Lepide Blog: A Guide to IT Security, Compliance and IT Operations

How to Build a Business Case Proposal for Information Security

Confidential data is at risk, and the threats to data are likely to increase over the next 12-18 months.

At present, analytics predict that there is a 40% chance that any organization could fall victim to an insider threat if proper actions are not taken to improve prevention, detection and response capabilities.

Why then, do so many security professionals struggle to get budgets approved for appropriate security solutions?

The answer, as we see it, is that the board are still thinking reactively. Unfortunately, it is all too common to see the board of directors take the view that because an incident has not occurred (that they know of) then it’s not a problem that needs fixing. It’s certainly not something that big budgets need to be approved for.

Many CISOs, CIOs and other security leaders struggle to convey how necessary it is to view security threats as imminent problems that must be resolved right now.

To do that, you have to speak in the language of the board, and often that takes the form of an official business case proposal. So, where do you start? In this blog, we’ll go through the sections of a business proposal that you need to have to present to the board and secure funding for data security solutions and projects.

Step 1 – Know the General Business Initiatives that Matter to the Board

In most cases, the business initiatives that your organization will be targeting can be split into two categories: growth initiatives and protective initiatives.

Growth initiatives, as the name suggests, deal with ways in which the business can grow and increase revenue and productivity. In terms of the IT and security team, this can include digital transformation, data governance, automation and other efficiency drivers.

Protective initiatives are mainly related to ensuring the business is saving time and money where it can, preventing negative press coverage, securing sensitive information and maintaining both compliance and business continuity.

Ensure you know specifically what business initiatives your company has and how your information security strategy aligns with these initiatives.

Step 2 – Understand the Specific Risks to Your Business

Once you have understood the goals of the business, you need to know what threats you are likely to face that undermine those goals. This is where you need to get as specific as possible. There are many reports and analyses that are free to read and easy to find that will provide useful facts and figures for security threats in your industry.

Be specific: include statistics that apply to companies of your size and sector. Keep the information limited to bullet points and use percentages where you can. For example, “Hospitals account for 30% of all large data breaches” and “There is a 76% chance of a data breach involving over 5 million records in the next 12 months”.

Make sure that you understand both the current risks to your data and how those risks are likely to evolve over the next few years at least. There’s plenty of speculation about how security threats are likely to evolve that you can draw from here. Ensure you relate it back to your business initiatives and how those threats might impact your goals.

Step 3 – Do an Impact Assessment

In this section of the business case, you need to align the current threats to your business objectives. If you were to be the victim of a security breach, what are the likely impacts to your business?

This could include the cost of compliance fines damaging the bottom line, the impact on share price from the negative press fallout, the job security of board members, customers lost to competitors, the cost of response and mitigation, and more.

Step 4 – Assess How Prepared You Are to Prevent, Detect and Respond to Threats Right Now

Here’s where you need to demonstrate your current abilities to detect and react to the threats that you have already suggested are imminent. If you are relying on native auditing or SIEM solutions alone to detect and react to threats, then it’s likely you’re going to struggle to be effective.

The matrix below can be used to demonstrate your effectiveness. Make sure you rate your effectiveness against the specific threats you are likely to face, such as ransomware, insider threats and privilege abuse.

Capability   Threat 1   Threat 2   Threat 3   Threat 4
Prevent      Low        Low        Moderate   Low
Detect       High       Moderate   Low        Low
Respond      Low        Low        Moderate   Low
Recover      High       Moderate   Low        Low

You can also take time to go through your current methods for data breach detection and prevention. If you are not currently using third-party vendors to assist you, it is likely you will be able to demonstrate that your capabilities are not suited to the risks that these threats pose.

Step 5 – Do a Risk vs Cost vs Likelihood Analysis

This is probably the most important section of your business case when you are presenting it to the rest of the board. Identify the threats, find out how likely you are to experience them in the next 12 months, estimate what a breach would cost your organization, and estimate the approximate cost of the solutions. From those figures you can work out your ROI.

This might look like the following (completed for a hospital in the USA):

Likelihood of falling victim to a data breach                 27.7%
Average cost of a compliance fine                             $5,500,000
Average cost of a data breach in the healthcare sector        $6,450,000
Total Impact                                                  $11,950,000
ROI = (Total Impact × Likelihood) – Cost of Solution ($100,000)
ROI per year                                                  $3,210,150

Worked through: the expected annual loss is 27.7% × $11,950,000 = $3,310,150; subtracting the $100,000 cost of the solution gives an ROI of $3,210,150 per year.

We have created a free sample business case whitepaper that you can download and personalize for your organization.

We also ran a webinar on how to create the perfect business case for information security. The recording of this can be accessed here.

If you’d like help creating a detailed, bespoke business case, schedule a free risk analysis with one of our experts.