Budgets are not infinite, and organizations must align their spending with their core competencies. As a result, priorities do not always favor cybersecurity. Often I have been asked to join an organization and help it clear a specific hurdle, whether because of previous failed attempts or because an incident has prompted a response. What usually comes next is a great deal of frustration from the various in-house teams: my team arrives asking the same questions and requesting the same information that these folks have provided several times before. My role in these cases isn't to blame either party, because the disconnect is usually caused by a lack of communication. Instead, my team's job is to help develop a strong investment business case and create an influential package that empowers senior leadership to truly understand the need for this investment, which includes revamping communication practices to make them more effective.
Creating a Business Case for a Cybersecurity Budget
Consider the following:
1. What is the reason or focus of this investment?
If an incident has occurred, you can use it as an example to highlight an immediate need. If the incident was prevented or mitigated and a negative impact was avoided, there may still be a need to determine the root cause so that future incidents can be prevented.
2. How were previous investments received and where did the spending go?
Have all previous investment requests failed? Worse yet – was a previous investment spent poorly? If so, you may be able to add lessons learned to your business case and avoid any similar failures.
3. Trends and expectations on why this spending is needed – be industry specific.
These trends can be used to strengthen the argument, especially if you are referencing outside authorities, such as the National Cyber Security Centre's findings.
4. Alignment with the overall business and avoiding assumptions.
Organizations struggle with effective communication. If you're building an investment program that requires business champions to adequately test solutions prior to the organization's go-live, it would behoove you to highlight the need for resource availability at the onset of the investment. If you incorrectly assume resource availability in this instance, the impact on your investment proposal could prove detrimental: your budget would be grossly skewed and your time frame would be inaccurate.
5. Current state of affairs, any regulatory requirements, and alignment with the organization's risk register.
Be sure to address these items up front and don’t underestimate their importance.
6. How will the business be impacted during this investment?
Will there be a temporary loss of resources? Will it impact end users? You must consider the potential impact your investment will have on the organization. If concern is expressed, you need to be ready to respond.
At times it can be challenging to create a clear and concise plan that details the reason for the investment. You can start by asking the following questions:
7. Why does the organization need to make this investment?
You have to be able to justify the spending. Change for anyone is scary and it can have a noticeable impact on productivity. Regardless of what the change is, make sure that you can demonstrate the reason for this change and address any expected or unexpected disruptions. Build a clear and concise breakdown of the requirement/reason for spending, options for investment, and outcomes depending on decisions made.
8. Who or what will benefit from this investment?
Will the operations team glean the most benefit? Will the effort strengthen your company’s overall security posture? Will your system resiliency increase tenfold? Will the end users see a great improvement in their experience? It is highly unlikely you will be the sole person and/or department looking for investment. As a result, you should look at the big picture and consider including a holistic view of the benefits that will be derived from this investment.
9. When will the investment produce a return or show success in the metrics?
If you have data on when the organization may realize financial benefits or increases in productivity, be sure to include these findings in your investment case. You can spend time looking through other reported improvement programs to get a rough idea of the typical length of time it takes to realize these benefits.
10. How will success be measured?
If not properly measured, it will be next to impossible to see movement, either positive or negative. To have any sort of credibility to your business case, you must include a way to measure this. Consider when organizations implement phishing campaigns, for example. While knowing who ‘fell victim’ to the phish is often calculated, there are many other important metrics that are usually forgotten:
- Who opened the phishing email(s) vs. who did not. Several folks could have simply missed the email. Be aware that open tracking usually depends on a remote image loading, so mail clients that block images will under-count opens.
- Who clicked the link or opened the attachment. If someone recognized from the wording that it didn't look right and did not click the link, that is largely positive. Also keep in mind that email security gateways sometimes follow links automatically while scanning, which can register clicks that no human made; exclude those before reporting a click rate.
- Who entered details or credentials. If you were running a credential-harvesting phishing campaign where individuals clicked a link or opened an attachment but stopped short of entering their credentials, that would be considered a small victory.
- Who reported the phishing email(s). If someone fell victim to the phish but recognized their misstep shortly thereafter and reported themselves, that would also be a positive takeaway. On the other hand, if the person fell victim but failed to report it, that serves as another metric as well, albeit one that isn't as positive.
11. Where have we started?
Create a baseline for your current landscape, including workflows, productivity, risks, and whatever sort of improvement you’re looking to realize as a result of the investment. Without this baseline, you won’t actually be able to discern the changes that resulted – good or bad.
12. What does success look like?
In the above phishing example, the effort is viewed as a success if employees chose not to click the malicious link or open the attachment. However, a degree of success would also include those individuals who reported the email. Without noting that second aspect you would be unable to assess employee behavior during these exercises, and it would be incredibly difficult to measure any improvements in behavior going forward. If you want to increase your chances of having your investment proposal approved, take the time to document what every avenue of success looks like – even small areas, like a company’s perception of cyber security. It is also important to note that at times the measure(s) of ‘success’ look different across all teams – consider documenting your version of success and discussing with senior leadership to obtain their vision of success – don’t assume their outlook is the same.
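To make the metrics above and the baseline comparison concrete, here is an added example (not from the original post) that classifies each recipient of a simulated phishing campaign into the outcome buckets described, computes the funnel rates, and compares a follow-up campaign against the baseline. The campaign records are constructed for illustration; the field names (opened, clicked, submitted, reported) are an assumption about what a phishing platform would export. It also treats a click as an open even when the tracking pixel never fired, since image blocking hides opens but not clicks.

```python
"""Phishing-campaign funnel metrics (added example; records are constructed)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    user: str
    opened: bool     # tracking pixel fired; under-counts when images are blocked
    clicked: bool    # followed the link or opened the attachment
    submitted: bool  # entered credentials on the landing page
    reported: bool   # used the report button or forwarded the email to the SOC


def classify(r: Result) -> str:
    """Map one recipient's behaviour to an outcome bucket, worst behaviour first."""
    if r.submitted:
        return "submitted_reported" if r.reported else "submitted_silent"
    if r.clicked:
        return "clicked_reported" if r.reported else "clicked_silent"
    if r.reported:
        return "reported_without_clicking"   # the best outcome
    if r.opened:
        return "opened_ignored"
    return "not_opened"                      # may simply have missed the email


def funnel(results):
    """Stage counts as rates of all targets, plus the report rate among engagers."""
    n = len(results)
    # A click or submission implies an open even if the pixel was blocked.
    opened = sum(r.opened or r.clicked or r.submitted for r in results)
    clicked = sum(r.clicked or r.submitted for r in results)
    submitted = sum(r.submitted for r in results)
    reported = sum(r.reported for r in results)
    engaged = [r for r in results if r.clicked or r.submitted]
    reported_after_engaging = sum(r.reported for r in engaged)
    return {
        "targets": n,
        "open_rate": opened / n,
        "click_rate": clicked / n,
        "submit_rate": submitted / n,
        "report_rate": reported / n,
        "report_after_engage_rate": (
            reported_after_engaging / len(engaged) if engaged else 0.0
        ),
        "buckets": dict(Counter(classify(r) for r in results)),
    }


def delta(baseline, current, keys=("click_rate", "submit_rate", "report_rate")):
    """Change versus the baseline campaign; positive means the rate went up."""
    return {k: round(current[k] - baseline[k], 3) for k in keys}


# Constructed data: ten recipients, baseline campaign before awareness training.
BASELINE = [
    Result("alice", True, True, True, False),
    Result("bob", True, True, False, False),
    Result("carol", True, False, False, True),
    Result("dave", False, False, False, False),
    Result("erin", True, True, True, True),
    Result("frank", True, False, False, False),
    Result("grace", True, True, False, True),
    Result("heidi", False, True, False, False),  # pixel blocked, but she clicked
    Result("ivan", True, False, False, False),
    Result("judy", True, True, True, False),
]

# Constructed data: the same ten recipients in a follow-up campaign.
FOLLOW_UP = [
    Result("alice", True, True, False, True),
    Result("bob", True, False, False, True),
    Result("carol", True, False, False, True),
    Result("dave", True, False, False, False),
    Result("erin", True, False, False, True),
    Result("frank", False, False, False, False),
    Result("grace", True, True, False, True),
    Result("heidi", True, True, True, False),
    Result("ivan", True, False, False, True),
    Result("judy", True, False, False, False),
]

if __name__ == "__main__":
    before, after = funnel(BASELINE), funnel(FOLLOW_UP)
    for name, f in (("baseline", before), ("follow-up", after)):
        print(name, {k: v for k, v in f.items() if k != "buckets"})
        print("  buckets:", f["buckets"])
    print("change vs baseline:", delta(before, after))
```

The point of the `delta` output is that the click rate and the submit rate are expected to fall while the report rate rises; a campaign that only tracked who "fell victim" would miss the improvement in reporting, which is the behaviour you most want to reinforce.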
A child once taught me that the best way to get what you want is to start out big. The child asked one parent for something extraordinary, such as a pet pony. After that parent denied the request, the child asked for a hamster instead. While the first parent mulled that over, the child went to the other parent and brought up the original request for a pony. When the second parent heard this, the two parents discussed it, and the proposition of a hamster became far more reasonable in their minds, which typically ended in that request being granted. This example is, in essence, a form of social engineering. Whilst I would advise against using this approach for investment business cases, there is something to be learned from this child: the power of influence.
One of my favorite books that touches on the concept of influence is called Phishing: Dark Waters. It highlights the methodology of effectively implementing phishing awareness training. One part of the book talks about Social Engineering and describes it as a scale between influence and manipulation – typically the end result is the same, but the process you take to get there differs. When presenting your request for a budget, you’ll rely heavily on your ability to influence by identifying your audience, what they value, what they understand, and how they think. From there, you’ll present the most appropriate and supportive arguments to influence their decision, while using facts, company history, trends and the risk register to build a strong and persuasive case.
Presenting your Investment Business Case
When preparing to present your plan to senior leadership, consider your relationship with those individual(s). Have you worked together long? Is there a mutual respect and understanding between you?
If so, you’re starting out on a positive note, and you can move forward in building the evidence and collateral needed to justify the budget request.
If you’re new to this role or simply have not yet developed that level of trust with your leadership, you must consider their expectations, understanding, and needs. While you are the expert in the field, these leaders are tasked with making educated decisions for not only the betterment of cybersecurity but the organization as a whole. When presenting your case, consider the following: questions you expect to be asked, where their focus lies, and their overall understanding of the cybersecurity posture.
While there is no guarantee your investment will be seen as a priority, by focusing on the overall organizational needs, general perception of the cybersecurity posture, and highlighting the improvements that will be realized – you can be confident others will start to understand the connection between cybersecurity and the organization.
Enhancing the Overall Investment Business Case
Communication and Integration of the Cybersecurity Operations Team Across the Organization
In one instance, my team was called in to assist an organization that was struggling to consolidate technologies across multiple separate global offices. What's more, a few of these were separate businesses that had merged into the larger house. Previously, offices were allowed to assess, test, and implement technology solutions as they saw fit, without approval from central management. This autonomy was seen as beneficial by the local offices but resulted in massive technical debt and a litany of integration issues once the organization decided to centralize. As part of my team's effort, the separate office cultures and processes had to be assessed and understood, the solutions had to be re-trialed and tested against a much larger scope, and the historic culture of validating and purchasing solutions locally needed a significant overhaul. After several prior failed attempts to consolidate, it was determined that outside help was needed to develop a viable solution, which led to my team's involvement. While you might feel this example isn't directly applicable to your business case, you may start to realize that departments typically act as separate offices, albeit on a much smaller scale. Because of this, teams may fail to communicate with one another, and other groups, such as operations or security, may lack a holistic view of the organization and its objectives. This type of disjointed culture can result in technical debt and, in some cases, even cause incidents to occur.
Enhancing day to day operations
Many years ago in college, I decided to open my own business, offering managed services to small and medium-sized firms. From this experience, I learned that several organizations tend to employ third parties that simply build a cookie-cutter infrastructure and leave. This approach led to nice technology that didn't align with the needs of the organization and, in some cases, even overlooked major requirements. From there, temporary workarounds would be implemented, which often led to an increase in the use of shadow IT. Unfortunately, these workarounds did not directly address the major concerns and were only meant to serve as a "stop gap". As you probably guessed, however, these "stop gaps" typically turned into permanent solutions.
When your investment changes the way people work, those people are usually afraid of change; this is normal and should be expected. In order to really showcase the benefits of the investment, try holding a functional and non-functional requirements-gathering campaign. Creating workflows that accurately reflect daily operations, and including outside parties in that process, will enhance their buy-in and establish trust. If you cannot hold this prior to the business case proposal, which is understandable, make sure to hold it during the first phase of the investment, and make all aspects of your business case clear to your stakeholders. This includes the owner(s)/project manager of the investment, the purpose of the investment, and the benefits to be gleaned as a result of its implementation.
In situations where your investment request will both enhance the security posture and enable effective documentation of user workflows, it can lead to less disruption to the business and greater efficiencies being realized across departments. I've also seen investments include hardware and infrastructure improvements or better cloud-based offerings, which can speed up access to resources and lead to a healthier bottom line. Regardless of your investment goals, be sure to use a proper form of internal marketing that emphasizes the positive benefits end users will see.
Empowering core competencies of the business
As mentioned previously, most businesses' core competencies do not include cybersecurity. Therefore, when building an investment plan, ensure that the plan's objectives align with the direction, needs, risks, and compliance requirements of the business. If you struggle with this, consider using a trusted adviser like ITEGRITI to perform a gap analysis or to help provide you with a baseline of your organization's security posture. Understanding the needs of your organization will facilitate better strategic planning and could lead to more inclusive investments.