Arno Livens

How to convince management to get a budget for a cybersecurity strategy in your organisation?

Updated: Mar 2, 2023

Anyone who has presented a cybersecurity strategy and requested additional funding or budget to implement it in an organisation will recognise that this is not a simple discussion to have with senior management, for several reasons.

  • Lack of understanding: Senior management may not fully understand the importance of cybersecurity, or the potential risks and consequences of a cyber attack on the organisation. This can make it difficult for them to justify the cost of implementing a cybersecurity strategy, whether that means purchasing cybersecurity products and services (next-generation firewalls, email filtering, endpoint protection) or outsourcing this to an MSSP (Managed Security Services Provider), like Lockdown IT.

  • Cost considerations: Implementing an in-house cybersecurity strategy (with all the cybersecurity hardware, software and security team personnel) can be very expensive, especially for organisations with limited financial resources. Senior management may be reluctant to allocate funds to cybersecurity when there are other pressing financial needs or priorities. That is why the easy-to-procure, monthly pricing on our MDR (Managed Detection and Response) and Cyber SOC (Security Operations Center) services makes them a much more cost-effective option and an easier case to put to senior management.

  • Lack of measurable ROI: Unlike other investments, such as marketing campaigns or product development, the return on investment (ROI) for cybersecurity is not always easy to measure. Senior management may be hesitant to allocate resources to something that does not have a clear and measurable ROI. This is especially difficult to explain to a numbers person, such as the CFO or someone else in financial management.

  • Perception of low risk: Some senior managers may perceive their organisation as too small or too low-risk to be a target of cyber attacks. This can lead to a false sense of security and make it difficult to justify the cost of implementing a cybersecurity strategy. In our team's experience, it is not a question of if a cyber attack will take place, but when. We have seen many organisations make this mistake; when they are then hit by a cyber attack or ransomware incident, they want to spend money reactively to resolve it, and remediation at that point can cost far more than prevention would have.

  • Lack of compliance requirements: Organisations that are not subject to industry or regulatory compliance requirements may not see the need to implement a cybersecurity strategy, and senior management may view cybersecurity as an optional expense rather than a necessity. Senior management may also lack accurate, up-to-date information on cybersecurity risks and incidents within the organisation; this lack of visibility reinforces a false perception of low risk.

So how does a person in IT get senior management or the board to understand why budget and funding need to be allocated to implementing a cybersecurity strategy?

Establishing this budget is one of the most difficult problems a corporation faces, and there are a number of measures that must be taken first.

These include identifying control gaps, grading and prioritising risks, and reviewing the solutions for mitigating the priority risks, which is best accomplished with the assistance of subject matter experts.

Step 1: Identify the costs associated with the cybersecurity strategy.

The first step in calculating the ROI (Return on Investment) of a cybersecurity strategy is to identify the costs associated with implementing the strategy. This may include:

  • The cost of purchasing and implementing cybersecurity tools and technologies.

  • The cost of hiring cybersecurity personnel or outsourcing cybersecurity services.

  • The cost of training employees on cybersecurity best practices.

  • The cost of conducting cybersecurity audits and assessments.

  • Any other costs associated with implementing the cybersecurity strategy.

Step 2: Estimate the potential benefits of the cybersecurity strategy.

The next step is to estimate the potential benefits of the cybersecurity strategy. This may include:

  • The potential reduction in the frequency and severity of cyber attacks.

  • The potential reduction in the cost of recovering from a cyber attack.

  • The potential reduction in the cost of complying with industry or regulatory cybersecurity requirements.

  • The potential increase in customer confidence and trust.

  • Any other potential benefits associated with implementing the cybersecurity strategy.

Step 3: Calculate the net benefit of the cybersecurity strategy

Once the costs and potential benefits of the cybersecurity strategy have been identified, the next step is to calculate the net benefit of the strategy. This is done by subtracting the costs from the potential benefits.

Net Benefit = Potential Benefits - Costs

Step 4: Calculate the ROI of the cybersecurity strategy

The final step is to calculate the ROI of the cybersecurity strategy. This is done by dividing the net benefit by the cost of implementing the strategy and expressing the result as a percentage.

ROI = (Net Benefit / Cost) x 100%

For example, let's say an organization spends R500,000 to implement a cybersecurity strategy, and estimates that the strategy will reduce the cost of recovering from a cyber attack by R1,000,000.

The net benefit would be R500,000 (R1,000,000 - R500,000).

The ROI would be 100% ((R500,000 / R500,000) x 100%).
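The four steps above as a small calculator, added here as an example and not part of the original post. It itemises costs (Step 1) and benefits (Step 2) so the totals are auditable, reproduces the post's R500,000 / R1,000,000 figures, and goes one step further: the helper that turns "reduced frequency and severity of attacks" into a rand benefit (incidents per year times cost per incident, before and after) is an assumed model, not one the post prescribes, and every figure in the sample case is constructed.

```python
# Added example, not from the original post. All rand figures are constructed.

def net_benefit(costs: dict, benefits: dict) -> float:
    """Step 3: Net Benefit = Potential Benefits - Costs (totals of each list)."""
    return sum(benefits.values()) - sum(costs.values())

def roi_percent(costs: dict, benefits: dict) -> float:
    """Step 4: ROI = (Net Benefit / Cost) x 100%.
    A zero or negative total cost makes the ratio undefined, so refuse it
    rather than report a misleading number to the board."""
    total_cost = sum(costs.values())
    if total_cost <= 0:
        raise ValueError("total cost must be positive to compute ROI")
    return net_benefit(costs, benefits) / total_cost * 100

def expected_loss_reduction(freq_before, cost_before, freq_after, cost_after):
    """Assumed model (not from the post): annual expected loss is
    incidents per year x cost per incident; the benefit is the drop in
    expected loss once the strategy is in place."""
    return freq_before * cost_before - freq_after * cost_after

# The post's own worked figures: R500,000 spent, R1,000,000 recovery cost avoided.
POST_COSTS = {"cybersecurity strategy": 500_000}
POST_BENEFITS = {"reduced cost of recovering from an attack": 1_000_000}

# Constructed itemised case following the Step 1 and Step 2 lists.
SAMPLE_COSTS = {
    "tools and technologies": 300_000,
    "MDR / SOC subscription (12 months)": 240_000,
    "staff awareness training": 40_000,
    "audit and assessment": 60_000,
}
SAMPLE_BENEFITS = {
    # assumed: 0.5 incidents/yr at R2,000,000 each -> 0.1/yr at R800,000 each
    "reduced attack frequency and severity":
        expected_loss_reduction(0.5, 2_000_000, 0.1, 800_000),
    "avoided compliance penalties": 150_000,
}

if __name__ == "__main__":
    for label, c, b in (("post example", POST_COSTS, POST_BENEFITS),
                        ("sample case", SAMPLE_COSTS, SAMPLE_BENEFITS)):
        print(f"{label}: cost R{sum(c.values()):,.0f}, "
              f"net benefit R{net_benefit(c, b):,.0f}, "
              f"ROI {roi_percent(c, b):.1f}%")
```

A negative net benefit gives a negative ROI, which is the honest answer when a proposed spend exceeds the loss it avoids.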

It's important to note that calculating the ROI of a cybersecurity strategy can be challenging, as there may be intangible benefits that are difficult to quantify, such as increased customer confidence and trust. Additionally, the ROI may vary depending on the organization's specific circumstances and the nature of the cyber threats they face.
