The current sharp economic contraction means that companies are under pressure to produce more (with less) while demonstrating high returns on investment.
The question often asked is: what should the budgetary priorities be? Unfortunately, because cybersecurity is barely visible (as long as it is functioning), many companies still view cyber resilience as an expense.
If you are a security leader who is desperate to defend your budget, there is an easy way to persuade management to give you the money you need. Relate your numbers to what management is really interested in (hint: ROI!).
2020 has turned out to be an important year for cybercrime, with breaches making the news far too often. For example, Marriott revealed that the personal data of around 5.2 million hotel guests had been fraudulently accessed as of mid-January. In another incident, the personal data of more than 10.6 million guests at MGM Resorts properties was shared on a hacking forum. Notably, 500,000 Zoom user accounts were listed for sale on a dark web forum.
Currently, we are at a stage where every business should be open to investing in cybersecurity. Security leaders must develop a compelling business case for it.
While it is not easy to adapt current practices, clear communication about the importance of a good faith risk assessment (not forgetting the financial factor) can encourage your management team and the board to support a transition.
Consider the following.
Run a Full Audit
Perform a detailed inspection of your current security posture. This includes recognizing where your sensitive data assets reside, who wants to access them and, more importantly, who has access to them.
Many security leaders do not realize the risks of possible data loss through recklessness or malicious insiders. Not all data presents the same level of risk, and no organization should grant an employee special rights to access all of its organizational data.
Although this can take time, it is necessary in order to get a broader view of where your security measures actually stand.
Set the Right Expectations from the Start
Cybersecurity is not a product or a service. Protecting a business from losses is the only way it can deliver a financial advantage. In making your business case, show how this could make a decisive impact on your organization's budget.
The trick is to speak the language of numbers. For example, if you can explain how a $1 investment would prevent an event that could cost the company $10, you can ask management to vote your way.
Formulate the Return on Investment (ROI)
A number of direct savings can be measured based on the size of a business, using the labor savings budget items defined as full-time equivalent (FTE) cost savings per year, together with the reduced costs of the software systems and services that aid the cybersecurity management process.
Direct savings can be as high as $100,000 to $150,000 per year for small organizations. The number for large multi-unit businesses is typically between $200,000 and $300,000.
You can also take into account the indirect costs of FTE activities, including:
- Activities related to compliance with data security requirements.
- Partnership with third-party security providers.
- Reduced cost of insurance against cyber attacks.
- Reselling cyber risk management services to consumers.
They add up to an additional four to six FTEs and savings / new income in the range of $100,000 and more.
Determine the Investment Areas
Give your management the data that will drive their investment decision. Where they are visible, focus on the threat vectors already present, such as:
- Limited and inadequate services for employee training and security awareness.
- Insufficiently recorded and enforced policies and processes.
- Undocumented proposals for untested disaster recovery and business disruption.
- Lack of device backup, patch updates, and patch practices.
Formulate a risk / reward equation using a layered security approach. You can then begin to direct your investments towards compliance detection and incident response.
Presenting Your Business Case
So you have developed a substantial and compelling business case for your organization. Now you need to present your proposal to senior management. There are a few things you should keep in mind.
What is your relationship with them? Have you been working together for a long time? Is there a shared understanding and respect between you?
If yes, then you start on a good note. You can build on it by showing the evidence and guarantees required to support your budget request.
But if you're new and haven't established a level of trust with your board members yet, you need to anticipate their expectations and prepare in advance. These decision makers must make informed choices not only for the advancement of cybersecurity, but also for the business as a whole.
Consider aspects such as the questions they may ask, where their focus is, and their general understanding of cybersecurity when dealing with your business case.
Overall, the trick to submitting a solid business case is to arm yourself with good numbers. Align your investment plan with the needs, risks and compliance requirements of your business. Additionally, knowing your organization's needs would simplify strategic planning and lead to more equitable investments.