Remove 'Cloud AI vendor price shock' (not a security risk; unverifiable number) and 'Competitive intelligence loss from AI training' (inaccurate claim that contradicts corrections made throughout the framework).

Replace with:
- Incident response and forensics (EUR 150-500K, real range)
- Business interruption during recovery (client-specific daily revenue)

All five rows now map directly to risks the programme addresses and are quantifiable in a CFO conversation.

Co-Authored-By: Tom Kracmar <tom+claude@cat6.cz>
Business Case Template
"The board does not buy security. The board buys risk reduction, regulatory survival, and competitive advantage. Price it accordingly."
This template provides a reusable structure for building financial justification for antifragile engagements. It is designed to be adapted per client, per vertical, and per regulatory context. The output should be a 4-6 page document that a CFO can evaluate in 15 minutes.
Document Structure
Page 1: Executive Summary
Subtitle: Investment Proposal: Antifragile Enterprise Program
| Element | Content |
|---|---|
| Investment ask | €[X] over 180 days, phase-gated with go/no-go decisions at days 60, 120, 180 |
| Primary return | Reduction of existential cyber risk; regulatory compliance evidence; operational resilience demonstrable to auditors and insurers |
| Break-even | 12–18 months post-programme: insurance premium reductions take one renewal cycle; regulatory evidence value accumulates from day 1; incident avoidance value is probabilistic but compounding |
| Risk of inaction | Quantified below; summary: [X]% probability of material incident within 24 months at estimated cost of €[Y] |
Page 2: Cost of Inaction
Frame: The most expensive decision is the one not to act.
Direct Costs (Quantifiable)
| Risk Category | Probability (Client-Specific) | Average Industry Cost | Expected Value |
|---|---|---|---|
| Ransomware incident (recovery + downtime) | [X]% | €4.5M average (IBM 2024) | €[X * 4.5M] |
| Regulatory fine (DORA / NIS2 / national) | [X]% | Up to 2% global turnover (NIS2); up to 1% daily (DORA) | €[X * % GT] |
| Data breach notification and remediation | [X]% | €3.8M average (IBM Cost of Data Breach 2024) | €[X * 3.8M] |
| Incident response and forensics | [X]% | €150K–500K (external IR firm + legal + crisis comms, independent of breach cost) | €[X * 325K] |
| Business interruption during recovery | [X]% | €[daily revenue] × [estimated downtime days] — client-specific | €[X * daily] |
Calculation:
Expected Loss = Σ (Probability_i × Cost_i)
Present this as: "Without intervention, the organization faces an expected loss of €[X] over 24 months. The proposed program costs €[Y], representing a [Z]:1 return on risk reduction."
Indirect Costs (Narrative)
- Reputational damage: Customer churn, difficulty acquiring new business, talent attrition
- Operational paralysis: During an incident, leadership attention is diverted from growth to survival
- Insurance premium increases: Cyber insurers are tightening terms; resilience demonstrably reduces premiums
- Regulatory scrutiny: A single incident triggers multi-year regulatory attention and reporting obligations
Page 3: Investment Structure
Frame: We spend your money as if it were our own. Configuration first. Purchase only if justified.
