Complete repository of frameworks, playbooks, and assessment resources for cybersecurity consultations focused on antifragile enterprise design. Includes:
- Core philosophy and manifest (5 pillars)
- 12 modular engagement packages
- AI sovereignty and operations frameworks
- Zero-budget vulnerability discovery and hardening playbooks
- M365 E3 hardening and antifragile project plans
- Osquery sovereign discovery platform blueprint
- Perimeter scanning capability guide
- AI-assisted TVM blueprint for AI-powered adversaries
- Vertical specializations: banking, telco, power/utilities
- CIS Controls v8 and NIST CSF 2.0 mappings
- Risk registers and assessment templates
- C-suite conversation guide and business case templates
Business Case Template
"The board does not buy security. The board buys risk reduction, regulatory survival, and competitive advantage. Price it accordingly."
This template provides a reusable structure for building financial justification for antifragile engagements. It is designed to be adapted per client, per vertical, and per regulatory context. The output should be a 4-6 page document that a CFO can evaluate in 15 minutes.
Document Structure
Page 1: Executive Summary
Subtitle: Investment Proposal: Antifragile Enterprise Program
| Element | Content |
|---|---|
| Investment ask | €[X] over 180 days, phase-gated with go/no-go decisions at days 30, 60, 90 |
| Primary return | Reduction of existential cyber risk; regulatory compliance evidence; competitive differentiation through AI sovereignty |
| Break-even | Day 90 (via avoided regulatory fine exposure, reduced insurance premiums, or operational resilience) |
| Risk of inaction | Quantified below; summary: [X]% probability of material incident within 24 months at estimated cost of €[Y] |
Page 2: Cost of Inaction
Frame: The most expensive decision is the one not to act.
Direct Costs (Quantifiable)
| Risk Category | Probability (Client-Specific) | Average Industry Cost | Expected Value |
|---|---|---|---|
| Ransomware incident (recovery + downtime) | [X]% | €4.5M | €[X * 4.5M] |
| Regulatory fine (DORA / NIS2 / national) | [X]% | 1-2% global turnover | €[X * % GT] |
| Data breach notification and remediation | [X]% | €3.8M (per IBM Cost of Data Breach Report) | €[X * 3.8M] |
| Cloud AI vendor price increase / lock-in | [X]% | 200-500% price shock | €[X * shock] |
| Competitive intelligence loss (cloud AI training) | [X]% | Unquantifiable but existential | High |
Calculation:
Expected Loss = Σ (Probability_i × Cost_i)
Present this as: "Without intervention, the organization faces an expected loss of €[X] over 24 months. The proposed program costs €[Y], representing a [Z]:1 return on risk reduction."
Indirect Costs (Narrative)
- Reputational damage: Customer churn, difficulty acquiring new business, talent attrition
- Operational paralysis: During an incident, leadership attention is diverted from growth to survival
- Insurance premium increases: Cyber insurers are tightening terms; resilience demonstrably reduces premiums
- Regulatory scrutiny: A single incident triggers multi-year regulatory attention and reporting obligations
Page 3: Investment Structure
Frame: We spend your money as if it were our own. Configuration first. Purchase only if justified.
Phase-Gated Budget
| Phase | Timeline | Primary Activity | Estimated Cost | Go/No-Go Gate |
|---|---|---|---|---|
| 1. Hygiene | Days 0-30 | Configuration of existing tools; identity cleanse; visibility | €[X] (primarily labor) | Day 30: Demonstrate risk reduction or stop |
| 2. Control | Days 30-60 | ASR, MFA enforcement, network segmentation, vendor lockdown | €[X] (labor + minimal tooling) | Day 60: Validate control effectiveness |
| 3. Sovereignty | Days 60-90 | Local AI pilot; recovery drills; T0 asset protection | €[X] (labor + local inference hardware if needed) | Day 90: Prove local AI viability |
| 4. Antifragility | Days 90-180 | Chaos engineering; red team; continuous improvement | €[X] (labor + external testing) | Day 180: Maturity assessment and next-phase planning |
| Total | 180 days | | €[X] | |
Cost Categories
| Category | Typical % of Budget | Description |
|---|---|---|
| Consulting / Labor | 60-70% | Configuration, process design, training, documentation |
| Existing Tool Activation | 0% | Included in current licensing; no new purchase |
| Local AI Infrastructure | 10-20% | Hardware or sovereign cloud for inference (only if pilot justifies) |
| External Testing | 10-15% | Red team, penetration testing, regulatory validation |
| Training / Change Management | 5-10% | Security awareness, champion programs, board briefings |
Compare to Alternatives
| Alternative Approach | Cost | Timeline | Risk |
|---|---|---|---|
| Do nothing | €0 | — | Expected loss €[X] over 24 months |
| Traditional security audit | €[X] | 90 days | Produces report; no structural change |
| Full E5 licensing upgrade | €[X]/user/year | 30 days | Solves some gaps; does not address architecture or AI sovereignty |
| Managed security service (MSSP) | €[X]/month | Ongoing | Outsources detection; does not reduce structural fragility |
| Antifragile program (this proposal) | €[X] | 180 days | Structural change, regulatory evidence, AI sovereignty, measurable resilience |
Page 4: Return on Investment
Frame: The return is not revenue. It is avoided cost + preserved optionality + regulatory license to operate.
Quantifiable Returns
| Return Category | Calculation | 12-Month Value | 24-Month Value |
|---|---|---|---|
| Avoided ransomware recovery | Probability reduction × €4.5M | €[X] | €[Y] |
| Avoided regulatory fine | Probability reduction × % GT | €[X] | €[Y] |
| Insurance premium reduction | 10-20% reduction on cyber premium | €[X] | €[Y] |
| Cloud AI cost stabilization | Shift from variable API costs to fixed infra | €[X] | €[Y] |
| Reduced incident response cost | Faster detection and containment | €[X] | €[Y] |
| Total Quantifiable Return | | €[X] | €[Y] |
Strategic Returns (Narrative)
| Return Category | Description |
|---|---|
| Competitive moat | Proprietary data improves only your models; competitors cannot replicate your operational intelligence |
| Regulatory agility | Demonstrable resilience accelerates regulatory approvals, market entries, and partnership discussions |
| Talent retention | Engineers and security professionals prefer organizations that invest in durability over firefighting |
| M&A readiness | Clean identity architecture, tested recovery, and documented controls increase valuation and reduce due-diligence friction |
| Vendor negotiation leverage | Documented exit architectures improve negotiating position with all major suppliers |
ROI Summary
ROI = (Total Return - Total Investment) / Total Investment × 100%
Present as: "This program delivers a [X]% return in year one, rising to [Y]% in year two, with strategic optionality that compounds beyond quantification."
Page 5: Risk and Sensitivity Analysis
Frame: We are honest about what could go wrong. That honesty is why you should trust us.
Program Risks
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Operational disruption during hygiene phase | Medium | Medium | Changes executed in maintenance windows; rollback procedures documented; "get out of jail free" executive authorization |
| Client team capacity constraints | High | Medium | Weekly sprints with clear priorities; we do the heavy lifting; client provides decisions, not labor |
| Scope creep | Medium | High | Ruthless phase gating; kill chain prioritization; deferred items tracked for future phases |
| Tool activation reveals deeper problems | High | Low | This is the point. Early discovery is cheaper than late discovery. |
| Executive sponsor departure | Low | High | Board-level endorsement; documented in steering committee minutes; knowledge transfer at each phase |
Sensitivity Analysis
| Scenario | Investment Adjustment | Outcome |
|---|---|---|
| Best case | No additional tooling needed | Program completes under budget; all value from configuration |
| Base case | Local AI hardware required for pilot | Slight budget increase; sovereign intelligence proven |
| Worst case | Deeper technical debt than anticipated | Extend Phase 1 by 30 days; additional labor cost; still cheaper than incident |
Page 6: Recommendation and Next Steps
The Ask (Full Program):
"We recommend approval of a 180-day antifragile enterprise program, structured in four 30-60-90-180 day phases with hard go/no-go gates. The initial 30-day investment is €[X] with a defined deliverable: identification and initial closure of the organizational kill chain. If measurable risk reduction is not demonstrated by Day 30, the program stops with no further obligation."
The Ask (Modular Alternative):
"Alternatively, we can start with a single, fixed-scope module chosen based on your highest-priority pain. Each module is 30-60 days, fixed price, with defined deliverables and a hard stop. If the value is proven, we proceed to the next module. If not, you have still received a complete, bounded solution. See Modular Engagements for the module menu."
Immediate Next Steps:
| Step | Owner | Timeline |
|---|---|---|
| Executive sponsor designation | CEO / Board | Week 0 |
| Steering committee scheduling | COO / Chief of Staff | Week 0 |
| Data room access (AD, cloud IAM, network diagrams) | CISO / IT Director | Week 0 |
| SOW execution and kickoff | Procurement / Consultant | Week 1 |
| Week 1 stakeholder interviews | Consultant | Week 1 |
| Day 30 steering committee and go/no-go | Executive Sponsor | Day 30 |
Vertical-Specific Financial Adjustments
Banking
- Regulatory fine exposure: DORA fines up to 2% of global turnover; use client's actual global turnover
- SWIFT CSP non-compliance: Potential disconnection from SWIFT network; catastrophic for international payments
- PSD2 SCA failure: Transaction rejection rates, customer abandonment, regulator attention
- Insurance context: Many banks are self-insured for cyber; frame as direct balance-sheet protection
Telco / Power (Critical Infrastructure)
- NIS2 penalties: Up to €10M or 2% of global turnover (whichever is higher)
- Operational downtime: Power outages measured in €/minute; telco downtime in subscriber churn
- National security implications: Some incidents trigger government intervention or nationalization risk
- Supply chain: Single vendor failure can disable critical infrastructure; optionality has direct monetary value
Generic Enterprise
- Ransomware: Primary quantifiable risk; use industry averages if client-specific data unavailable
- Business interruption: Use revenue/day × estimated downtime
- Reputation: Use customer acquisition cost × estimated churn from breach notification
The CFO Conversation: Key Metrics
When presenting to the CFO, lead with these metrics and no others:
- Expected loss without intervention (24 months): €[X]
- Program cost: €[Y]
- Risk reduction ROI: [Z]%
- Cash payback period: [X] days
- Probability of material incident: [before]% → [after]%
Everything else is supporting detail.
Template Appendix: Client-Specific Worksheets
Worksheet 1: Revenue at Risk
Annual revenue: €_________
Revenue per day: €_________ (annual / 365)
Critical system downtime tolerance: _________ days
Revenue at risk from downtime: €_________ (revenue/day × tolerance)
Worksheet 2: Regulatory Fine Exposure
Global turnover (if applicable): €_________
Applicable regulation: [DORA / NIS2 / National / None]
Maximum fine %: _________%
Maximum fine €: €_________
Probability of fine (current): _________%
Expected fine exposure: €_________
Worksheet 3: Cloud AI Cost Trajectory
Current monthly cloud AI spend: €_________
Projected 24-month spend: €_________
Local AI infrastructure cost: €_________
Break-even month: _________
24-month savings: €_________
Data leakage risk (narrative): [Eliminated / Reduced / Unchanged]
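As an added worked example (not part of the template or the repository's own materials), the Page 2 expected-loss sum, the Page 4 ROI formula, the CFO cash-payback metric and Worksheet 3's break-even month carried through in Python on constructed figures. The risk register values, the 500M global turnover behind the 2% fine, the 600k program cost and the even accrual of avoided loss over 24 months are all assumptions.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    name: str
    p_before: float  # 24-month probability of the event without the program
    p_after: float   # 24-month probability with the program in place
    cost: float      # average cost of the event in euros


def expected_loss(items, after=False):
    """Page 2: Expected Loss = sum(Probability_i x Cost_i) over 24 months."""
    return sum((r.p_after if after else r.p_before) * r.cost for r in items)


def risk_reduction_roi(items, program_cost):
    """Page 4: ROI = (Total Return - Total Investment) / Total Investment x 100%,
    taking Total Return as the avoided expected loss (before minus after)."""
    avoided = expected_loss(items) - expected_loss(items, after=True)
    return avoided, (avoided - program_cost) / program_cost * 100.0


def cash_payback_days(avoided_24m, program_cost, horizon_days=730):
    """CFO metric: days until avoided loss repays the program cost.
    Assumption: avoided loss accrues evenly over the 24-month horizon."""
    per_day = avoided_24m / horizon_days
    return math.ceil(program_cost / per_day) if per_day > 0 else None


def cloud_ai_breakeven(monthly_cloud_spend, local_capex, local_monthly_opex, months=24):
    """Worksheet 3: first month in which cumulative local-inference cost is no more
    than cumulative cloud AI spend (None if never), plus the 24-month savings."""
    breakeven = None
    for m in range(1, months + 1):
        if local_capex + local_monthly_opex * m <= monthly_cloud_spend * m:
            breakeven = m
            break
    savings = monthly_cloud_spend * months - (local_capex + local_monthly_opex * months)
    return breakeven, savings


# Constructed sample register (not client data); fine assumes 2% of a 500M turnover
SAMPLE_REGISTER = [
    RiskItem("Ransomware incident", 0.30, 0.10, 4.5e6),
    RiskItem("Regulatory fine (2% of 500M turnover)", 0.10, 0.04, 0.02 * 500e6),
    RiskItem("Data breach notification and remediation", 0.25, 0.12, 3.8e6),
]
PROGRAM_COST = 600_000.0  # assumed 180-day program cost

if __name__ == "__main__":
    avoided, roi = risk_reduction_roi(SAMPLE_REGISTER, PROGRAM_COST)
    print(f"Avoided loss {avoided:,.0f}; ROI {roi:.0f}%; "
          f"payback {cash_payback_days(avoided, PROGRAM_COST)} days")
    print("Cloud AI break-even month, 24m savings:", cloud_ai_breakeven(40_000, 300_000, 12_000))
```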
For the board conversation guide, see C-Suite Conversation Guide. For the one-page executive summary, see Executive Summary.