The cybersecurity threat landscape isn’t getting any easier. From AI-driven cybercrime to phishing attacks and the prevalence of personal devices in the workplace, cybersecurity professionals have an increasingly long list of threats to manage.
Protecting corporate data is made harder by a dearth in funding. Yes, 91 percent of companies have increased cybersecurity budgets in 2021, according to IDG research. But IDG also found that new cybersecurity hiring is flat, and many long-range security projects have been sidelined this past year. Security professionals are having to do more with less.
Unless security professionals sell executives on greater cybersecurity investment, that is.
Organizations are waking up to the importance of proper cybersecurity, but getting additional funding for new security initiatives still is tricky. Defensive spending for the intangible benefit of enhanced security is always a hard sell, even in the age of digital transformation.
The chances of success are better with a good pitch, though. With that in mind, here’s how to craft a cybersecurity proposal that has the greatest chance of securing additional corporate funding.
Step 1: Research Your Audience and the State of the Business
Cybersecurity proposals are fundamentally about sales; additional security funding comes from selling a vision to senior executives. So just like the sales team, the first step in securing additional cybersecurity funding is the due diligence of learning the interests and focus of the decision-maker—in this case, senior management. Every good sales pitch is tailored to a specific audience.
This means not only having a good understanding of what senior management wants, but also what the business needs. What are the current pain points within the business overall, what new products, markets or special projects are taking place? Where could additional cybersecurity investment advance company priorities and assist with company goals?
Know your target.
Step 2: Map Security Risks to KPIs and Business Goals
Most businesses have a wide range of key risk indicators and other security metrics. These are useful for the security team, but they have less direct value to the executives who will greenlight additional cybersecurity funding. As a result, map security metrics to overall KPIs and business goals so the connection between security and business objectives is clear for your non-technical audience.
Look to map all security outcomes back to overall business outcomes to reinforce the business case for additional security investment. Pay particular attention to the connection between security metrics and new company initiatives, as well as areas that have been identified as particularly important to those in the C-suite.
Step 3: Conduct a Security Assessment and Prepare Your Plan
The plan itself is of course the foundational of your proposal, so once you have a solid grasp of the needs of your audience and how security metrics translate into business outcomes, assess the specific cyber risks and both the possible and recommended solutions for addressing those risks. Include specific technologies and budgets, but always tied to how these impact overall business goals.
Some components that might be of specific interest to executives include:
Risk management. How additional funding will specifically reduce company risk, and by how much.
Compliance management. How the proposal will strengthen compliance mandates and minimize the chance of regulatory violation around privacy and data security.
Accountability by role. Who is responsible for each part of the security proposal in terms of both implementation and ongoing support.
Costs. The specific costs for each part of the plan, why they are necessary, and how they impact the intended business outcomes.
Step 4: Develop an Elevator Pitch and Overall Narrative
Almost as important as plan specifics is an easy-to-understand narrative that easily communicates the overall vision of the cybersecurity proposal. This narrative should be simple, easy to understand, relatively non-technical, and align with overall business goals. The plan contains the specifics, but the narrative is the simple idea that executives will remember and largely use to judge the relevancy of the proposal.
Part of building this narrative is crafting an elevator pitch, a simple summary of the plan in a few short sentences. This elevator pitch serves as a short version of the overall plan, a clarifying agent for keeping the proposal focused, and a concise pitch that can be given verbally to prepare executives for the written proposal if the right opportunity presents itself.
Step 5: Gather Stats and Create Visuals
The story of why greater cybersecurity investment is needed must be simple, easy to grasp, and facts-based. Statistics and metrics that tell the story and show both the problem and the solution are critical for getting additional investment, so look for data that backs up every part of the plan.
Turn particularly key data into simple graphs and visual representations that further paint the obviousness of the proposed security investment. In preparing these visuals, challenge yourself to see if the graphs and visuals can communicate the essence of the proposal even without the written portion.
Step 6: Prepare a List of Objections to Overcome
Most likely there will be some pushback to the proposal, even if the objections are just testing the soundness of the plan. No good salesman goes into a presentation without a clear sense of the objections that might be raised and how these objections will be addressed. So once the proposal is complete, go over it several times with an eye toward the issues and questions that could come up during the presentation.
Give substantial time to this part of the preparation because it could be the difference between success and failure. Have several colleagues review the proposal prior to presentation with an eye toward possible objections, both readers who deeply understand cybersecurity and those who are more general in their understanding.
Some common objections include:
> We don’t have the budget for this.
> Haven’t we already invested in this?
> Isn’t our current technology adequate?
> This isn’t a pressing need and there is a better use of resources.
> We’re focused on growth right now, so what’s the ROI?
> Are there less expensive or “good enough” solutions to this problem?
> I don’t understand the need for this.
> This doesn’t sound like it will work.
No cybersecurity investment proposal is truly fool-proof, just like no security solution is 100 percent effective. That said, these six steps for crafting a cybersecurity investment proposal will definitely raise your odds of success.
For more on how to sell the C-suite on greater cybersecurity, read our post, Six objections to greater cybersecurity investment—and how to overcome them.