Phase-Gated Budget
| Phase | Timeline | Primary Activity | Estimated Cost | Go/No-Go Gate |
|---|---|---|---|---|
| 1. Visibility | Days 0–60 | Kill chain mapping; T0 identity hardening; ASTRAL/PULSAR deployment; T0 backup verified | €[X] (primarily labor) | Day 60: Kill chain documented and T0 hardening complete |
| 2. Control | Days 60–120 | MFA for all users; CA baseline; attack surface reduction; vendor hardening | €[X] (labor + minimal tooling) | Day 120: MFA enforced 100%; P0/P1 vulnerabilities closed |
| 3. Signal | Days 120–180 | Detection rules; alert runbooks; knowledge transfer; housekeeping stream operational | €[X] (labor) | Day 180: Client operates independently; housekeeping running |
| 4. Retained capability | Ongoing | Quarterly retained scope; detection engineering; housekeeping; structural improvements | €[X]/quarter | Ongoing: measurable queue reduction; annual BloodHound/Elysium |
| Total (180-day programme) | 180 days | | €[X] | |
Cost Categories
| Category | Typical % of Budget | Description |
|---|---|---|
| Consulting / Labor | 60-70% | Configuration, process design, training, documentation |
| Existing Tool Activation | 0% | Included in current licensing; no new purchase |
| Local AI Infrastructure | 10-20% | Hardware or sovereign cloud for inference (only if pilot justifies) |
| External Testing | 10-15% | Red team, penetration testing, regulatory validation |
| Training / Change Management | 5-10% | Security awareness, champion programs, board briefings |
Compare to Alternatives
| Alternative Approach | Cost | Timeline | Risk |
|---|---|---|---|
| Do nothing | €0 | — | Expected loss €[X] over 24 months; growing regulatory exposure |
| Traditional security audit | €[X] | 90 days | Produces report; no structural change; findings age immediately |
| Full E5 licensing upgrade | €[X]/user/year | 30 days | Solves tooling gaps; does not address architecture, process, or accumulated technical debt |
| Managed security service (MSSP) | €[X]/month | Ongoing | Outsources detection; does not reduce structural fragility; dependency without capability transfer |
| Antifragile programme (this proposal) | €[X] | 180 days + retained | Structural change, regulatory evidence, measurable kill chain closure, client operational independence |
Page 4: Return on Investment
Frame: The return is not revenue. It is avoided cost + preserved optionality + regulatory license to operate.
Quantifiable Returns
| Return Category | Calculation | 12-Month Value | 24-Month Value |
|---|---|---|---|
| Avoided ransomware recovery | Probability reduction × €4.5M | €[X] | €[Y] |
| Avoided regulatory fine | Probability reduction × % GT | €[X] | €[Y] |
| Insurance premium reduction | 10-20% reduction on cyber premium | €[X] | €[Y] |
| Audit preparation time reduction | ASTRAL Git trail replaces manual evidence gathering for ISO 27001, NIS2, DORA | €[X] | €[Y] |
| Reduced incident response cost | Faster detection and containment | €[X] | €[Y] |
| Total Quantifiable Return | Sum of the rows above | €[X] | €[Y] |
Strategic Returns (Narrative)
| Return Category | Description |
|---|---|
| Regulatory agility | Demonstrable continuous controls and resilience accelerate regulatory approvals, certification audits, market entries, and partnership due diligence |
| Talent retention | Engineers and security professionals prefer organizations that invest in durability over firefighting |
| M&A readiness | Clean identity architecture, tested recovery, and documented controls increase valuation and reduce due-diligence friction |
| Vendor negotiation leverage | Documented exit architectures improve negotiating position with all major suppliers |
ROI Summary
ROI = (Total Return - Total Investment) / Total Investment × 100%
Present as: "This program delivers a [X]% return in year one, rising to [Y]% in year two, with strategic optionality that compounds beyond quantification."
Page 5: Risk and Sensitivity Analysis
Frame: We are honest about what could go wrong. That honesty is why you should trust us.
Program Risks
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Operational disruption during hygiene phase | Medium | Medium | Changes executed in maintenance windows; rollback procedures documented; "get out of jail free" executive authorization |
| Client team capacity constraints | High | Medium | Weekly sprints with clear priorities; we do the heavy lifting; client provides decisions, not labor |
| Scope creep | Medium | High | Ruthless phase gating; kill chain prioritization; deferred items tracked for future phases |
| Tool activation reveals deeper problems | High | Low | This is the point. Early discovery is cheaper than late discovery. |
| Executive sponsor departure | Low | High | Board-level endorsement; documented in steering committee minutes; knowledge transfer at each phase |
Sensitivity Analysis
| Scenario | Investment Adjustment | Outcome |
|---|---|---|
| Best case | No additional tooling needed; client IT team engaged and responsive | Programme completes on timeline; all value from configuration; client operational independence achieved at day 180 |
| Base case | Minor tooling additions; moderate IT team availability; some change management friction | Programme completes with 2–4 week slippage on Phase 2 (MFA rollout change management is the usual bottleneck); strong kill chain closure and detection capability |
| Challenging | Significant technical debt discovered in Phase 1; IT team constrained; change windows infrequent | Phase 1 extended by 4–6 weeks; Phase 2 scope narrowed to kill chain critical path; programme value is still genuine — the findings alone are worth the investment; honest client conversation required at day 60 gate |
| Abort condition | Executive sponsor departure; IT team fully occupied by another major project; scope fundamentally different from discovery call | Programme paused or stopped at the next gate. Partial phases produce partial value — ASTRAL/PULSAR deployed, kill chain documented. Better to stop honestly than to produce a report that nobody acts on. |
Page 6: Recommendation and Next Steps
The Ask (Full Programme):
"We recommend approval of a 180-day antifragile enterprise programme with three hard milestones. By Day 30: your kill chain is documented, ASTRAL and PULSAR are live, and your most privileged accounts are hardened. By Day 90: MFA covers the entire organisation, your kill chain is closed, and you have detection capability on M365. By Day 180: your team operates the systems independently, housekeeping is running as a permanent stream, and everything we built is in your repository. That is the 180-day programme. What comes after is a retained scope — scoped separately, renewed quarterly."
