#HowTo: Build a Business Case for Cybersecurity Investment


The current steep economic contractions mean companies are under pressure to yield more (with less) while demonstrating high returns on investment.

The question often asked is: what should the budget priorities be? Sadly, when it comes to investing in cybersecurity, a lot of companies still perceive cyber-resilience as an expense because it is hardly visible (as long as it's working).

If you are a security officer desperately struggling to defend your budget, there is an easy way to persuade management to give you the money you need. Relate your numbers to what the management is really interested in (hint: ROI!).

2020 turned out to be a significant year for cybercrime, with breaches making the news far too often. For instance, Marriott revealed that the personal details of approximately 5.2 million hotel guests were fraudulently accessed in mid-January. In another incident, the personal data of more than 10.6 million guests of MGM Resorts properties were shared on a hacking forum. Notably, 500,000 Zoom user accounts emerged for sale on a dark web forum.

Currently, we are at a stage where every company should open up to investing in cybersecurity, and security officers should develop a compelling business case for it.

Though adjusting current practices may not be easy, clear communication about the importance of a bona fide risk assessment (not to forget the money factor) can encourage your executive team and the board to support a transition.

Consider the following.

Run a Complete Audit

Conduct a detailed inspection of your present security posture. This includes recognizing where your sensitive data assets reside, who wants access to them, and, more importantly, who has access to them.

Many security officers do not realize the risks of possible data loss caused by reckless or malicious insiders. Not all data bear the same risk level, and no organization should grant special rights to any employee to access all of their organizational data.

Although this can be time-consuming, it is necessary to get a wider view of where your security measures actually stand.

Set the Right Expectations From the Beginning

Cybersecurity is not a product or a service. Its only financial benefit comes from shielding a company from losses. While working out your business case, show how this could decisively impact your organization's budget.

The trick is to speak in the language of numbers. For example, if you can explain how a $1 investment would stop an event that could cost $10 to the company, you can get the management to vote on your side.

Formulate the Return on Investment (ROI)

A number of direct savings can be measured based on the size of a company, using these budget elements: labor savings, defined as full-time equivalent (FTE) cost savings per year, and the reduction of costs associated with software systems and services that aid the cybersecurity management process.

The direct savings may amount to $100,000–150,000 per annum for smaller organizations. The number for larger, multi-unit enterprises usually falls within the $200,000–300,000 range.

You can also take into account the indirect costs of FTE activities, including:

  • Activities related to compliance with data security requirements.
  • Partnership with third-party security vendors.
  • Reduction in cyber breach insurance cost.
  • Reselling the cyber risk management services to consumers.

They add up to an additional value of four to six FTEs and savings/new revenue in the $100,000+ range.

Determine the Right Areas for Investment

Give your management the data that will determine their investment decision. If visible, focus on the series of threat vectors already present, such as:

  • Restricted and inadequate services for employee training and security awareness.
  • Policies and processes that are insufficiently recorded and applied.
  • Undocumented and untested plans for disaster recovery and company disruption.
  • Lack of device backups, patch updates and patching practices.

Formulate a risk/reward equation using a tiered security approach. You can then begin directing your investments towards detecting compliance and incident response.

Presenting Your Business Case

So, you have made a substantial, compelling business case for your organization. Now, you need to introduce your proposal to senior management. There are a few things you need to keep in mind.

What is your relationship with them? Have you spent a long time working together? Is there a shared understanding and respect between you?

If yes, then you are beginning on a good note. You can proceed by demonstrating the requisite proof and collateral to support your request for the budget.

But, if you are new and are yet to establish a level of confidence in your board members, you must anticipate their expectations and prepare in advance. These decision-makers need to make informed choices not only for the advancement of cybersecurity but for the company as a whole.

When addressing your business case, consider aspects like the questions they may ask, where their attention lies, and their general understanding of cybersecurity.


All in all, the trick to submitting a solid business case is to arm yourself with the right notes. Align your investment plan with the needs, risks, and compliance requirements of your business. Also, knowing your organization's needs will make strategic planning simpler and lead to more equitable investments.
