How to Get Buy-In for Cybersecurity Investments


There’s not a technology initiative under the sun that will be successful without buy-in. We’ve seen this first-hand over the three decades we’ve been in the IT service industry.

Something else we’ve seen more than a few times: No matter how frightening cybersecurity statistics get, your leadership doesn’t think anything bad will happen to them. They see no reason to budget for something they believe is a long shot. But you know better, so how can you make yourself heard?

Here are our tips.


Think through real-life scenarios.

Given the data you handle, the nature of your clients, your team’s security know-how, and your IT infrastructure, what could realistically happen?

  • Would a house guest seeing a confidential document on a remote attorney’s monitor be a breach?
  • Would an associate forgetting their laptop on the Metro cripple your business?
  • Do your new interns know what to look for in a suspicious email?


Quantify the impact.

If any of those scenarios actually occurred, what would it cost you?

  • Regulatory fines? In what amount?
  • Lost billable hours? What’s the math?
  • Recovery costs? Who’s doing this work and what are their rates?

There are plenty of reports on the cost of a data breach (like this one from IBM that notes an average $4.35 million price tag), but we find that a personalized calculation has a much greater impact.


Give them a story, not a statistic.

Walk your leadership through these very plausible, concrete hypotheticals. We’ve found that telling these stories often elicits a response of, “Oh, I had never even thought of that.” The more personal the narrative, the more likely they’ll hear you.


We hope these tips help in your efforts to bolster your organization’s security posture. If you’d rather outsource the responsibility of getting this kind of buy-in, our CIO Consultants would be happy to help. Learn more about those services here.
