Building a Strong Business Case for Security and Compliance

4 years ago Lisa Ventura

Compliance is a key part of any organisation and in business terms, it is about ensuring companies of all sizes and their employees comply with existing national and international laws. In the UK the Companies Act 2006 is the main legislation that forms the primary source of company law and businesses of all sizes must ensure they adhere to it to remain compliant.

However, compliance only ever gets tighter with each passing year. Regulations come and go, and often businesses need to invest a considerable amount of revenue to remain compliant. Many businesses often overlook security when ensuring they are compliant, but if you start from a security perspective you will often automatically meet compliance needs and cover any tightening of regulations.

Today, cybersecurity is a huge issue in virtually all industries with the need for organisations to understand the threat landscape and consider how they can respond effectively to cyber-attacks by having a well-designed plan in place. With a data breach, it is not a matter of if it will happen, but when it will happen. The cost of a data breach – financially and reputationally – can be so large that it can no longer be ignored by organisations.

There are numerous cases of organisations being fully compliant yet still suffering a data breach. In 2021 LinkedIn suffered a breach that affected 700 million users, Facebook suffered a breach in 2019 that affected 533 million users, and Yahoo! suffered a breach in 2013 that affected over 1 billion users. The problem is worsening: in 2021, 39% of UK businesses identified a cyber-attack against them, and in 2022 the same proportion of UK businesses have already identified a cyber-attack against them, with only four months of the year gone. Being compliant is therefore not enough.

Gary Hibberd, Professor of Communicating Cyber, said in the whitepaper “Mind the Cyber Security Gap – Why Compliance Isn’t Enough” that by focusing on the people around the Boardroom table and what they are trying to achieve, we can reframe what we do to support and help them. The Chief Financial Officer typically wants to save money, so show them how spending on cybersecurity can be better targeted. The CEO will want to increase market value, so show them how good cybersecurity can protect brand reputation. The Sales Director will want to increase sales, so show them how they can use cybersecurity as a business differentiator and a competitive advantage.

Business leaders can no longer ignore the growing cyber threat and should have security on their agendas not only at board level but cascaded down through the organisation at all levels. But how do you think about your business case for security and gain buy-in for cybersecurity projects?

Building a Strong Business Case for Security with Compliance in Mind

Every organisation should be investing in cybersecurity, with security officers developing a compelling business case. By starting from a security-first perspective, compliance will often automatically be covered. Businesses should therefore consider the following when attempting to gain buy-in from the Board for cybersecurity:

1. Run a Full Compliance Audit

You should conduct a full inspection of your present security posture and note any gaps or areas that require improvement. This should include looking at where any confidential or sensitive data is stored and who has access to it. Insider threats are common, and many in security do not understand the risks of potential data breaches caused by malicious, or even careless, insiders. However, it is worth noting that not all data carries the same level of risk. This process will likely be time consuming, but it is a necessary one to get a full picture of what security measures already exist.

2. Expectations Should Be Set From the Beginning

Cybersecurity is not a service or product that earns revenue; the only financial benefit it delivers comes from the losses it prevents, so it is prudent to show the board exactly that. Try to communicate to the board in numbers: for example, show that a £1 investment would stop a security event that could potentially cost the company £10. That way, it should be possible to get the board to vote on your side by demonstrating the business case and the return on investment in security measures and protection.

3. Pick the Right Areas for Investment

In order for the board to make their investment decision on security, you should give them data that focuses on threat vectors that are already evident: inadequate security awareness services and employee training, processes and policies that are not adequately applied and recorded, or a lack of data backup practices and patching updates. Formulating a risk/reward equation using a tiered security approach is a good way forward, as you can then direct investments towards incident response and detection while also covering compliance.

4. Present a Strong Business Case to the Board

Once you have created a robust and compelling business case for your organisation, you need to share the proposal with the board. When presenting your case to them, consider any questions they may have, where their focus is, and their general understanding of cybersecurity. Ensure you provide the requisite collateral and proof points to support any requests for budget – these decision-makers need to be able to make informed decisions not only for the security posture of the organisation, but for the organisation as a whole.

Final Thoughts

When submitting a strong business case for security buy-in, it is important to align your plan with the risks, needs and compliance requirements of your organisation. Every organisation wants to be secure in the long term, but compliance requirements mean they often stay focussed on the short-term cycle. Organisations need to create a strong partnership between compliance and security if they want to protect their systems and data – an either/or situation won’t work.

To find out more, we spoke to several experts with insights into managing security and compliance programs to share their experience of the disconnect between cyber security and compliance. Find out more by downloading a copy of our whitepaper “Mind the Cyber Security Gap – Why Compliance Isn’t Enough” now.

The post “Building a Strong Business Case for Security and Compliance” appeared first on TripWire.

Source: TripWire – Lisa Ventura
