Summary: Making the business case for security and rationalizing the allocation of resources for a security project can be difficult. To help security professionals with these efforts, CISA has published a product titled “The Business Case for Security,” which provides data and considerations for senior leaders as they set financial priorities.
Analyst Note: The guide emphasizes that the cost of recovering from a security incident is often higher than the cost of implementing preventive measures. As the guide notes, “Though the cost of remediating a physical or cyber incident is quantifiable, recovering a company’s damaged infrastructure and reputation can be difficult to assess.” Developing a business case for security therefore adds value and underscores the importance of physical and cybersecurity investments within an organization. The steps for building a case for security include:
- Understanding the business’ security posture
- Identifying business assets that need to be protected
- Aligning security investments to business objectives
- Determining the right areas for investment
- Implementing a security plan and schedule
- Preparation
Original Source: https://www.cisa.gov/resources-tools/resources/business-case-security
Additional Reading:
- ISC Best Practices for Making a Business Case for Security
- Focus on Metrics: Measuring and Communicating Effectiveness
Related WaterISAC PIRs: 5 & 12