For IT professionals, cybersecurity is a critical (and obvious!) need. But making the case for large sums of money to be invested in cybersecurity can prove daunting — especially if the executives you’re trying to convince are not well-versed in technology. When presenting a business case for why the organization should invest in cybersecurity, refer to these eight best practices to make your ask convincing.
1. Speak the Audience’s Language
Leadership will expect a presentation emphasizing business outcomes rather than the details of how a specific cybersecurity tool or attack vector works. Executives rely on you to be the expert and translate why investing in certain tools or technologies is important for the business. Their main goal will be to understand the “why” – not the details on the “how.” Present your case in a strategic manner by focusing on how your proposed cybersecurity budget will minimize organizational risk and maximize investment. Be specific about risks your company and industry face and back your claims with recent data.
As tempting as it is to dive into what cybersecurity tools you hope to invest in and how they will be used, focus instead on the reasons you need them. The presentation should emphasize how cybersecurity solves a business problem.
2. Share the Return on Investment
Executive leadership’s ultimate goal is maximizing profitable revenue and shareholder value – and cybersecurity is an expensive investment. What’s more expensive? Recovering from a crippling attack, losing valuable data, grappling with costly downtime, facing hefty fines and fees from regulatory bodies, and dealing with a major hit to your reputation. You understand that the benefits of preventing a ransomware attack or data breach far outweigh the initial investment. Your executive team may not. Provide data-backed cost/benefit analyses of what investing in cybersecurity can save you in the long run. How much will it cost if your company goes down for a day or a week? How much does the average data breach in your industry cost? How long will it take to recover if key systems go down? Share those figures and explain how your proposed investment counters them.
3. Set the Stage with Examples + Data
Cybersecurity attacks create major headlines and damage a company’s reputation in addition to their major financial impact. Be prepared to provide concrete examples of cybersecurity attacks in your industry and their outcomes. Ideally, present a range of examples — recent and older. If you have access to examples where an attack was successfully mitigated thanks to cybersecurity measures, share those too. Finally, counteract your ripped-from-the-headlines stories with examples of how your current cybersecurity measures have helped prevent or mitigate incidents at the company. Maybe you invested in employee security awareness training and saw a drastic decrease in clicks on phishing emails. Maybe you have data on the number of breach attempts blocked by your firewall each month. Concrete examples from your company will make the investment in cybersecurity measures feel more worthwhile. If you’re proposing adding new cybersecurity measures to your tech stack, ask the vendors to share effectiveness data that can help move the needle.
4. Underscore Regulations and Compliance
Compliance requirements are top of mind for many executives: They’re a mandate, not a suggestion. As the cybersecurity expert, it’s up to you to maximize your company’s defensibility to compliance frameworks. Your executive team doesn’t need to understand exactly how you’ll accomplish this goal, but they do need to be reminded of the stringent requirements you face, and how cybersecurity measures help them be defensible. Spend a few minutes in your presentation highlighting how your cybersecurity investments help maximize defensibility to compliance requirements, including any industry regulations, state and federal requirements, and mandates from your cyber liability insurance provider.
5. Prioritize Based on Need
Getting your full cybersecurity budget approved is the ideal scenario, but it’s often unrealistic. Be prepared for leadership to approve less, and expect to make concessions. Before the presentation, make a prioritized list of areas of greatest need. Do your firewalls need to be upgraded? Is the IT team in dire need of recertifying in key areas? Is it time to invest in managed security services to free up your internal team’s time? What is most important, and what can wait? Be mindful of what’s top-of-mind for your leadership team – the bottom line – and expect that you’ll need to make some tough choices. Being prepared with priorities will prevent having to scramble later and position you as a helpful business partner who understands the organization’s larger priorities.
6. Get Guidance from a Managed Services Provider
Sometimes, you just need an outside perspective. Managed service providers like TPx consult with hundreds of clients on their cybersecurity budgets and can offer expertise specific to your industry, company size, and total IT budget. They’re invaluable partners in helping companies set priorities, save on costs, and plan for the future. The right MSP can even assist with designing short- and long-term plans to illustrate how resources will be allocated and maximized.
Leverage a Partner During Presentations
Building a cybersecurity budget is no easy task. TPx can help build a robust strategy to maximize your defensibility while lowering your costs. Get in touch to get started.