rapid-modernisation-plan.md:
- Add honest framing section: what 180 days delivers vs. what takes 2-3 years
- Extend Phase 1 from 30 to 60 days; rename to Visibility
- Remove dangerous 'disable all unknown accounts in week 1-2' instruction
- Replace Phase 3 (AI Sovereignty) with Signal and Retained Capability
- Phase 3 now: detection engineering, alert runbooks, knowledge transfer
- Phase 4 made explicitly open-ended (not complete at day 180)
- Fix success metrics: remove unverifiable targets, replace with honest ones
- Remove 'compress Phases 1-2 into 30 days for small orgs' adaptation
- Add 'What This Plan Is Not' practitioner section
- ASTRAL and PULSAR integrated as Phase 1 deliverables
- AI Sovereignty moved to multi-year parallel initiative

business-case-template.md:
- Break-even corrected: Day 90 -> 12-18 months post-programme
- Phase budget table updated: 30/30/30/90 -> 60/60/60/ongoing
- Phase names and deliverables aligned with revised RMP
- AI sovereignty removed from core deliverables
- Sensitivity analysis: 3 scenarios -> 4 including abort condition
- Alternatives table: AI sovereignty removed from Antifragile programme description
- ROI table: cloud AI cost line replaced with audit preparation time saving
- The Ask: 30-day first gate -> 60-day first gate

Co-Authored-By: Tom Kracmar <tom+claude@cat6.cz>
Business Case Template
"The board does not buy security. The board buys risk reduction, regulatory survival, and competitive advantage. Price it accordingly."
This template provides a reusable structure for building financial justification for antifragile engagements. It is designed to be adapted per client, per vertical, and per regulatory context. The output should be a 4-6 page document that a CFO can evaluate in 15 minutes.
Document Structure
Page 1: Executive Summary
Subtitle: Investment Proposal: Antifragile Enterprise Program
| Element | Content |
|---|---|
| Investment ask | €[X] over 180 days, phase-gated with go/no-go decisions at days 60, 120, 180 |
| Primary return | Reduction of existential cyber risk; regulatory compliance evidence; operational resilience demonstrable to auditors and insurers |
| Break-even | 12–18 months post-programme: insurance premium reductions take one renewal cycle; regulatory evidence value accumulates from day 1; incident avoidance value is probabilistic but compounding |
| Risk of inaction | Quantified below; summary: [X]% probability of material incident within 24 months at estimated cost of €[Y] |
Page 2: Cost of Inaction
Frame: The most expensive decision is the one not to act.
Direct Costs (Quantifiable)
| Risk Category | Probability (Client-Specific) | Average Industry Cost | Expected Value |
|---|---|---|---|
| Ransomware incident (recovery + downtime) | [X]% | €4.5M | €[X * 4.5M] |
| Regulatory fine (DORA / NIS2 / national) | [X]% | 1-2% global turnover | €[X * % GT] |
| Data breach notification and remediation | [X]% | €3.8M (per IBM Cost of Data Breach Report) | €[X * 3.8M] |
| Cloud AI vendor price increase / lock-in | [X]% | 200-500% price shock | €[X * shock] |
| Competitive intelligence loss (cloud AI training) | [X]% | Unquantifiable but existential | High |
Calculation:
Expected Loss = Σ (Probability_i × Cost_i)
Present this as: "Without intervention, the organization faces an expected loss of €[X] over 24 months. The proposed program costs €[Y], representing a [Z]:1 return on risk reduction."
Indirect Costs (Narrative)
- Reputational damage: Customer churn, difficulty acquiring new business, talent attrition
- Operational paralysis: During an incident, leadership attention is diverted from growth to survival
- Insurance premium increases: Cyber insurers are tightening terms; resilience demonstrably reduces premiums
- Regulatory scrutiny: A single incident triggers multi-year regulatory attention and reporting obligations
Page 3: Investment Structure
Frame: We spend your money as if it were our own. Configuration first. Purchase only if justified.
