How To Ask Management For A Cybersecurity Budget: Making Your Business Case

In the past, cybersecurity has often been perceived as a nuisance (a necessary evil even), but this view has evolved over the years, and today, cybersecurity has become a very important business unit, right up there alongside marketing and sales, requiring a budget of its own.  Why?  The reason is clear.  Without cybersecurity, companies simply cannot function, let alone thrive.  This post aims to provide the reader with ammunition in order to be able to speak the language of and resonate with C-suite level executives.  Something of immense importance particularly when it comes to making the case to get the budget you need to achieve a robust security posture for the company’s network.

Let’s begin by acknowledging that it is high time for a mindset change.

By that, I mean that security people need to start changing how they think of themselves and their roles in the company.

The most common objection we hear when discussing the budget with management is, “Why do you need more money if nothing has happened?”, or worse yet, “Why do you even need any money if nothing has happened?”.

We need to start by changing our own mindset and realizing that security is not an expense. We are not a cost center. We are, in a way, a form of insurance yes but do not approach the conversation from that angle since insurance is, at the end of the day, a cost and it does not produce revenue.

Showing the Total Cost of Ownership (TCO) is also not a good approach because we’re still talking about cost (we’ve already discerned how that’s not a good approach) but also, the actual TCO of a security solution, to be properly evaluated, needs to include “your” time. If you do not factor that in, your CEO will; and when he does, you yourself have just become a cost – and costs always need to be reduced so there is that.

The language CEOs understand is one of ROI and profitability.

That’s how conversation needs to go down.

From its definition (ROI = Net Profit over Total Investment times 100 or NP/TI * 100), ROI must be greater than 100 or we have lost money. Our job is to show that the ROI of cyber security investments is greater than 100. That there is indeed a Net Profit to this equation.

We know that gross profit margin is defined as ((Revenue – Cost of goods sold) / Revenue) X 100

A positive ROI contributes to the gross profit margin by either increasing the revenue or decreasing the cost that it took to produce that revenue. Cost reduction is achieved as cost avoidance – if you do not get attacked, you do not incur the recovery costs, which can be very high.

To cite a well-known attack that was in the news for a period of time, Target lost $202M at the end of 2013.  Between loss of records, notifications to clients, forensics, image, loss of revenue, and loss of stock value, the retail giant lost 46% of revenue for the season.  Ouch.

Could your company survive such a hit?

Thing is, if you do not get attacked, you do not incur the costs of an attack. So now the burden is on us, the security guys, to determine how much a security incident could cost our company.  For starters, 60% of small business that suffer a cyber-attack end up going out of business within 6 months. Now, THAT’S a cost.

There is actually a formula to calculate the return on security investments, as proposed by the SANS institute:

ROSI = (ALE x Mitigation Ratio – Cost of solution)/ Cost of solution

ROSI means Return on Security Investment

ALE means Annualized Loss Expectancy and represents the estimated amount of money that will be lost in a single security incident multiplied by the estimated frequency that a threat could strike within the same year.

Mitigation Ratio is an approximate number based on mitigation factors that depend on actions the company is taking to reduce the risk (i.e. having real time backups vs daily backups).

Cost of the solution is clearly what you will spend to avoid the risk altogether. High costs can ultimately negate the value of the solution, if the ROSI ends up being lower than one.

What do you evaluate as part of cost avoidance?

What is the cost of poor security?

That depends a lot on your company and your industry. In general, you will need to consider the time spent diagnosing the issues; time employees spend idling because they do not have a computer to use; loss of productivity; cost of IT personnel to fix the issues and to improve security so the incident does not recur; cost of the new security solutions; cost of forensics analyses, especially when this is required by laws and regulations; and let’s not forget the loss of image, which could be quite incalculable at times. If you are providing something that’s perceived as a commodity, the impact caused by a security incident on your credibility factor may very well propel your clients/customers towards your competitor, and never return.

Even for small companies, where the potential loss is usually <$50,000 per incident, the frequency at which an incident can happen again does justify large ROSIs. Cybersecurity may seem somewhat like a cost; but an attack is clearly and irrefutably one, and it can be a large one.  Substantially large enough to send you out of business. How many small and medium companies (and frankly even large ones) have sufficient cash reserves to continue conducting business even in the face of a 46% revenue loss for several months in a row?

It should be clear from all this that proper cybersecurity delivers ROI in the form of cost avoidance; and the avoided cost, albeit just estimated, can be truly very high, all the way across ‘the entire company’.

Another way of showing how security contributes to the profitability of a company is that it delivers positive ROI (it actually contributes to the revenue, therefore increasing the profitability), is by understanding that in 2019, it has become virtually impossible to do business without proper security. Being able to show to your business partners and clients that you take cybersecurity seriously has become a keen business advantage.

In this day and age, it is near impossible to even do business if you can’t demonstrate proper cybersecurity measures. Companies have learned to conduct due diligence on their vendors and partners; and part of this not only encapsulates a review of financial reports and other aspects of the business itself but also the security posture of prospective business partners.

Security has become non negotiable.

What this means is that in 2019, without proper security, you will find it impossible to conduct business let alone achieve any measure of sustainable success.  Security is no longer something undertaken grudgingly.  Today, security is an important, integral part of every sound company intending to stay in business for the long haul.  Security delivers a positive ROI based on the simple fact that without security, there simply is no company. Security directly contributes to a company’s revenue because without it, there will likely be no revenue at all.

Furthermore, proper cybersecurity provides a real business advantage and true differentiating factor, at a time when still far too many companies are not taking this issue seriously enough.

To conclude, let’s all stop thinking of ourselves as a cost center and some kind of necessarily evil. Let’s consider that cybersecurity is now a profit center, a business unit without which a company might not even exist. When asking for a budget for your department, do not be shy and do not think of it as a cost the company may not be able to afford. Demand the best, and expect to be heard because without you, without cybersecurity, your company would quickly cease to exist.

You are not a nuisance.

You are a fundamental part of the business.