Skip to main content

Building a Cybersecurity business case? Three Questions You Need to Ask

Have you heard of the term Hindsight Bias?

It’s also known as the “I knew it all along” effect. If you had spoken to even one of the 20000 Air Canada customers after the data breach, you would’ve heard them say – ‘I always knew something like this could happen with my data!’

Behind closed doors at a corporate meeting, a series of could’ve-would’ve-should’ve discussions that lead to nowhere.

If you think it’s time to save your client from the Hindsight Bias when it comes to Cyber Security, you need to partner with them in building a business case for Cybersecurity before they face their worst cybersecurity nightmare.

Here are 3 critical questions every Cybersecurity champion needs an answer for, from their Management:

  1. What is your protection time / exposure time ratio?

You can arrive at your protection time by answering 3 questions:

  1. What do I need to protect? The answer could be confidential information, IT services for business continuity during an attack
  2. How can I protect it? The answer could be security policies, controls, training people, setting up processes
  3. What is the downtime in the event of an attack? Or for what kinds of threats? Here you could define the types of attacks you’re protected from

You can arrive at your exposure time by answering one question – How much time will we take to detect, respond and recover from a cyber-attack.

Ideally, the ratio needs to be in favor of the protection time. But it’s not always the case. This is where you step in as a Cybersecurity champion to talk about why protection time needs to be longer than exposure time if the decision is to be proactive. It may not always be a function of budget

  1. What is your security control threshold?

This one is easy – responding to security controls trigger our deepest need to resist change and control. Don’t we all know someone who resists security control? Here’s an opportunity to assess whether security controls are perceived as a time consuming operational inconvenience or as mission critical by the company.

  1. How are you going to manage exposure time?

Your worst cyber security nightmare has come true. You thought that firewall was a cover-all solution, but you were wrong. The attackers were smarter – who are you going to call and what are you going to do.

Asking these questions will help your client differentiate between IT operations and IT security. IT security may not even exist in your client’s organization.

The fourth (bonus) question!

Are you keen on building a Cybersecurity practice to help serve your clients better? Add a service advantage to your product recommendations by partnering with Ingram Micro Professional Services team. From Penetration test assessments to 360 Cyber Security solutions, our white-labelled services, got you covered. Contact –