IT Budgeting & Costs

How do I build a business case for IT security spending?

How to justify IT security investments to leadership with real numbers, ROI frameworks, and strategies for overcoming common objections to security spending.

centrexIT Team 7 min read

Key Takeaways

  • The average data breach costs a small business $120,000-$1.24 million - frame security spending as insurance against that risk
  • Use an ROI framework: compare the cost of security tools to the expected loss from breaches (probability x impact)
  • Cyber insurance premium reductions, compliance penalties avoided, and downtime prevention all contribute to measurable ROI
  • Present to leadership in business terms - revenue risk, liability exposure, and competitive advantage - not technical jargon
  • A phased approach (must-haves first, then layered improvements) makes security spending easier to approve and budget

You know your company needs better security. Maybe you’ve seen the headlines about ransomware attacks. Maybe your cyber insurance provider sent a list of requirements. Maybe you just have a gut feeling that your current defenses aren’t enough.

But getting leadership to approve the budget is a different challenge entirely. “We’ve never been hacked” is one of the most common - and most dangerous - objections you’ll face. The absence of a breach doesn’t mean you’re secure. It means you’ve been lucky. And luck isn’t a strategy.

Here’s how to build a business case that speaks the language of leadership: risk, money, and competitive advantage.

Why Leadership Pushes Back on Security Spending

Before you build your case, understand why the answer is often “no” or “not now.”

It Feels Like Insurance You’ll Never Use

Security spending doesn’t produce visible output. There’s no new product, no new revenue stream, no shiny dashboard to show the board. When security works, nothing happens. That makes it incredibly hard to justify compared to investments that produce tangible results.

The “We’ve Never Been Hacked” Fallacy

Past performance doesn’t predict future risk. The threat landscape changes constantly. The fact that you haven’t been breached might mean your defenses are adequate - or it might mean attackers haven’t targeted you yet. With 43% of cyberattacks now targeting small businesses, the odds are shifting.

Competing Priorities

Every dollar spent on security is a dollar not spent on sales, product development, or hiring. Leadership is weighing security against investments that feel more directly tied to growth.

Technical Complexity Creates Skepticism

When the security conversation is full of acronyms (EDR, SIEM, MFA, ZTA) and worst-case scenarios, non-technical leaders disengage. If they don’t understand what you’re asking for, they’re unlikely to fund it.

Calculating the Risk: Real Numbers

The foundation of any business case is quantified risk. Leadership responds to numbers, not fear. Here’s how to calculate yours.

The Cost of a Breach

Industry data gives us concrete figures for small and mid-sized businesses:

Impact Area | Average Cost
Incident response and forensics | $10,000-$100,000
Data recovery and system restoration | $15,000-$150,000
Business downtime (average 21 days for ransomware) | $50,000-$500,000
Legal and regulatory fines | $10,000-$250,000
Customer notification and credit monitoring | $5,000-$50,000
Reputation damage and customer loss | $20,000-$200,000+
Total estimated breach cost (SMB) | $120,000-$1,240,000

Example

A 50-person professional services firm gets hit with ransomware. Operations are down for 12 business days. The ransom demand is $150,000, but even without paying it, costs include:

  • Emergency IT response: $35,000
  • System rebuilding and data recovery: $45,000
  • Lost revenue during downtime (12 days): $180,000
  • Legal counsel and notifications: $25,000
  • Increased insurance premiums: $15,000/year ongoing
  • Customer attrition (estimated): $50,000 in first year
  • Total: approximately $350,000

Compare that to the $40,000-$80,000 per year that comprehensive security for a 50-person company typically costs.

Calculating Your Specific Risk

Use this simple framework to estimate your risk exposure:

Annual Loss Expectancy (ALE) = Probability of Breach x Cost of Breach

Factor | How to Estimate
Probability of breach | Use an annual incident rate, not a share-of-attacks figure: roughly 1 in 5 SMBs experience a cyber event in a given year. (The "43% of attacks target SMBs" statistic describes where attacks land, not how likely one is to hit your company.)
Cost of breach | Use the table above, adjusted for your revenue and industry
Annual Loss Expectancy | Probability x Cost

Example

  • Estimated breach probability: 20% (1 in 5 chance per year)
  • Estimated breach cost: $300,000
  • Annual Loss Expectancy: 0.20 x $300,000 = $60,000/year

If your proposed security investment is $50,000/year and it reduces breach probability by 80%, the math is straightforward:

  • New breach probability: 4% (20% of the original 20%, i.e. 0.20 x 0.20)
  • New ALE: 0.04 x $300,000 = $12,000/year
  • Risk reduction: $60,000 - $12,000 = $48,000/year in avoided expected loss
  • Investment: $50,000/year
  • Net: $48,000 in expected risk reduction for $50,000 in spend, a $2,000 shortfall, which is essentially break-even before the other benefits are counted

Two caveats are worth stating to leadership up front. ALE is an average over many years: in the year a breach actually happens you pay the full $300,000, which is exactly why the spend is framed as insurance. And the 80% figure is an assumption about how well the controls work, so show the result at 60% and 90% as well, rather than letting the decision rest on a single guess.

And that doesn’t include the additional benefits below.

The ROI Framework: Beyond Risk Avoidance

Risk reduction is the core argument, but it’s not the only one. A comprehensive business case includes multiple ROI drivers.

1. Cyber Insurance Premium Reduction

Insurers are dramatically tightening requirements and pricing. Companies with strong security postures receive significantly better rates.

Security Measure | Typical Premium Impact
MFA implemented on all accounts | 10-15% reduction
EDR deployed across all endpoints | 5-10% reduction
Security awareness training program | 5-10% reduction
Incident response plan (documented, tested) | 5-10% reduction
Regular vulnerability scanning | 3-5% reduction

For a company paying $15,000-$30,000/year in cyber insurance premiums, these reductions add up to $4,000-$15,000/year in savings.

Key point

Some insurers now require specific security controls as conditions of coverage. Without them, you may not qualify for insurance at all - or only at significantly higher premiums with lower coverage limits.

2. Compliance Penalties Avoided

If your industry has regulatory requirements, non-compliance carries real financial consequences:

Regulation | Penalty Range
HIPAA | $100-$50,000 per violation, capped per violation category per year (about $1.5 million, adjusted annually for inflation)
PCI DSS | $5,000-$100,000 per month until compliant (assessed by the card brands through your acquiring bank)
SOX | Up to $5 million in fines and 20 years imprisonment for executives who knowingly certify false financial reports
State privacy laws (CCPA, etc.) | $2,500 per violation, $7,500 per intentional violation
CMMC | Loss of eligibility for Department of Defense contracts

Even if you avoid the maximum penalties, audit findings and remediation costs are significant. Proactive security spending prevents reactive compliance costs.

3. Downtime Prevention

Quantify what downtime actually costs your business:

Hourly Downtime Cost = (Annual Revenue / Business Hours per Year) + Productivity Loss per Hour

Business Hours per Year is roughly 2,080 for a single-shift business (40 hours x 52 weeks); Productivity Loss per Hour is the loaded payroll of the staff who cannot work during the outage. The revenue term alone gives the ranges below.

Company Revenue | Estimated Hourly Downtime Cost
$2 million | $500-$1,000/hour
$5 million | $1,200-$2,500/hour
$10 million | $2,500-$5,000/hour
$25 million | $6,000-$12,500/hour

The average ransomware incident causes 21 days of disruption. Even partial downtime over that period is catastrophic.
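The ALE calculation, the insurance-savings and downtime formulas above can be kept in one small model so that the numbers in the executive summary are reproducible and can be re-run when leadership challenges an assumption. The following is an added example written for this page, not a calculator from the original article or from centrexIT; the scenario values are the article's own worked example (20% annual probability, $300,000 breach cost, $50,000/year spend, 80% reduction), and the $20,000 premium with MFA, EDR and training discounts is a constructed input. It also adds two things the prose only hints at: the break-even control effectiveness, and a sensitivity table across effectiveness assumptions.

```python
"""Security ROI model: ALE, residual risk, insurance savings, downtime cost.

Added example for this article, not code from centrexIT. Every number below is
either the article's worked example or a constructed, clearly labelled input.
"""
from dataclasses import dataclass, field, replace


@dataclass
class RiskScenario:
    breach_probability: float      # annual probability of a qualifying incident
    breach_cost: float             # single-loss expectancy, in dollars
    investment_per_year: float     # proposed security spend, dollars per year
    probability_reduction: float   # fraction of breach probability the controls remove
    premium_per_year: float = 0.0  # current cyber-insurance premium (assumed input)
    premium_discounts: list[float] = field(default_factory=list)  # per-control discounts


def annual_loss_expectancy(probability: float, cost: float) -> float:
    """ALE = Probability of Breach x Cost of Breach (the article's formula)."""
    return probability * cost


def residual_probability(probability: float, reduction: float) -> float:
    """An 80% reduction leaves 20% of the original probability: 0.20 -> 0.04."""
    return probability * (1.0 - reduction)


def insurance_savings(premium: float, discounts: list[float], cap: float = 0.5) -> float:
    """Sum per-control discounts as the article does. The cap is an assumption:
    insurers do not publish additive schedules, so never claim more than half."""
    return premium * min(sum(discounts), cap)


def hourly_downtime_cost(annual_revenue: float, business_hours: int = 2080,
                         productivity_loss_per_hour: float = 0.0) -> float:
    """Hourly Downtime Cost = Annual Revenue / Business Hours per Year + Productivity Loss."""
    return annual_revenue / business_hours + productivity_loss_per_hour


def business_case(s: RiskScenario) -> dict[str, float]:
    """The ROI line items from the executive-summary template, in dollars per year."""
    ale_before = annual_loss_expectancy(s.breach_probability, s.breach_cost)
    p_after = residual_probability(s.breach_probability, s.probability_reduction)
    ale_after = annual_loss_expectancy(p_after, s.breach_cost)
    risk_reduction = ale_before - ale_after
    premium_savings = insurance_savings(s.premium_per_year, s.premium_discounts)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "risk_reduction": risk_reduction,
        "insurance_savings": premium_savings,
        "net_benefit": risk_reduction + premium_savings - s.investment_per_year,
    }


def breakeven_reduction(s: RiskScenario) -> float:
    """Smallest probability reduction at which avoided expected loss alone repays the
    spend: solve investment = p * cost * r for r. A result above 1.0 means the spend
    cannot be justified on expected loss alone at this probability and cost."""
    return s.investment_per_year / (s.breach_probability * s.breach_cost)


def sensitivity(s: RiskScenario,
                reductions=(0.5, 0.6, 0.7, 0.8, 0.9)) -> dict[float, float]:
    """Net benefit at several assumed effectiveness levels, because the 80% figure
    is a guess and leadership should see how far the answer moves if it is wrong."""
    return {r: business_case(replace(s, probability_reduction=r))["net_benefit"]
            for r in reductions}


# Constructed scenario: the article's worked example plus an assumed $20,000 premium
# with MFA (10%), EDR (5%) and awareness-training (5%) discounts from the table above.
ARTICLE_EXAMPLE = RiskScenario(
    breach_probability=0.20,
    breach_cost=300_000,
    investment_per_year=50_000,
    probability_reduction=0.80,
    premium_per_year=20_000,
    premium_discounts=[0.10, 0.05, 0.05],
)

if __name__ == "__main__":
    for name, value in business_case(ARTICLE_EXAMPLE).items():
        print(f"{name:>18}: ${value:,.0f}")
    print(f"break-even reduction: {breakeven_reduction(ARTICLE_EXAMPLE):.0%}")
    for r, net in sensitivity(ARTICLE_EXAMPLE).items():
        print(f"effectiveness {r:.0%}: net ${net:,.0f}/year")
    print(f"hourly downtime cost at $10M revenue: ${hourly_downtime_cost(10_000_000):,.0f}")
```

With the article's inputs the model reproduces the $60,000 ALE, the $12,000 residual ALE and the $48,000 risk reduction, and the assumed insurance discounts lift the net benefit from a $2,000 shortfall to $2,000 positive. The break-even figure (about 83% effectiveness at this probability and cost) is the number to watch: it shows that the case rests on the insurance, compliance and contract benefits rather than on expected-loss arithmetic alone, which is the honest way to present it.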

4. Competitive Advantage

Security is increasingly a differentiator in winning business:

  • Enterprise clients require security assessments before onboarding vendors
  • RFPs include security questionnaire sections that weak postures fail
  • SOC 2 certification opens doors to clients who require it from vendors
  • Government contracts mandate specific security standards (CMMC)

If security deficiencies are costing you deals - or preventing you from bidding on them at all - that’s directly measurable lost revenue.

5. Productivity and Employee Satisfaction

Poor security often means poor technology:

  • Overly restrictive policies that slow people down (because targeted controls haven’t been implemented)
  • Frequent incidents that disrupt work
  • Manual processes that modern security tools would automate
  • Employee frustration leading to turnover

Presenting to Non-Technical Stakeholders

The most well-researched business case fails if it’s presented wrong. Here’s how to communicate with leadership effectively.

Speak Their Language

Instead of… | Say…
"We need EDR on all endpoints" | "We need to protect every company laptop and desktop from ransomware"
"Our SIEM needs upgrading" | "We need better visibility into who’s accessing our systems and data"
"We should implement zero trust architecture" | "We need to verify every access request instead of trusting anyone inside our network"
"Threat actors are using advanced persistent threats" | "Attackers are targeting businesses like ours and staying hidden in networks for months"
"We need to reduce our attack surface" | "We need to close the doors we’re leaving open for hackers"

Structure Your Presentation

1. Start with the business risk (2 minutes)

  • What could happen: breach scenario specific to your industry
  • What it would cost: use the numbers from your risk calculation
  • How likely it is: cite the industry statistics

2. Show the current gaps (3 minutes)

  • What defenses you have today
  • Where the specific gaps are (use plain language)
  • What an attacker could exploit

3. Present the solution (5 minutes)

  • What you’re recommending (in business terms)
  • What it costs (annual and monthly)
  • What risk it reduces (back to the numbers)

4. Show the ROI (3 minutes)

  • Risk reduction value
  • Insurance savings
  • Compliance cost avoidance
  • Competitive advantage

5. Propose a phased approach (2 minutes)

  • Phase 1: essentials (immediate)
  • Phase 2: improvements (6 months)
  • Phase 3: optimization (12 months)

Use Comparisons That Resonate

  • “We spend $X on physical security for our building. Our digital assets are worth far more and have far less protection.”
  • “We carry fire insurance even though we’ve never had a fire. Cybersecurity is the same principle for digital threats.”
  • “Our largest client requires these security measures. Without them, we risk losing a $X relationship.”

A Phased Approach to Security Spending

Leadership is more likely to approve a phased plan than a single large request. Break your recommendations into priority tiers.

Phase 1: Foundation (Month 1-3) - Highest ROI

These are non-negotiable and deliver the greatest risk reduction per dollar.

Investment | Approximate Cost | Risk Reduction
MFA on all accounts | Free-$3/user/month | Blocks the vast majority of automated credential attacks (Microsoft cites 99.9%)
EDR (replacing traditional antivirus) | $5-$15/user/month | Catches 60%+ more threats than signature-based antivirus
Email security enhancement | $3-$8/user/month | Reduces phishing success by 90%+
Security awareness training | $2-$5/user/month | Reduces human error by 70%
Total for 50 users | $500-$1,550/month | Addresses the top 4 attack vectors

Phase 2: Strengthening (Month 4-9)

Build on the foundation with deeper protection.

Investment | Approximate Cost | Benefit
Managed detection and response (MDR) | $15-$50/user/month | 24/7 monitoring and response
Vulnerability management | $2-$5/user/month | Proactive gap identification
Backup enhancement | $200-$1,000/month | Ransomware recovery capability
Incident response plan | $5,000-$15,000 (one-time) | Faster, more effective breach response

Phase 3: Maturity (Month 10-18)

Advance your security posture for competitive advantage and compliance.

Investment | Approximate Cost | Benefit
Compliance framework (SOC 2, HIPAA, etc.) | $15,000-$50,000 (one-time) | Opens new business opportunities
Penetration testing | $5,000-$20,000 (annual) | Validates your defenses
DLP and data classification | $3-$8/user/month | Prevents data leakage
Security policy formalization | $5,000-$10,000 (one-time) | Documentation for audits and clients

Why this works

Phased spending is easier to approve because it starts small, demonstrates results, and builds the case for continued investment. After Phase 1, you have data showing reduced incidents and lower risk to justify Phase 2.

Common Objections and How to Respond

“We’ve never been hacked.”

Response: “That we know of. The average time to detect a breach is 194 days. We may have been compromised without realizing it. But even if we haven’t, 43% of cyberattacks target small businesses, and the average cost is over $120,000. Our current defenses have gaps that make us vulnerable.”

“Can’t we just get cyber insurance?”

Response: “Cyber insurance is important, but it’s not a substitute for security. Insurers now require specific security controls as conditions of coverage. Without MFA, EDR, and training, we may not qualify - or we’ll pay significantly higher premiums. Insurance also doesn’t cover reputation damage, lost productivity during recovery, or the time and stress of managing a breach.”

“It’s too expensive.”

Response: “The proposed Phase 1 investment is $X per month. The average SMB breach costs $120,000-$1.24 million. We’re spending the equivalent of [comparison] to protect against losses that could be [multiple]x larger. We can also show projected insurance premium reductions of $X that offset part of the cost.”

“We’re too small to be a target.”

Response: “43% of cyberattacks target businesses with fewer than 250 employees. Small businesses are actually preferred targets because they typically have weaker defenses and less capacity to detect attacks. Automated attack tools don’t discriminate by company size - they scan the entire internet for vulnerabilities.”

“Can’t IT just handle this?”

Response: “Our IT team manages day-to-day operations and support. Cybersecurity is a specialized discipline that requires dedicated tools and expertise. Asking IT to also be the security team is like asking your general practitioner to perform surgery. We need specialized tools and, ideally, specialized monitoring.”

“Let’s revisit this next quarter.”

Response: “Every quarter we delay is a quarter of unmitigated risk. Our cyber insurance renewal is in [month], and without these controls in place, we’re looking at a premium increase of $X or potential coverage denial. The threat landscape doesn’t wait for budget cycles.”

Putting It All Together: Your One-Page Business Case

Here’s a template for the executive summary that accompanies your full proposal.

Security Investment Proposal - Executive Summary

Current Risk Exposure: Based on industry data and our specific vulnerabilities, our estimated Annual Loss Expectancy from a cyber incident is $[X].

Proposed Investment: $[X]/month ($[X]/year), implemented in three phases over 18 months.

Expected Outcomes:

  • Reduce breach probability by approximately 80%
  • Meet cyber insurance requirements (estimated premium savings: $[X]/year)
  • Achieve compliance with [relevant framework] requirements
  • Protect ability to win and retain [type of client] contracts

ROI Summary:

  • Annual security investment: $[X]
  • Annual risk reduction value: $[X]
  • Insurance savings: $[X]/year
  • Compliance penalty avoidance: $[X]
  • Net benefit: $[X]/year

Recommendation: Approve Phase 1 ($[X]/month) immediately. Evaluate results at 90 days before proceeding to Phase 2.

The Bottom Line

Building a business case for security spending isn’t about scaring leadership into action. It’s about translating real risk into financial terms they can evaluate alongside every other business investment.

The companies that invest proactively in security don’t just avoid breaches. They qualify for better insurance rates, win contracts that require security maturity, meet compliance requirements without scrambling, and sleep better at night.

Start with the numbers. Frame the conversation around business risk, not technical details. Propose a phased approach that starts with the highest-ROI investments. And remember: the question isn’t whether your business can afford security. It’s whether your business can afford the consequences of skipping it.


Need help building a business case for security at your company? Contact us for a risk assessment that gives you the data and framework to present to leadership with confidence.
