Crafting Security Business Cases for Executive Buy-in

Key Takeaways:

  1. Here’s the bottom line: Executives don’t fund security initiatives; they fund outcomes. A strong business case is essential to get their support.
  2. Focus on Impact, Not Activity: Executives care about how your proposal boosts business outcomes, not your list of security tasks.
  3. Show Value Beyond Compliance: Prove that security investments enable growth, reduce risk, and give your company a competitive edge.
  4. Quantify Risks and Benefits: Use statistics and real-world examples to demonstrate how security measures can save money or prevent significant losses.

What’s the Real Deal with Business Cases for Security?

Let’s be real: writing a business case for security, fraud, or IP protection can feel like trying to convince your dog to do your taxes—it’s tough and often gets ignored. Unlike departments that directly generate revenue, these functions are often viewed as “cost centers.” But the truth is, they’re vital for preventing catastrophic losses. Think about it: how much would a major data breach, insider threat, or IP theft cost your company? Exactly. That’s where your business case comes in.

If you want executives to take your proposal seriously (and fund it), you need more than just a list of security threats or the need for more budget. You need to speak their language. Executives want to know how your proposal will reduce risk, drive growth, and improve profitability. If your business case doesn’t hit those marks, expect a polite nod and zero budget. So how do you get the green light? You need to answer these seven crucial questions in your security business case.

7 Key Questions Executives Care About – Linking Security to Strategic Outcomes

The challenge is proving that security isn’t just about checking boxes or avoiding fines—it’s about tangible business outcomes: protecting revenue, improving customer trust, and enabling expansion into new markets. If you can’t connect security investments to these results, your proposal won’t make it past the trash can. So, let’s dive into the key questions executives are really asking when reviewing your case.

Question 1: What’s the Impact?

Executives want to know how your security investment will improve business resilience, customer trust, or revenue. Security isn’t just about defending against threats; it’s about keeping the lights on, ensuring smooth operations, and even opening new markets. Can your proposal do that? If not, it’s not going to get approved.

Useful strategy metrics for security business cases include:

  • Brand Equity (measured through surveys)
  • Customer Lifetime Value (CLV)
  • Net Promoter Score (NPS)
  • Revenue impact from security investments
  • Customer Trust Index (measured through surveys)
  • Employee Engagement Score

Question 2: Will This Stop Downtime (and Make Us Look Good)?

Downtime is the nightmare that keeps executives up at night. Every minute of downtime can cost your company thousands of dollars. Worse, it leads to frustrated customers and a PR disaster. You need to show how your security initiative prevents downtime, ensures business continuity, and (let’s be honest) makes the execs look like rockstars.

Useful strategy metrics for security business cases include:

  • Cost of Downtime
  • Recovery Time Objective (RTO)
  • Recovery Point Objective (RPO)
  • System Uptime Percentage
  • Mean Time Between Failures (MTBF)
  • Mean Time to Resolve (MTTR)
  • Customer Satisfaction Scores

Question 3: Can This Help Us Expand Into New Markets?

Want to expand into new geographies or high-compliance industries? Security plays a key role here. New markets require solid compliance and security frameworks. Prove that your security investment is the gateway to growth, not just a cost center.

Useful strategy metrics for security business cases include:

  • Market Penetration Rate
  • Revenue from New Markets
  • Market Share in New Segments
  • Compliance Rate with Market-Specific Regulations
  • Profit Margin in New Markets

Question 4: Does This Make Us Better Than Competitors?

In today’s world, security is a competitive differentiator. Customers stick with companies they trust to protect their data. Your company’s security posture could be the reason a customer chooses you over the competition. Show how your security proposal will improve customer retention and acquisition rates.

Useful strategy metrics for security business cases include:

  • Customer Retention Rate (churn)
  • Customer Acquisition Cost (CAC)
  • Security Breach Incident Rate (compared to industry average)
  • Brand Trust Index (measured through surveys)
  • Competitive Benchmarking Scores

Question 5: Are We Saving Money or Just Spending It?

Let’s face it: compliance fines can be crippling. A solid fraud detection, trade secret, or IP protection system can save your company millions. Demonstrate how your security investment prevents financial losses, whether from regulatory fines, operational downtime, or reputational damage.

Useful strategy metrics for security business cases include:

  • Return on Security Investment (ROSI)
  • Total Cost of Ownership (TCO) for Security Solutions
  • Operational Cost Savings
  • Compliance Fine Avoidance (measured in cost savings)
  • Automation Efficiency Gains

Question 6: How Much Risk Does This Actually Remove?

No one can eliminate risk entirely, but you can reduce it. How much are you saving by investing in security today to avoid a breach tomorrow? Help your execs understand the cost-benefit—are you spending $100K today to avoid a $5M loss in the future? Make the numbers clear.

Useful strategy metrics for security business cases include:

  • Risk Mitigation Rate
  • Expected Loss Reduction
  • Risk Score Improvement
  • Vulnerability Management Efficiency
  • Reduction in Security Incidents

Question 7: What’s the Brand Damage if We Don’t?

Nobody wants to be the next big breach in the headlines. Think Target, Equifax, or Sony. Show how your proposal protects the company’s reputation and brand equity, which can take years to build and mere seconds to destroy.

Useful strategy metrics for security business cases include:

  • Brand Valuation
  • Media Sentiment Analysis Score
  • Social Media Engagement Rates
  • Employee Net Promoter Score (eNPS)
  • Employee Turnover Rate

Writing Business Cases for Non-Revenue Generating Functions: The Struggle Is Real

It’s not easy to sell risk and compliance functions because they don’t directly generate revenue. But that doesn’t mean they don’t provide value. Here’s how to make your case:

  • Focus on Cost Avoidance and Risk Mitigation: A solid security program prevents disasters before they happen. Consider the massive fine HSBC faced for anti-money laundering violations: $1.9 billion. Your security measures are the front lines against such catastrophic fines and reputational damage. Use metrics like Annualised Loss Expectancy (ALE) to show how much risk you’re removing.
  • Emphasise Indirect Revenue Enablement: Compliance and security aren’t just about avoiding risks—they also enable growth. A strong security posture can open doors to new markets, especially if you’re meeting the right regulatory standards. By investing in security, you can unlock new opportunities for revenue without worrying about fines or legal issues.
  • Link Security to Strategic Goals: Non-revenue functions like risk management enable other revenue-generating activities. Think about how security protects supply chains, ensures smooth operations, and allows for market expansion. Security supports business continuity, which directly impacts the company’s ability to generate revenue.
  • Qualitative Benefits Matter Too: Not all benefits can be measured in dollars, but that doesn’t mean they’re less important. Enhanced trust, better customer relationships, and a positive corporate culture all contribute to the company’s long-term success.

The Bottom Line: Get Your Security Business Case Right

Security business cases should focus on outcomes, not just activities. Link your proposals to business strategy and demonstrate how security helps reduce risk, save money, and enable growth. Address the seven questions executives care about, and you’ll put yourself in a strong position to secure the budget you need.

What’s Your Next Step?

Take a fresh look at your security business case. Does it speak to business outcomes? Does it quantify risk reduction and highlight opportunities for growth? If not, it’s time to rewrite it. Trust me, your executives will thank you.
