How to Build Board-worthy Cybersecurity Business Cases

We have looked at Cybersecurity business cases in the past, relating the cost of a proposed solution to the potential cost of a breach. That framework hasn’t gone away – but, there are some other pieces to consider when crafting a cybersecurity business case to truly sway CIOs and board members alike.

Today, we examine what makes up a sound business case for cybersecurity. I pay special attention to how IT stakeholders at SMBs can position such projects to senior leadership, and the particular sections that make up a truly board-worthy case. 

Start With the Basics

While there are some cyber-specific nuances I’ll get to later, bringing the project, budget, and timeline to the forefront is critical for equipping decision makers with the right information. With this framework in mind, many of the details will actually be dictated by the problem you’re attempting to solve. A good place to start is by looking internally at any metrics you have been capturing cybersecurity KPIs (see our blogpost on the best/worst, as well as our Elite SMB Incident Response Guide for guidance on when and how to track potential incidents).

Sponsorships Available

Sponsorships Available

Sponsorships Available

Quantify the Problem

Understanding the costs that organizations face from cybersecurity breaches (and compliance fines sometimes associated with them) is important for demonstrating costs saved. With that said, in examining the psychology of generalizing such figures to your company, it can be really easy to poke holes in the story – differences in data types stored or stolen; different defences in place; differences in how ‘target worthy’ your company seems… It becomes both convenient and easy for leaders to say “this doesn’t apply to our business”. Ensure you are using figures that are applicable to your business.

More than “Just” Breaches

CIOs must be able to articulate their argument by (Read more...)