You’ve been hacked. You’ve been hit with a long list of IT security audit findings. It’s time to tighten your defenses. That’s a good time to introduce or expand the use of multi-factor authentication at your company. There’s just one problem. How do you get the other executives in your organization to buy in and support your MFA business case?
Why You Need an MFA Business Case
Start with why you need a business case for multi-factor authentication. As an IT leader, you immediately see the value of MFA. Instead of relying upon a single password that may be easily hacked or lost, your systems will be protected by two, three, or more layers of authentication. Thus, attacking your organization will be dramatically more difficult.
Unfortunately, other executives may see your request for multi-factor authentication as just another IT security budget request. You might be told, “didn’t we already increase the cybersecurity budget this year?” or “we haven’t had an authentication problem, so there’s no need to invest in this piece.” A preference for the status quo is one challenge you face. To overcome that resistance, you need to develop and present a persuasive business case.
Your Step-by-step Business Plan to Build an MFA Business Case
Use each step in the process in sequence, and you’ll have a much greater chance of winning approval.
1. Define the Expensive Problem
You might expect this process to start with an in-depth analysis of multi-factor authentication (MFA) technology. That’s the wrong place to start. Instead, you need to take a step back and ask, “what problem does MFA solve?” Business decision makers tend to be much more willing to approve spending and resource requests when they can see a clear problem to solve.
Some examples of MFA-related problems you could investigate include:
- Partner request: Your company may be pursuing a partnership arrangement with a large technology firm. However, the deal may stall if the partner considers your firm’s security to be weak. Implementing MFA may help show that your organization is serious about cybersecurity.
- Regulatory pressure: In regulated industries such as banking, there’s substantial pressure from regulatory bodies to deliver better cyber defenses. If you’ve upgraded other parts of your defenses but neglected authentication, MFA implementation may become a priority.
- Recent security incidents: Did your root cause analysis of a recent hacking incident highlight poor authentication practices as a contributing cause? If so, that’s a critical problem to solve.
2. Estimate the Benefits of MFA Implementation
You’ve identified the expensive problem that MFA will solve. Now, you need to show what the future will look like after you implement this solution. For example, can you reduce the number of security incidents in half because your systems will be much harder to close? Alternatively, can you tell the sales team to pursue defense contractors because your company now meets their security expectations? During this step, come up with ideas and make sure to validate them with other people in the organization.
Tip: Start with emphasizing risk reduction and productivity gains as the main benefits of your MFA project.
3. Find Appropriate Multi-factor Authentication Solution Providers
Turn your attention to the marketplace to find the MFA solutions that are right for your company. We recommend you choose a solution that leverages industry standards such as FIDO2. With FIDO2, your company doesn’t have to invest in expensive hardware MFA tools. Instead, you can use Avatier to bring this accessible MFA solution to your organization.
Do you want to add biometrics and one-time passcodes for highly sensitive users? Avatier supports these types of multi-factor authentication as well.
4. Outline the Implementation Plan
Think of this step as creating a one-page project plan. Develop a high-level budget, choose the project manager, and estimate how long it’ll take to implement in your organization. If your organization has a PMO (project management office), ask if they have any templates you can use in this step.
5. Present the Business Case for Approval
Your final step is to present the business case to a decision maker or committee to ask for approval. If possible, request the opportunity to present the business case personally rather than submitting a document only. When you present in person, you’ll have the chance to answer questions, which increases the odds of winning approval for your MFA project.
Suppose Your Business Case Isn’t Approved
First, don’t worry, as this happens to the best of them. Consider the most common problems you may encounter.
Wrong Decision Maker
You may have presented to the CIO when the Chief Technology Officer is responsible for security. If you ask the wrong people for approval, you’re sunk before you start. Leverage your internal network to confirm you’re addressing your business case presentation to the right people.
Timing Problems
If you present your business case a month after the annual budget is approved, you’re not going to see a dollar. If you need to go through the annual budget process, find out the timeline you need to follow for new initiatives to be considered next year.
Technical Objections
You may face some tough technical questions when you propose MFA. For example, will MFA decrease productivity? Does the IT team have the skills to support an MFA solution? If you receive these questions, it’s a good sign! Take note of them and ask to come back with answers in a week. If you can provide reasonable answers to these MFA objections, your business case is likely to be approved.