Like home maintenance or car insurance, the value of IT security is hard to see until something goes wrong. The challenge is especially difficult for small and midsized companies, which have limited budgets and would rather spend on things with a more visible, hard ROI. Spending on information security is expected to reach $124 billion in 2019, up 8.7 percent from 2018, driven by high-profile data breaches, increasing regulations and rising privacy concerns, according to Gartner. While they don’t necessarily generate headlines, the number of breaches at SMBs is up. A Ponemon Institute study reports that 67 percent of SMBs experienced cyberattacks and 58 percent experienced data breaches in 2018, up from 61 percent and 54 percent respectively in 2017. In 2019, Verizon reported that small businesses were the victims in 43 percent of all breaches.
Here are seven ways to convince your management to loosen the purse strings:
1. Emphasize that strong security is table stakes for the best clients. More and more customers require their vendors to undergo security audits and prove compliance with security regulations and best practices. Having a strong, and verifiable, security posture gives your company a leg up on the competition and increases the chances that you’ll retain customers.
2. Don’t be alarmist. Come armed with data on the costs of a cyberattack or data breach, but avoid fear-mongering. Management has heard nothing but scare tactics for years. Look for real-life examples of what happened to companies similar to yours to show how a breach dampens (or stops) productivity, prompts customer flight, damages reputation and incurs costs.
3. Highlight the cost of non-compliance with regulations. Point out the increase in data privacy regulations at the international and state levels. Worldwide, data privacy regulation is on the rise. The European Union’s General Data Protection Regulation (GDPR) is well known, but other countries already have or will soon implement similar laws. Brazil’s data protection law, for example, goes into effect in February 2020. In the United States, California’s Consumer Privacy Act goes into effect in January 2020, and other states are considering similar laws.
4. Show, don’t tell. Bring data that highlights where your company is the most vulnerable. Bring the results of your latest penetration testing, as well as any evidence you have of hacking attempts.
5. Speak in business terms. Be careful about using too much technical language. Focus on the business case. How does the lack of security impact the operation of the business? How could it reduce revenue and profit? If you can make a compelling case in business terms, you’re more likely to win the support of senior leadership.
6. Emphasize the costs to respond to a breach. In the Ponemon SMB survey, respondents spent an average of $1.43 million in the aftermath of a breach, a 33-percent increase from the previous year, because of damage or theft of IT assets. Disruption to operations cost an additional $1.56 million, a 25-percent increase. Some costs of a breach may be covered by cyber insurance, but getting a good policy requires having a solid security program and controls.
7. Prioritize your “ask.” Rather than risk overwhelming your boss, narrow requests down to fixing the most immediate and most important vulnerabilities. Consider providing several options to give leaders a choice, which serves to invest them in successfully upgrading security.
Finally, be ready to explain how you will measure ROI. As noted above, returns on security spending are notoriously hard to quantify. Traditional ROI weighs investments against potential savings or revenue increases. In IT security spending, you’re weighing investments against the potential impact of NOT investing in security. But those impacts are becoming more real, and higher, each day, which makes it harder for executives to justify taking such risks with the business. By following these seven steps, you can show them just how real and dangerous these risks are.