Phase-Gated Budget
| Phase | Timeline | Primary Activity | Estimated Cost | Go/No-Go Gate |
|---|---|---|---|---|
| 1. Visibility | Days 0–60 | Kill chain mapping; T0 identity hardening; ASTRAL/PULSAR deployment; T0 backup verified | €[X] (primarily labor) | Day 60: Kill chain documented and T0 hardening complete |
| 2. Control | Days 60–120 | MFA for all users; CA baseline; attack surface reduction; vendor hardening | €[X] (labor + minimal tooling) | Day 120: MFA enforced 100%; P0/P1 vulnerabilities closed |
| 3. Signal | Days 120–180 | Detection rules; alert runbooks; knowledge transfer; housekeeping stream operational | €[X] (labor) | Day 180: Client operates independently; housekeeping running |
| 4. Retained capability | Ongoing | Quarterly retained scope; detection engineering; housekeeping; structural improvements | €[X]/quarter | Ongoing: measurable queue reduction; annual BloodHound/Elysium |
| Total (180-day programme) | 180 days | | €[X] | |
Cost Categories
| Category | Typical % of Budget | Description |
|---|---|---|
| Consulting / Labor | 60-70% | Configuration, process design, training, documentation |
| Existing Tool Activation | 0% | Included in current licensing; no new purchase |
| Local AI Infrastructure | 10-20% | Hardware or sovereign cloud for inference (only if pilot justifies) |
| External Testing | 10-15% | Red team, penetration testing, regulatory validation |
| Training / Change Management | 5-10% | Security awareness, champion programs, board briefings |
Compare to Alternatives
| Alternative Approach | Cost | Timeline | Risk |
|---|---|---|---|
| Do nothing | €0 | — | Expected loss €[X] over 24 months; growing regulatory exposure |
| Traditional security audit | €[X] | 90 days | Produces report; no structural change; findings age immediately |
| Full E5 licensing upgrade | €[X]/user/year | 30 days | Solves tooling gaps; does not address architecture, process, or accumulated technical debt |
| Managed security service (MSSP) | €[X]/month | Ongoing | Outsources detection; does not reduce structural fragility; dependency without capability transfer |
| Antifragile programme (this proposal) | €[X] | 180 days + retained | Structural change, regulatory evidence, measurable kill chain closure, client operational independence |
Page 4: Return on Investment
Frame: The return is not revenue. It is avoided cost + preserved optionality + regulatory license to operate.
Quantifiable Returns
| Return Category | Calculation | 12-Month Value | 24-Month Value |
|---|---|---|---|
| Avoided ransomware recovery | Probability reduction × €4.5M | €[X] | €[Y] |
| Avoided regulatory fine | Probability reduction × % GT | €[X] | €[Y] |
| Insurance premium reduction | 10-20% reduction on cyber premium | €[X] | €[Y] |
| Audit preparation time reduction | ASTRAL Git trail replaces manual evidence gathering for ISO 27001, NIS2, DORA | €[X] | €[Y] |
| Reduced incident response cost | Faster detection and containment | €[X] | €[Y] |
| Total Quantifiable Return | | €[X] | €[Y] |
Strategic Returns (Narrative)
| Return Category | Description |
|---|---|
| Regulatory agility | Demonstrable continuous controls and resilience accelerate regulatory approvals, certification audits, market entries, and partnership due diligence |
| Talent retention | Engineers and security professionals prefer organizations that invest in durability over firefighting |
| M&A readiness | Clean identity architecture, tested recovery, and documented controls increase valuation and reduce due-diligence friction |
| Vendor negotiation leverage | Documented exit architectures improve negotiating position with all major suppliers |
ROI Summary
ROI = (Total Return - Total Investment) / Total Investment × 100%
Present as: "This program delivers a [X]% return in year one, rising to [Y]% in year two, with strategic optionality that compounds beyond quantification."
Page 5: Risk and Sensitivity Analysis
Frame: We are honest about what could go wrong. That honesty is why you should trust us.
