This blog post on developing a security business case is part of a multi-part series on designing an information security program in alignment with your most important business objectives.
CISO Role (Part 1) | Security Org Structure (Part 2) | Budgets (Part 3) | Business Cases (Part 4) | Build a Team (Part 5)
The security executive must be able to develop an effective business case that clearly articulates the business value of taking on security initiatives. The business case is a crucial tool in your executive arsenal because it is the bridge between technical jargon for the security professional and clarified business value for executive decision makers.
Without compelling business cases to support them, security programs are doomed to be undervalued by executives and subsequently fail. However, if you can nail the business case, you can consistently build a security program perfectly aligned to the business’s most important objectives.
What a Business Case is and What It’s Not
As they say, “great power comes with great responsibility”. So, before you create a business case that will help get projects approved, let us examine the intent and ethics of a great business case.
The Business Case IS:
- A genuine evaluation of the opportunity’s business value. This includes the potential outcome that the initiative does not add enough value to justify the investment.
- A validation that the security initiative is in alignment with business objectives and not just a solution to a non-existent problem.
- A validation that the security initiative has quantifiable return on investment for the business.
- An opportunity to clearly communicate a request to non-technical business leaders.
- An opportunity to drive decision making in an efficient and decisive manner.
The Business Case IS NOT:
- About politicking to get your way at the expense of the business. If your personal interests and the business’s interest are in conflict – choose the business every time. (You may be able to get away with this once or twice, but eventually it will ruin your credibility.)
- About “Fear, Uncertainty and Doubt (FUD)”. Appealing to the “cybersecurity boogeyman” should not be viewed as an option and will only convince the most uneducated and conservative members of leadership. Develop a legitimate business case that reveals undeniable business value and validates your project decision. If FUD is your only reason for moving forward on a project, you have to ask yourself: “Does this really add value to the organization?”
In short, be ethical and make decisions that are in the best interest of the organization. Be humble, and do not be afraid to disqualify your own project if it does not make sense for the business.
Six Essential Elements of an Effective Business Case
An effective business case comes in many shapes and sizes and will vary widely based on the intended audience. However, if you are appealing to executive decision makers here are six foundational principles that will take your business case to the next level.
We will use the request for an additional security resource as our example in the following steps.
Step 1: Start with the Bottom-Line Up Front (BLUF)
Elizabeth Larson and Richard Larson, authors of “Creating Bulletproof Business Cases”, say it best: “Assume the Audience is Impatient”.
A safe assumption is that executive decision makers are busy and want to get to the point fast. As a result, you should start with a clear definition of the problem, a simplified and well-articulated request, as well as expected positive business outcomes. Put the “bottom line up front”.
Here are three key elements to a business case BLUF:
- Executive Problem Statement: Why does this matter to the executive team and what is the potential negative consequence to the organization if it fails to act?
- Clear Asks from Leadership: Clearly articulate your request from leadership. The request should include what you want and when you need it.
- Expected Benefits: This is where you summarize your analysis into 3-5 positive business outcomes the organization can expect from an affirmative decision to act. Do not make any outlandish assertions, and be sure any expected benefit is proven out in your cost/benefit analysis (Step 3).
Step 2: Clearly Articulate “Why We Need This”
Often, executive decision makers do not have clear visibility into the current state or the benefits of an improved future state. Clearly defining the problem and the positive business outcome(s) as a result of the solution helps answer the “why” behind your recommendation.
- Current Program Shortcomings: This section should clearly outline the current challenges faced by the business that are driving your request. Do not place blame, use inflammatory language, or exaggerate your claims. Be concise, direct, and try to quantify the problem.
- Desired Future State: The desired future state should outline how your request will solve the current program shortcomings. While the “desired future state” should be concise, be prepared to produce evidence for all of your assertions in your cost/benefit analysis (Step 3) or in a detailed appendix.
Step 3: Build a Cost/Benefit Analysis That Leaves No Doubt
The cost/benefit analysis is an opportunity to validate your request and leave no doubt in the mind of executives. The cost/benefit analysis is all about validation, first to yourself, and second to the leadership team charged with approving the request. The cost/benefit analysis should be an intellectually honest review of the opportunity costs, the potential benefits, and financial impact of the decision.
As we discussed before: Be humble, and do not be afraid to disqualify your own project if it does not make sense for the business.
Here are the key elements of a cost/benefit analysis:
- Cost Summary: Summarize the cost of the decision to the organization. Include items like monetary costs, effort and resources, and opportunity cost. Be earnest in your assessment of the cost to the organization. If the financial analysis is complex, include a summary up front and a detailed financial analysis as an appendix. Be sure to vet any financial analysis with other stakeholders in advance of presenting your business case (Step 5).