The Ask (Modular Alternative):
"Alternatively, we can start with a single, fixed-scope module chosen based on your highest-priority pain. Each module is 30-60 days, fixed price, with defined deliverables and a hard stop. If the value is proven, we proceed to the next module. If not, you have still received a complete, bounded solution. See Modular Engagements for the module menu."
Immediate Next Steps:
| Step | Owner | Timeline |
|---|---|---|
| Executive sponsor designation | CEO / Board | Week 0 |
| Steering committee scheduling | COO / Chief of Staff | Week 0 |
| Data room access (AD, cloud IAM, network diagrams) | CISO / IT Director | Week 0 |
| SOW execution and kickoff | Procurement / Consultant | Week 1 |
| Week 1 stakeholder interviews | Consultant | Week 1 |
| Day 30 steering committee and go/no-go | Executive Sponsor | Day 30 |
Vertical-Specific Financial Adjustments
Banking
- Regulatory fine exposure: DORA fines up to 2% of global turnover; use client's actual global turnover
- SWIFT CSP non-compliance: Potential disconnection from SWIFT network; catastrophic for international payments
- PSD2 SCA failure: Transaction rejection rates, customer abandonment, regulator attention
- Insurance context: Many banks are self-insured for cyber; frame as direct balance-sheet protection
Telco / Power (Critical Infrastructure)
- NIS2 penalties: Up to €10M or 2% of global turnover (whichever is higher)
- Operational downtime: Power outages measured in €/minute; telco downtime in subscriber churn
- National security implications: Some incidents trigger government intervention or nationalization risk
- Supply chain: Single vendor failure can disable critical infrastructure; optionality has direct monetary value
Generic Enterprise
- Ransomware: Primary quantifiable risk; use industry averages if client-specific data unavailable
- Business interruption: Use revenue/day × estimated downtime
- Reputation: Use customer acquisition cost × estimated churn from breach notification
The CFO Conversation: Key Metrics
When presenting to the CFO, lead with these metrics and no others:
- Expected loss without intervention (24 months): €[X]
- Program cost: €[Y]
- Risk reduction ROI: [Z]%
- Cash payback period: [X] days
- Probability of material incident: [before]% → [after]%
Everything else is supporting detail.
Template Appendix: Client-Specific Worksheets
Worksheet 1: Revenue at Risk
Annual revenue: €_________
Revenue per day: €_________ (annual / 365)
Critical system downtime tolerance: _________ days
Revenue at risk from downtime: €_________ (revenue/day × tolerance)
Worksheet 2: Regulatory Fine Exposure
Global turnover (if applicable): €_________
Applicable regulation: [DORA / NIS2 / National / None]
Maximum fine %: _________%
Maximum fine €: €_________
Probability of fine (current): _________%
Expected fine exposure: €_________
Worksheet 3: Cloud AI Cost Trajectory
Current monthly cloud AI spend: €_________
Projected 24-month spend: €_________
Local AI infrastructure cost: €_________
Break-even month: _________
24-month savings: €_________
Data leakage risk (narrative): [Eliminated / Reduced / Unchanged]
For the board conversation guide, see C-Suite Conversation Guide. For the one-page executive summary, see Executive Summary.