We all know that many projects fail to deliver their objectives. According to one expert, projects usually fail due to poor project planning, a weak business case, and ineffective top management involvement and support.
Indeed, the business case plays an extremely critical role in influencing decision-makers, and many information security professionals will be compelled to produce one if they need budget approval for deeper information security investment.
Compiling a business case for information security investment should not be seen as a daunting task. Simply put, the business case really is a communication tool, which has been composed in a language that the intended audience will understand and that includes sufficient detail to enable the audience to make a decision. I recently published a blog about how the CISO should take practical steps to communicate more effectively with the board and to translate cyber risks into business terms.
A strong information security business case will ensure an organisation’s leadership makes well-informed decisions by clearly demonstrating how the intended project will help the company avoid risks or reduce costs.
One of the core elements of a strong business case is to explain the rationale behind the intended venture, which should be supported by statistics and facts. A good starting point for building the case is to use the latest statistics gathered from across a broad range of regions and industries.
PwC’s Global State of Information Security Survey 2015 highlights why companies should invest in safeguarding the organisation’s information assets: 23% of the 9,700 C-level respondents across all industries and regions detected 50 or more security incidents over the past 12 months.
Among the damaging consequences of security breaches listed were the following:
- 24% of respondents had experienced theft of processes or institutional knowledge
- 20% had internal documents or information damaged/lost
- 15% reported theft of strategic documents or sensitive financial information
- 14% had their brand compromised
- 8% faced lawsuits
- 28% of respondents said their losses amounted to more than $500,000
The next step is to compare how your organisation stacks up against industry standards when it comes to established information security measures and controls. If you are planning to implement an information security management system (ISMS), then a gap analysis of your current security controls against an international benchmark, such as ISO 27001, will be a good starting point.
Conducting a risk assessment of your existing information assets can reveal critical gaps in your current security posture that can support your business case. vsRisk™ is a software tool that helps you conduct a risk assessment simply and effectively, by providing the framework, database of threats and vulnerabilities (or risks), corresponding controls, and reports, making the risk assessment process easy and accurate. vsRisk is also compatible with a built-in documentation toolkit, which can be purchased separately, and which provides all the required policies, procedures and documents relevant for complying with ISO 27001. Reputable ISO 27001 consultancies should be able to assist their clients with developing a solid business case for implementing an ISMS compliant with the Standard. To select a reputable consultant, read my blog post about how to select an ISO 27001 consultancy.
You can view tutorials showing how vsRisk works here.