With the global average cost of a data breach reaching $3.86 million in 2020, security remains a major pressure point and a board-level agenda item. So why do security programs still lack adequate funding, urgency and support until a breach or lawsuit occurs or auditors demand change? Verizon’s 2021 Data Breach Investigations Report analyzed 29,207 incidents, of which 5,258 were confirmed data breaches, up from 3,950 confirmed breaches in the 2020 report. More executives will wish they had spent more time, attention and resources on this area, yet many will still balk at cybersecurity costs.
According to Forrester, 60% of 679 global enterprise security decision-makers who sit in IT at the manager, director or vice president level increased their IT budget for security in 2020, an improvement over past years. But Forrester also says businesses or agencies “with lower budgets tend to lack the visibility, expertise and situational awareness to identify that attackers have gained a foothold in the environment”. This helps explain why the average time to spot a breach can be as long as 228 days, based on IBM’s Cost of a Data Breach Report 2020. That is a long time for an attacker to operate inside an environment undetected.
Justifying Cybersecurity Costs Can Be an Uphill Battle
It isn’t always easy to convince executives that these efforts or projects are important enough to justify the cybersecurity costs. They don’t always see that good defense requires ongoing investment coupled with effective, consistent leadership and execution. Some C-suite members approve millions in security spending and consider it wasted if nothing bad happens. Others approve millions, suffer a data breach anyway and consider it wasted because something bad did happen.
Of course, different people have competing needs and finite resources. Part of the problem is that those selling security may not explain clearly that there is no such thing as 100% protection and that the goal is managing risk, not eliminating it. The other part is the lack of a valid business case that shows how results will be delivered and what value they bring.
There is often an easy selling point for security spending: it improves the organization’s overall posture and reduces risk. But how do you measure that? Security teams need an approach to building business cases in terms executives understand, one that ties cybersecurity costs directly to broader strategic goals and objectives. Better business cases help win investment dollars and give the security team more control over a budget that is not always under its direct supervision or management.
The C-Suite Has Heard This Before
Better business cases for cybersecurity costs improve the odds of managing risk well and of project success, because they generate greater stakeholder commitment and support. They also avoid common shortfalls. Employees often ask the C-suite to approve large capital investments that:
- Don’t align with corporate plans, strategies and objectives
- Focus on tech rather than on the needed changes in processes and people that will really achieve the benefits
- Ignore major risks or how to mitigate those risks
- Don’t quantify potential benefits, who will achieve them or how to measure them
- Have little or no input or ongoing commitment from stakeholders
- Don’t help to put new ways of working in place and show the resulting benefits
- Don’t guide the projects from analysis through to rollout
- Aren’t written out and explained clearly and credibly
With these problems, the C-suite is unlikely to back your investment decisions or approve the proposed cybersecurity costs.
The first step is to define the project well enough that decision-makers can make an informed choice. A business case should help the C-suite understand the business value of the investment and decide whether to fund it; once approved, it justifies and guides the work that follows. In short, business cases can drive results, not just promise them, as long as you follow through.
Build a Better Business Case
Here’s how security workers can help build effective business cases and leverage their use.
First, develop business cases together. Use a business-driven, inclusive process that involves stakeholders from the start, which secures both approval and ongoing support. Focus on the changes to people, processes and technology the business will make with the money, and be specific about the expected benefits and who will realize them.
Next, fully document and express your efforts. Effective business cases document the plan completely and present it clearly, in more than one way. Start with a risk quantification that translates your need into the financial language of the C-suite and the board: the likelihood and impact of the digital threats you face, expressed in money. Then run a cost-benefit analysis of the risk mitigation options so that decisions about cybersecurity costs rest on comparable figures. Together these give the C-suite a strategic view of risk management. Finally, link the business case to business strategies, plans and objectives, and describe the major risks along with how each will be mitigated.
Lastly, keep using the business case after approval. Effective business cases add value throughout the project life cycle: once funding is secured, use them to guide and assess the project, to track how well the organization is adopting the people, process and technology changes, and to confirm that the benefits are being realized.
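As an added illustration of the risk quantification and cost-benefit step above (example code written for this page, not from the article or from IBM): a small annualized-loss-expectancy model that scores each mitigation option by the expected loss it avoids minus what it costs, then ranks the options. The ALE/ROSI framing, the ransomware scenario and every dollar figure are assumptions chosen for illustration, not data from the article.

```python
"""Quantify a risk scenario and rank mitigation options by net annual benefit.

Added illustration for the 'risk quantification' and 'cost-benefit analysis'
step; the ALE-based model and all figures below are assumptions, not from the article.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    """A loss scenario expressed in the C-suite's units: dollars per year."""
    name: str
    single_loss: float  # single loss expectancy (SLE): expected cost of one occurrence
    annual_rate: float  # annualized rate of occurrence (ARO): expected events per year

    def __post_init__(self) -> None:
        if self.single_loss < 0 or self.annual_rate < 0:
            raise ValueError(f"{self.name}: loss and rate must be non-negative")

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Control:
    """A mitigation option and the fraction of likelihood and impact it removes."""
    name: str
    annual_cost: float
    rate_reduction: float = 0.0    # fraction by which ARO falls, 0..1
    impact_reduction: float = 0.0  # fraction by which SLE falls, 0..1

    def __post_init__(self) -> None:
        if self.annual_cost < 0:
            raise ValueError(f"{self.name}: cost must be non-negative")
        for frac in (self.rate_reduction, self.impact_reduction):
            if not 0.0 <= frac <= 1.0:
                raise ValueError(f"{self.name}: reductions must lie in [0, 1]")


def residual_ale(scenario: Scenario, control: Control) -> float:
    """ALE that remains once the control is in place."""
    sle = scenario.single_loss * (1.0 - control.impact_reduction)
    aro = scenario.annual_rate * (1.0 - control.rate_reduction)
    return sle * aro


def evaluate(scenario: Scenario, control: Control) -> dict:
    """Cost-benefit figures for one control against one scenario.

    net_benefit: expected loss avoided per year minus the control's annual cost.
    rosi: return on security investment, net_benefit / annual_cost; None for a
    zero-cost option such as 'accept the risk', where the ratio is undefined.
    """
    remaining = residual_ale(scenario, control)
    avoided = scenario.ale - remaining
    net = avoided - control.annual_cost
    rosi: Optional[float] = net / control.annual_cost if control.annual_cost > 0 else None
    return {
        "control": control.name,
        "residual_ale": remaining,
        "loss_avoided": avoided,
        "net_benefit": net,
        "rosi": rosi,
    }


def rank_controls(scenario: Scenario, controls: list) -> list:
    """Rank options by net annual benefit, highest first.

    Each control is scored in isolation; the model does not assume that the
    reductions of two controls stack, so a combined package needs its own entry.
    """
    return sorted((evaluate(scenario, c) for c in controls),
                  key=lambda r: r["net_benefit"], reverse=True)


# Constructed example figures (assumptions, not from the article): a ransomware
# scenario with a $500k single-event loss expected once every five years.
RANSOMWARE = Scenario("ransomware on file servers", single_loss=500_000, annual_rate=0.2)
OPTIONS = [
    Control("accept the risk", annual_cost=0),
    Control("offline backups with tested restores", annual_cost=30_000, impact_reduction=0.7),
    Control("phishing-resistant MFA", annual_cost=20_000, rate_reduction=0.4),
    Control("EDR rollout", annual_cost=60_000, rate_reduction=0.5),
]

if __name__ == "__main__":
    print(f"{RANSOMWARE.name}: ALE ${RANSOMWARE.ale:,.0f}/yr")
    for r in rank_controls(RANSOMWARE, OPTIONS):
        rosi = "n/a" if r["rosi"] is None else f"{r['rosi']:.0%}"
        print(f"  {r['control']:<40} net ${r['net_benefit']:>10,.0f}  ROSI {rosi}")
```

The point of the ranking is the conversation it enables: a control with a negative net benefit (here the EDR rollout, whose cost exceeds the loss it avoids against this one scenario) is not necessarily a bad purchase, but the case for it has to come from other scenarios it mitigates, which the model forces you to write down.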
How to Justify Cybersecurity Costs and Stay Safer
People often view business cases only as documents for winning funding; once approved, the people who wrote them put them away. Businesses may track project costs against estimates, but they don’t always track the business benefits the projects deliver. When it comes to planning cybersecurity costs, tracking costs alone is only half of the job.
Because digital defense is an ongoing challenge and attackers keep changing tactics, every business case is a critical input to funding and investment appraisal or prioritization, to operational control and coordination, and to benefits realization. Looking at each case from that angle helps you choose the right investments and make sure they deliver. Business cases can fall short, but security teams can revamp their approach and build effective ones by avoiding the common shortfalls and focusing on results and the value they bring.
Cloud Security and Compliance Leader, IBM Cloud