may be relevant facts, they don’t convey a positive measurable value to management.
However, if one of your top customers contractually requires PCI compliance or a significant portion of your sales comes through EU-based partners where GDPR is mandated, that’s a different story. Many customers will have security requirements for doing business with your company—so your team can rightfully claim responsibility for helping to land or retain those earnings.
Maybe the best way to show the monetary value of risk reduction is to talk about it as “enhancing revenue”—security as a cost center that helps bring cash into the organization. I once went into a budget conversation with the CEO and CFO and my opening was to say that my team drove $800 million in revenue the previous year. That got their attention. When you reframe the conversation from security being just another cost center to being a revenue-driving center—it works.
But it’s also important to consider whether you can close the review loop when the project is complete. A year after the budget is approved, you’ll need to do a post review that evaluates whether the organization is seeing the proposed benefits of the investment. If your business case overstated the value of the project, future requests may be treated with skepticism.
Selling security in a buyer’s market
Sooner or later, every business interrogates its spending with an eye on eliminating costs. Right now, security should be low on the list of line items where organizations choose to cut funding. But you can’t assume business leaders will inherently understand the broader value of security when every business unit may be desperately justifying its budgetary footprint.
An effective business case for security needs to be grounded in what matters to your organization. That means you need an interior understanding of what the business is doing and how security will be an essential enabler of those goals. And it requires some long-game relationship-building to ensure management understands all the positive impacts your projects will make on the organization—now and in the future.