One of the keys to gaining continued cybersecurity support from senior management is presenting a convincing business case. A business case is a way to drive home the need for a comprehensive information security program. To do this, businesses should make convincing arguments for how additional investment in cybersecurity measures will enhance business productivity and, more importantly, profit. The business case should steer clear of complex technical jargon and instead use terms and descriptions that are easily understood by all roles. Specific pieces of technology should be presented in terms of how they will support key business objectives. For example, saying that a second web server is important because it eliminates a single point of failure likely means nothing to an older executive. However, telling them that clustering two web servers will ensure high availability for e-commerce, and thus better guarantee consistent profit, will sound appealing.

The business case should make heavy use of visualizations, such as illustrations and dashboards. Risk heat maps and matrices, scatter plots showing profit loss, and data flow diagrams are effective additions. Many times, cybersecurity is best sold by playing up the fear and urgency factors. Rather than describing complex attacks that sound like sci-fi plots, the business case should highlight real-life case studies. Highlighting cyber incidents that have recently occurred within the same sector can help senior management get a better grasp of how cyberattacks can affect their specific type of business. Cyber incidents that have occurred within the same city also help bring the reality home. Threat reports and articles about major incidents often describe some of the misconfigurations that enabled the attack. This is valuable for the business case if the business is using the same technologies or configurations as the ones that resulted in a breach at another organization. The reported consequences of these case studies, including the costs to the affected organizations, will really hit home for senior management.

The success of the business case plays a huge role in the amount of support and investment the information security program receives. Continued support for the program will depend on how well the consequences of security mismanagement resonate with the stakeholders. To keep it fresh in their minds and ensure continuing support, new business cases should be made for new security measures further down the line. In addition, the results of information risk assessments and reminders of the potential impact of threat events will help keep attention and support high.