- Benefit Summary: For most security-oriented projects, the benefits should be outlined in terms of cost savings (time and money), support of revenue generation, or better risk management posture. Ensure that the benefits solve the “executive problem statement” from Step 1 and align to the “why we need this” assertions in Step 2.
- Return on Investment: Most decisions ultimately come down to return on investment. Clearly articulate the costs and the value of your request. The benefits should so clearly outweigh the costs that leadership has no problem signing off.
Tip: Some organizations may have a required rate of return (RRR) to move forward with a project. If your organization has a formal capital project request process or defined RRR, be sure to align your business case with the defined methodology. This level of formality is most common in large enterprise organizations and government entities.
Step 4: Include an Appendix with Additional Detail that Anticipates Questions
Your business case should include an appendix with further detail to support your business case and answer potential questions. An appendix helps declutter the body of your business case, while providing relevant details so leadership can make an informed decision that is best for the organization.
Here are three considerations when preparing your supporting detail:
- Anticipate Questions: Try to anticipate the questions executives will likely have and answer them. One exercise I often perform is to write down a list of questions in plain English that I would ask if I were an outside party. Then, I have answers prepared for each question available in the appendix.
- Cite Sources and Research: Any details you provide should have supporting evidence and research (not just assertions or supporting anecdotes). Common resources may include detailed financial analysis, third-party reports, authoritative guidance or research, and quotes from other executives.
- Provide Complete Information: Provide complete details of your analysis – even if it does not support your recommendation. For example, if your research reveals that certain challenges are likely to present themselves, it is important to provide the detail. Most big decisions have their downsides and it is okay to recognize that. Providing complete details helps prove your business case is authentic and complete, giving executives comfort and assurance that they can trust your analysis.
Tip: The Project Management Institute publishes a solid overview of preparing the details of a business case. It may be a useful guide in preparing a detailed business case appendix.
Step 5: Validate Assumptions and Socialize the Business Case Before Presentation to Leadership
While we are calling this “step 5”, assumption validation and socialization should really be integrated into every step of building a business case. As a security leader, your job is to build bridges, educate, and empathize with others. To support your mission, here are the two key elements of validation and socialization of decision making:
- Sanity-Check Your Assumptions with Other Business Leaders: It is natural to walk into any decision with a set of assumptions and a hypothesis. As a leader, you have to follow your gut. However, it is vital to sanity-check your thinking and validate your hypothesis with other leaders in the business. This exercise will help to gain additional perspective, adjust your approach, and facilitate successful organizational change.
- Build Advocates, No Surprises: The bottom line is that to get things done in an organization, you cannot work in a silo. You need to “sell the brand” internally to help drive change. As a result, building a business case should include collaboration at every step in the process. Ask other leaders for advice, validate and challenge assumptions, and understand the impact of your project on other teams. In fact, there should be so much collaboration that the formal presentation of your business case to leadership is a mere formality: if done methodically, every leader should have already seen the material, blessed it, and be ready to approve it.
Step 6: Move Decision Making Forward When Momentum Stalls
A common outcome of a business case presentation is a non-decision. Business leaders may be hesitant or “need time to consider” a decision. This is where you risk losing momentum and weeks and months go by with no action. Other priorities arise and your big project is deprioritized to the grave.
Here are three tips to help avoid this fate:
- Ask These Two Questions: If leadership is cautious to make a decision, try to understand their hesitation. Often, they need additional information or there are factors outside your visibility impacting the decision. Here are two questions to ask:
  - What additional details can I provide to help you make a decision?
  - Are there factors outside my visibility that need to be analyzed to make a decision?
- Get a Commitment on Next Steps: I have been in many meetings where decision making stalls. The decision maker cannot or will not provide clear feedback and it becomes clear a decision will not be made during the meeting. In these cases, do not let ambiguity win the day. The best course of action is to ask for a clear next step. One of my favorite techniques is to recap action items and get a second meeting scheduled before the current meeting closes.
- Follow Up Regularly: Decision makers are busy and often appreciate (respectful) follow-up reminders. Keep this important decision at the top of their mind and help them prioritize it without letting it fall by the wayside. While following up is essential, also be cognizant of where your project falls in the grand scheme of things. If you get the feeling leadership is letting you down easy, take the hint and reassess next steps.
With these six steps, you will be able to clearly articulate the business value of taking on security initiatives.
Executives can cut through technical jargon and security buzzwords and understand the business value and return on investment of taking on the project. You can cut through ambiguity and expedite the decision making that moves your initiatives forward.
If you can nail the business case, you can consistently build a security program perfectly aligned to the business’s most important objectives.
Let’s Talk About Developing and Keeping Top Security Talent
If you have found parts 1 – 4 of this series valuable, stay tuned for part 5, where we discuss the must-have skill of any leader: developing and keeping top talent. We will discuss how to avert the abysmal retention rate and build a team that top talent begs to be a part of.