Justifying Security: How to Get Projects Funded

By | Feb 28, 2012

Security professionals and business professionals share something in common with medical professionals: They all agree that a small measure of prevention is preferable to a large measure of cure. But justifying security program improvements to executives can be a challenge. How can you get your senior executive to spend a small measure on items like DLP and breach and hacking prevention instead of spending large measures of time and money on security cures?

What is needed is an executive level story that blends fact, feeling, and consequence to get the senior level support and approval required. You need something called justification.

What Is Justification?

Justification is referred to by many names, including business justification, business case, impact analysis, and cost-benefit analysis. Justification is the process of creating a fact- and finance-based story (it could be a document, report, or presentation) that conveys relevant facts to executive-level decision makers, helping them understand a problem (not enough security) and agree to a recommendation (more security).

The high-level steps to developing a well-crafted justification are not difficult. Each organization might have its own unique process, but generally, there are common questions and concerns that are answered by a good justification:

  1. Why change: What is in place now, and what is the evidence that it is inadequate for us?
  2. Change what: What do you recommend and why? What else have you considered? And how much time and capital will it cost?
  3. What if: What are the risks and rewards of action, inaction, or some scaled-back action?
  4. What is the plan: Who will do it? How can we be assured it will succeed? How will we know it worked?

An organization's executive team has the challenge and responsibility to make high quality informed decisions that result in the business becoming better: stronger, smarter, more efficient, and more profitable. A well-constructed and well-reasoned justification will connect and relate how investing in something (spending more on security) will help the business better accomplish its goals.

Developing an effective justification requires being able to answer an important question, specifically, how strong is the case for change? That means you must have detailed answers to the questions above.

Additional considerations

The business case considers a large number of broad-ranging yet specific sets of information that help your executives to see and agree with your facts and recommendations. In addition to the four key questions above, there are several other matters to consider as you develop and construct your case for change, some of which include the following:

  1. Timing: Does this need to be done now? Make sure that you don't ask for approval for a project that would interfere with seasonally difficult times (examples may be the end of the year, or the end of the fiscal year). If your case is compelling, make sure the timing of it is as well.
  2. Risks: Make sure you have considered and addressed any reasons to avoid approving your project. Do you have a capable team? Is this a proven solution? Have there been previous project failures that make this project look more risky?
  3. Sensitivity testing: As you consider your reasoning for how your project will benefit the business and what it will cost, make sure that your assumptions are correct. Use sensitivity testing to understand how strong your case is if the benefits are lower and costs are higher than expected.
  4. Other projects: Your executive and financial team will have other projects to consider in addition to yours. The costs and benefits, as well as the risks and timing of your project, will be compared and weighed not only against all other projects, but also against the priorities of the business.

It is a helpful exercise to place yourself in the vantage point and perspective of your senior executives, who will dispassionately consider how to act upon your project. Ask yourself, as they will ask themselves, "How well will this investment choice improve our business in comparison with the other available choices?" If you select a well-reasoned and well-timed project and provide a strong justification that considers other risk factors, then even if your project is not initially approved, you will have positioned yourself well for approval in the future.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
