With the global average cost of a data breach reaching $3.86 million in 2020, security remains a major pressure point and a board-level agenda item. So why do security programs still lack adequate funding, urgency and support until a breach or lawsuit occurs or auditors demand change? Verizon’s 2021 Data Breach Investigations Report analyzed 29,207 incidents, of which 5,258 were confirmed data breaches, up from 3,950 confirmed breaches in the 2020 report. More executives are going to wish they had spent more time, attention and resources on this area, yet many will still balk at cybersecurity costs.

According to Forrester, 60% of 679 global enterprise security decision-makers surveyed (managers, directors and vice presidents within IT) increased their security budget in 2020, an improvement over past years. But Forrester also notes that businesses or agencies “with lower budgets tend to lack the visibility, expertise and situational awareness to identify that attackers have gained a foothold in the environment”. That helps explain why the average time to identify a breach can be as long as 228 days, according to IBM’s Cost of a Data Breach Report 2020. That is a long time for an intruder to operate unnoticed.

Justifying Cybersecurity Costs Can Be an Uphill Battle

It isn’t always easy to convince executives that these efforts or projects are important enough to justify the cybersecurity costs. They don’t always see that good defense requires ongoing investment coupled with effective, consistent leadership and deployment. Some C-suite members approve millions in security spending but consider it a waste of money if nothing bad happens. Conversely, others approve millions, suffer a data breach and consider it a waste because something bad did happen.

Of course, different people have competing needs and finite resources. So part of the problem is that those selling security may not fully explain that there is no such thing as 100% protection and that the goal is managing risk to an acceptable level. The other part is the lack of a valid business case showing how results will be delivered and what value they bring.

There is an obvious selling point for security investments: they improve the overall posture and reduce risk. But how do you measure that? Security workers need a repeatable approach to making business cases in terms executives understand, one that connects cybersecurity costs directly to broader strategic goals and objectives. Building more effective business cases helps win investment dollars and gives the security team more say over a budget that is not always under its direct control.

The C-Suite Has Heard This Before

Better business cases for cybersecurity costs improve the odds of managing risk well and of project success, because they generate greater stakeholder commitment and support. They also avoid common shortfalls. Too often, employees ask the C-suite to approve large capital investments that:

  • Don’t align with corporate plans, strategies and objectives
  • Focus on tech rather than on the needed changes in processes and people that will really achieve the benefits
  • Ignore major risks or how to mitigate those risks
  • Don’t quantify potential benefits, who will achieve them or how to measure them
  • Have little or no input or ongoing commitment from stakeholders
  • Don’t help to put new ways of working in place and show the resulting benefits
  • Don’t guide the projects from analysis through to rollout
  • Aren’t written out and explained clearly and credibly.

Given these problems, it is no surprise when the C-suite declines to hear out your investment proposals or approve the cybersecurity costs you request.

The first step is to define the project well enough that decision-makers can make informed choices. A business case should help the C-suite understand the business value of the investment and decide whether to fund it; once approved, it justifies and guides the work that follows. In short, business cases can drive results, not just promise them, as long as you follow through.

Build a Better Business Case

Here’s how security workers can help build effective business cases and leverage their use.

First, develop business cases together. Use a business-driven, inclusive process that involves stakeholders from the start, which secures approval and ongoing support. Focus on the changes in people, process and technology the spending will bring about, not on the technology alone. Be specific about the expected benefits and who is accountable for achieving them.

Next, fully document and express your efforts. Effective business cases document the plan fully and present it clearly, in more than one form. Start with a risk quantification: express the likelihood and impact of the relevant threats in financial terms, the language of the C-suite and the board. Then run a cost-benefit analysis of the mitigation options, comparing each option’s cost against the expected loss it avoids, so decisions about cybersecurity costs are informed rather than intuitive. Together these give the C-suite a strategic view of risk management and insight into the likelihood and impact of digital threats. Finally, link the business case to business strategies, plans and objectives, and describe the major risks along with how they will be mitigated.
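The risk quantification and cost-benefit analysis above can be made concrete with a small model. The following is an added example, not code from the article or from IBM; it uses the classic annualized loss expectancy (ALE) and return on security investment (ROSI) formulas, and every figure in the scenario (asset value, exposure factor, incident rate, control costs and reductions, risk appetite) is constructed for illustration, not taken from any report.

```python
"""Risk quantification and cost-benefit ranking of mitigation options.

Added example with a constructed scenario; no figure here comes from the
article. Model: annualized loss expectancy (ALE) plus return on security
investment (ROSI):

    SLE  = asset_value * exposure_factor      (loss per incident)
    ALE  = SLE * ARO                          (expected loss per year)
    ROSI = (ALE_before - ALE_after - control_cost) / control_cost
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One loss scenario expressed in money and frequency."""
    name: str
    asset_value: float      # value at stake: remediation, lost revenue, fines
    exposure_factor: float  # share of asset_value lost in one incident (0..1)
    aro: float              # annual rate of occurrence (incidents per year)

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A mitigation option and what it does to likelihood and/or impact."""
    name: str
    annual_cost: float          # licences, people, run cost, amortised capex
    aro_reduction: float = 0.0  # fraction by which likelihood drops
    ef_reduction: float = 0.0   # fraction by which per-incident impact drops

    def apply(self, risk: Risk) -> Risk:
        """Residual risk once this control is in place."""
        return replace(risk,
                       exposure_factor=risk.exposure_factor * (1 - self.ef_reduction),
                       aro=risk.aro * (1 - self.aro_reduction))


@dataclass(frozen=True)
class Appraisal:
    option: str
    ale_before: float
    ale_after: float
    annual_cost: float

    @property
    def avoided_loss(self) -> float:
        return self.ale_before - self.ale_after

    @property
    def net_benefit(self) -> float:
        return self.avoided_loss - self.annual_cost

    @property
    def rosi(self) -> float:
        return self.net_benefit / self.annual_cost


def appraise(risk: Risk, controls: list[Control]) -> Appraisal:
    """Cost-benefit of a bundle of controls applied together.

    Reductions compound multiplicatively: two controls that each halve
    likelihood leave a quarter of it, not zero, so stacking has
    diminishing returns.
    """
    residual = risk
    for c in controls:
        residual = c.apply(residual)
    return Appraisal(" + ".join(c.name for c in controls),
                     risk.ale, residual.ale, sum(c.annual_cost for c in controls))


def rank_options(risk: Risk, options: list[list[Control]]) -> list[Appraisal]:
    """Rank mitigation bundles by net benefit (avoided loss minus cost)."""
    return sorted((appraise(risk, o) for o in options),
                  key=lambda a: a.net_benefit, reverse=True)


def within_appetite(a: Appraisal, appetite: float) -> bool:
    """Does the residual expected annual loss sit inside the board's appetite?"""
    return a.ale_after <= appetite


# Constructed scenario (hypothetical figures): breach of the customer database.
BREACH = Risk("customer database breach", asset_value=4_000_000,
              exposure_factor=0.5, aro=0.2)          # SLE $2.0M, ALE $400k/yr

MFA = Control("MFA for all remote access", annual_cost=60_000, aro_reduction=0.6)
ENCRYPT = Control("field-level encryption", annual_cost=150_000, ef_reduction=0.5)
INSURANCE = Control("cyber insurance", annual_cost=120_000, ef_reduction=0.3)
SOC = Control("outsourced 24x7 SOC", annual_cost=500_000,
              aro_reduction=0.5, ef_reduction=0.4)

OPTIONS = [[MFA], [ENCRYPT], [INSURANCE], [SOC], [MFA, ENCRYPT]]


if __name__ == "__main__":
    print(f"{BREACH.name}: SLE ${BREACH.sle:,.0f}  ALE ${BREACH.ale:,.0f}/yr")
    for a in rank_options(BREACH, OPTIONS):
        flag = "" if within_appetite(a, 100_000) else "  (residual above $100k appetite)"
        print(f"{a.option:<50} cost ${a.annual_cost:>8,.0f}  avoided ${a.avoided_loss:>8,.0f}"
              f"  net ${a.net_benefit:>9,.0f}  ROSI {a.rosi:>6.0%}{flag}")
```

Two things the table makes visible that the prose cannot: the option with the best net benefit (MFA alone) still leaves the residual expected loss above a $100k appetite, so the bundle that does satisfy the appetite (MFA plus encryption) is the one to propose even though its ROSI is lower; and the most expensive option (the outsourced SOC) has a negative net benefit against this single risk, which is the kind of result that keeps a business case credible when the C-suite asks why the big-ticket item was not chosen. The inputs are the part that needs defending in front of the board, so record where each asset value, exposure factor and incident rate came from alongside the numbers.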

Lastly, leverage business cases after approval. Effective business cases add value throughout the entire project life cycle. Once the project is funded, use them to guide and assess it, to track how well the organization is adopting the people, process and technology changes, and to confirm that the promised benefits are being realized.

How to Justify Cybersecurity Costs and Stay Safer

People often view business cases only as documents for gaining funding. Once approved, the people who made the business case simply file it away. Businesses may track project costs against estimates, but they don’t always track whether the projected business benefits materialize. Securing the budget is only half the job; the other half is showing that the spending delivered what the business case promised.

Since digital defense is an ongoing challenge as attackers change tactics, every business case is a critical input to funding and investment appraisal, prioritization, operational control and coordination, and benefits realization. Choosing the right investments and making sure they deliver both depend on it. Business cases can fall short, but security workers can revamp their approach and build effective ones by avoiding the common shortfalls above and focusing on results and the value they bring.
