A Gartner survey[1] found 72% of business executives are mapping cybersecurity investments to business outcomes. That’s a telling percentage—and a key insight into cyber value conversations. Technologists often push back on a C-suite assumption: that cybersecurity measures only expend capital and add nothing to a business’s output.
That’s an honest assumption on one condition: if IT only argues for cybersecurity measures without communicating supporting business value, why shouldn’t executives decide to deprioritize cybersecurity investments?
Instead, we recommend technologists frame the problem in business terms for executives. Learn to speak from your executives’ business-value perspective and present solutions that address their pain points.
So how should IT teams justify cybersecurity spending at the business level?
1: Know your audience
Threat intelligence is an essential cybersecurity control, but it informs detailed decision-making more than it drives C-suite-level approval. Instead of only leveraging headlines and CTI reports to justify budget investments to your executives, start with a business proposition.
Begin by suggesting a more cost-effective approach to threat mitigation than cyber insurance—a managed SOC—and then support it by explaining how a SOC could help your IT team identify the threats most probable for your business.
2: Articulate your audience’s concerns
Take time to articulate two security principles you might have taken for granted but your board doesn’t. Outdated infrastructure can be a security risk, and security consolidation reduces endpoint vulnerability while saving money. Acknowledgement of both points reminds your executives you are aware of the concerns important to them. Consulting partners like Ascent can advise how to secure a hybrid or legacy environment in the most efficient and secure way.
3: Answer your audience’s pain points
At a broad level, most executives must avoid gaps in business continuity, theft of proprietary information or data, damage to public image or reputation, and a higher Total Cost of Ownership (TCO) than operational capacity.
Communicate the value you place on your executives’ priorities by explaining how cybersecurity reduces the risk of a breach or prepares the organization for one. Securing a food processing plant’s infrastructure and increasing identity security ensures the business’s supply chains operate without incident.
A marketing agency’s reputation means email security may be a top priority, to keep a threat actor from accessing email lists and confidential client information.
Considering each situation for your organization with a broader, sensitive outlook could lead to more productive conversations.
4: Suggest a data-supported solution
Case studies aside, your executives likely value data-supported recommendations on how to expand or simplify cybersecurity budgets during a recession. We recommend firms modernize existing infrastructure, consolidate software platforms and applications, and optimize current, up-to-date solutions.
Approaching your environment with a past, current, and future view ensures your team isn’t impulse buying new technology without maximizing the infrastructure your team already maintains.
5: Present the outcome
Once you have organized your recommendations, make sure to highlight their value for your executives. Reflect on the past state of your organization’s tech stack, briefly summarize what you have accomplished, and explain where you hope to expand your strategy for the upcoming fiscal year. Presenting your executives with a short list of essential cybersecurity controls to allocate budget against, written or explained in their language, will make a difference in your organization’s path forward.
We’ve studied the data: cybersecurity isn’t just a cost vacuum. It’s an essential operational control for business goal achievement. Ascent provides free Security Outcomes Sprint discovery sessions, evaluating and prioritizing your cybersecurity portfolio. We work with you to communicate your proposed investment through jargon-free rationalization so you can walk away with an expert-informed path forward. Reach out to info@meetascent.com for more information.
[1] Resources cited: Heyman, Ayelet. “Tech CEO Insight: Convey Business Outcomes in Cybersecurity Value Propositions,” Gartner.com. August 10, 2022. ID G00771576.