Convincing top management to fund cybersecurity enhancements is a significant challenge for CIOs. CIOs, being inherently technical, often communicate in practical terms, while top management’s primary focus is cost reduction.

However, budget requests that demonstrate tangible value, show cost savings, or align with top management’s expertise are more likely to receive a favorable response. To overcome this hurdle, CIOs can use the concept of Return on Mitigation. By quantifying the financial benefits and cost savings derived from risk mitigation measures, CIOs can effectively communicate the value of cybersecurity enhancements.

The value lies in what these enhancements prevent: they mitigate the risk of incidents and breaches and help avoid the costs of remedial measures, PR damage control, downtime, loss of productivity, revenue loss, and regulatory penalties.

The main factors to consider when developing a convincing Return on Mitigation are:

  • Assessing and quantifying the potential impact (in costs) of cyber risks materializing. CIOs can also include industry trends to back up risk occurrence perspectives.
  • Estimating the costs related to implementing remedial measures.
  • Estimating the cost of the proposed cybersecurity enhancements that reduce the likelihood of cyber risks materializing.
  • Comparing the projected costs of implementation with the anticipated financial benefits.

To gain input, the CIO should collaborate with key department heads to demonstrate that Return on Mitigation aligns with the organization’s business. These key departments could include:

  • Operations and Business to provide useful data on operational business impact.
  • Legal to identify legal implications, especially where regulatory fines exist.
  • Finance to provide the much-needed financial data and analysis.

Introducing the concept of Return on Mitigation improves a CIO’s chances of unlocking budget. Surprisingly, companies often allocate budget only after a high-impact event has occurred. However, it doesn’t have to be this way!

This article was originally published on Medium, at Emmanuel Mugabi's personal blog.