{"id":1609,"date":"2020-02-21T14:05:22","date_gmt":"2020-02-21T14:05:22","guid":{"rendered":"http:\/\/72.52.228.46\/~itegriti\/?p=1609"},"modified":"2021-04-12T02:54:57","modified_gmt":"2021-04-12T02:54:57","slug":"creating-business-case-cybersecurity-budget","status":"publish","type":"post","link":"https:\/\/itegriti.com\/kw022024\/2020\/cybersecurity\/creating-business-case-cybersecurity-budget\/","title":{"rendered":"Creating a Business Case for a Cybersecurity Budget"},"content":{"rendered":"

Budgets are not infinite and organizations must align their spending to focus on core competencies. As a result, priorities do not always favor cybersecurity. Often I have been asked to join an organization and help them clear a specific hurdle, whether due to previous failed attempts or the identification of an incident prompting a response. What usually comes next is a great deal of frustration from the various in-house teams. My team arrives asking the same questions and requesting the same information that these folks have provided several times before. My role, in these cases, isn\u2019t to come in and blame either party, that is because lack of communication tends to cause this disconnect. Instead, my team\u2019s job is to help develop a strong investment business case and create an influential package that helps empower senior leadership to truly understand the need for this investment, which includes revamping communication practices to make them more effective.<\/p>\n<\/div>

Creating a Business Case for a Cybersecurity Budget<\/strong><\/h2><\/div>

Consider the following:<\/p>\n

1.\u00a0 \u00a0 \u00a0 What is the reason or focus of this investment?<\/h4>\n

If an incident has occurred, you can use that as an example to highlight an immediate need. If the incident was prevented or mitigated and a negative impact was avoided, there may be a need a determine the cause, in hopes that future incidents can be prevented.<\/p>\n

2.\u00a0 \u00a0 \u00a0 \u00a0How were previous investments received and where did the spending go?<\/h4>\n

Have all previous investment requests failed? Worse yet – was a previous investment spent poorly? If so, you may be able to add lessons learned to your business case and avoid any similar failures.<\/p>\n

3.\u00a0 \u00a0 \u00a0 \u00a0Trends and expectations on why this spending is needed – be industry specific.<\/h4>\n

These trends can be used to strengthen the argument, especially if you are referencing outside authority figures, such as the National Cyber Security Centre\u2019s findings<\/p>\n

4.\u00a0 \u00a0 \u00a0 \u00a0Alignment with the overall business and avoiding assumptions.<\/h4>\n

Organizations struggle with effective communication. If you\u2019re building an investment program that requires business champions to adequately test solutions prior to the organization\u2019s go-live, it would behoove you to highlight the need for resource availability at the onset of the investment. If you incorrectly assume resource availability in this instance, the impact on your investment proposal could prove detrimental.\u00a0 In essence, your budget would be grossly skewed and your time frame would be inaccurate<\/p>\n

5.\u00a0 \u00a0 \u00a0 \u00a0Current state of affairs, any regulatory requirements, and alignment with the organizations\u2019s risk register.<\/h4>\n

Be sure to address these items up front and don\u2019t underestimate their importance.<\/p>\n

6.\u00a0 \u00a0 \u00a0 \u00a0How will the business be impacted during this investment?<\/h4>\n

Will there be a temporary loss of resources? Will it impact end users? You must consider the potential impact your investment will have on the organization. If concern is expressed, you need to be ready to respond<\/p>\n<\/div>

At times it can be challenging to create a clear and concise plan that details the reason for the investment. You can start by asking the following questions:<\/p>\n

7.\u00a0 \u00a0 \u00a0 Why does the organization need to make this investment?<\/h4>\n

You have to be able to justify the spending. Change for anyone is scary and it can have a noticeable impact on productivity. Regardless of what the change is, make sure that you can demonstrate the reason for this change and address any expected or unexpected disruptions. \u00a0Build a clear and concise breakdown of the requirement\/reason for spending, options for investment, and outcomes depending on decisions made.<\/p>\n

8.\u00a0\u00a0\u00a0\u00a0\u00a0 Who or what will benefit from this investment?<\/h4>\n

Will the operations team glean the most benefit? Will the effort strengthen your company\u2019s overall security posture? Will your system resiliency increase tenfold? Will the end users see a great improvement in their experience? It is highly unlikely you will be the sole person and\/or department looking for investment. As a result, you should look at the big picture and consider including a holistic view of the benefits that will be derived from this investment.<\/p>\n

9.\u00a0 \u00a0 \u00a0 When will the investment produce a return or show success in the metrics?<\/h4>\n

When will the investment produce a return or show success in the metrics? If you have data on when the organization may realize financial benefits or increases in productivity, be sure to include these findings in your investment case.\u00a0 You can spend time looking through other reported improvement programs to get a rough idea of the typical length of time it takes to realize these benefits.<\/p>\n

10.\u00a0\u00a0\u00a0\u00a0\u00a0 How will success be measured?<\/h4>\n

If not properly measured, it will be next to impossible to see movement, either positive or negative. To have any sort of credibility to your business case, you must include a way to measure this. Consider when organizations implement phishing campaigns, for example. While knowing who \u2018fell victim\u2019 to the phish is often calculated, there are many other important metrics that are usually forgotten:<\/p>\n