Program Risks
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Operational disruption during hygiene phase | Medium | Medium | Changes executed in maintenance windows; rollback procedures documented; "get out of jail free" executive authorization |
| Client team capacity constraints | High | Medium | Weekly sprints with clear priorities; we do the heavy lifting; client provides decisions, not labor |
| Scope creep | Medium | High | Ruthless phase gating; kill chain prioritization; deferred items tracked for future phases |
| Tool activation reveals deeper problems | High | Low | This is the point. Early discovery is cheaper than late discovery. |
| Executive sponsor departure | Low | High | Board-level endorsement; documented in steering committee minutes; knowledge transfer at each phase |
Sensitivity Analysis
| Scenario | Investment Adjustment | Outcome |
|---|---|---|
| Best case | No additional tooling needed; client IT team engaged and responsive | Programme completes on timeline; all value from configuration; client operational independence achieved at day 180 |
| Base case | Minor tooling additions; moderate IT team availability; some change management friction | Programme completes with 2–4 week slippage on Phase 2 (MFA rollout change management is the usual bottleneck); strong kill chain closure and detection capability |
| Challenging | Significant technical debt discovered in Phase 1; IT team constrained; change windows infrequent | Phase 1 extended by 4–6 weeks; Phase 2 scope narrowed to kill chain critical path; programme value is still genuine — the findings alone are worth the investment; honest client conversation required at day 60 gate |
| Abort condition | Executive sponsor departure; IT team fully occupied by another major project; scope fundamentally different from discovery call | Programme paused or stopped at the next gate. Partial phases produce partial value — ASTRAL/PULSAR deployed, kill chain documented. Better to stop honestly than to produce a report that nobody acts on. |
Page 6: Recommendation and Next Steps
The Ask (Full Programme):
"We recommend approval of a 180-day antifragile enterprise programme, structured in three 60-day phases with hard go/no-go gates. The initial 60-day investment is €[X] with a defined deliverable: the kill chain documented, T0 accounts hardened, and ASTRAL/PULSAR deployed. If the kill chain is not closed by day 60, the programme stops with no further obligation. The 180-day programme produces a hardened foundation and a client team that can operate it independently — not a complete transformation. What comes after that is a retained capability engagement, scoped separately."
The Ask (Modular Alternative):
"Alternatively, we can start with a single, fixed-scope module chosen based on your highest-priority pain. Each module is 30-60 days, fixed price, with defined deliverables and a hard stop. If the value is proven, we proceed to the next module. If not, you have still received a complete, bounded solution. See Modular Engagements for the module menu."
Immediate Next Steps:
| Step | Owner | Timeline |
|---|---|---|
| Executive sponsor designation | CEO / Board | Week 0 |
| Steering committee scheduling | COO / Chief of Staff | Week 0 |
| Data room access (AD, cloud IAM, network diagrams) | CISO / IT Director | Week 0 |
| SOW execution and kickoff | Procurement / Consultant | Week 1 |
| Week 1 stakeholder interviews | Consultant | Week 1 |
| Day 30 steering committee and go/no-go | Executive Sponsor | Day 30 |
Vertical-Specific Financial Adjustments
Banking
- Regulatory fine exposure: DORA fines up to 2% of global turnover; use client's actual global turnover
- SWIFT CSP non-compliance: Potential disconnection from SWIFT network; catastrophic for international payments
- PSD2 SCA failure: Transaction rejection rates, customer abandonment, regulator attention
- Insurance context: Many banks are self-insured for cyber; frame as direct balance-sheet protection
Telco / Power (Critical Infrastructure)
- NIS2 penalties: Up to €10M or 2% of global turnover (whichever is higher)
- Operational downtime: Power outages measured in €/minute; telco downtime in subscriber churn
- National security implications: Some incidents trigger government intervention or nationalization risk
- Supply chain: Single vendor failure can disable critical infrastructure; optionality has direct monetary value
Generic Enterprise
- Ransomware: Primary quantifiable risk; use industry averages if client-specific data unavailable
- Business interruption: Use revenue/day × estimated downtime
- Reputation: Use customer acquisition cost × estimated churn from breach notification
The CFO Conversation: Key Metrics
When presenting to the CFO, lead with these metrics and no others:
- Expected loss without intervention (24 months): €[X]
- Program cost: €[Y]
- Risk reduction ROI: [Z]%
- Cash payback period: [X] days
- Probability of material incident: [before]% → [after]%
Everything else is supporting detail.
Template Appendix: Client-Specific Worksheets
Worksheet 1: Revenue at Risk
Annual revenue: €_________
Revenue per day: €_________ (annual / 365)
Critical system downtime tolerance: _________ days
Revenue at risk from downtime: €_________ (revenue/day × tolerance)
Worksheet 2: Regulatory Fine Exposure
Global turnover (if applicable): €_________
Applicable regulation: [DORA / NIS2 / National / None]
Maximum fine %: _________%
Maximum fine €: €_________
Probability of fine (current): _________%
Expected fine exposure: €_________
Worksheet 3: Cloud AI Cost Trajectory
Current monthly cloud AI spend: €_________
Projected 24-month spend: €_________
Local AI infrastructure cost: €_________
Break-even month: _________
24-month savings: €_________
Data leakage risk (narrative): [Eliminated / Reduced / Unchanged]
For the board conversation guide, see C-Suite Conversation Guide. For the one-page executive summary, see Executive Summary.