How Much Time Should You Spend On Your Password Management Business Case?

How Much Time Should You Spend On Your Password Management Business Case?

The Pain of Password Failure

It’s one of the worst case scenarios that worries security professionals: suffering a hacking incident and struggling to respond to the crisis. Alas, that’s only one way that password failure hurts organizations. Outside attacks grab the media’s attention, but they are not only security risk. Internal fraud by current and past employees and contractors is a major concern. IBM research reported in the Harvard Business Review found: “60% of all attacks were carried out by insiders.” Weak passwords contribute to that risk.

The Promised Land of Password Success

What would life be like if you had a successful, automated password management solution in place? Your password complexity policy detects and prevents weak passwords like “123456.” Your managers breathe a sigh of relief as they no longer have to track identity manually. Finally, your help desk staff celebrates because they will no longer have to answer password inquiries. If you’ve lived through the frustration of antiquated password management, you know the value of improving. However, you will still need to create a password management business case.

Creating Your Password Management Business Case Quickly

Use the following step by step process to create your business case. Don’t skip on the background preparation steps — they set you up for success. Depending on your schedule, these steps will take a few hours spread over a week to complete. It might take longer if you are in a public company or in a highly regulated industry like banking, healthcare, or defense.

1. Research your company’s business case process

Before you call a vendor or talk to security experts, find out how business cases are used and approved at your company. Look for the following:

  • Business Case Form. Is there a form, spreadsheet, or similar document that must be completed for business cases? If there is no form or defined process, you may simply have to make a presentation to your manager to move ahead.
  • Business Case Timing. Some companies only approve new business cases, especially for large and complex technology, on an annual basis.
  • Who Approves The Business Case? Who exactly will make the final decision on the business case? For example, you might need the approval of the chief information officer.
  • Find examples of approved business cases. Using your internal network, meet with two other colleagues who have recently had new projects and business cases approved. In particular, seek to find out about mistakes you can avoid and questions that executives ask.

Tip: What if your company doesn’t have a business case document? Use the Technology Business Case Template from the City of Tacoma as a starting point to organize your information.

2. Discover the company’s cybersecurity projects and priorities

In contrast to funding a new product, cybersecurity projects do not generally produce profits. Instead of creating a traditional return on investment business case, you can make a business case based on other factors. Start by finding out about the organization’s cybersecurity priorities for the year. If the company is seeking to stretch dollars, the productivity benefits of password management may be appealing.

3. Gather evidence: the cost of the password status quo

There are two types of evidence to gather for your password management business case. First, seek out quantitative information: number of password resets handled by the help desk, audit findings related to security, and time required to carry out password administration. Whenever possible, aim to translate those findings into dollar amounts. Second, look for stories showing the frustration caused by poor passwords.

4. Gather evidence: the success of comparable organizations

This may be the most difficult step of the business case, but don’t let that fact discourage you. Here’s how you find organizations that have successfully implemented password management: ask vendors and consultants in the identity and password management industry for references. Once you have that information, find out the benefits they achieved. As with previous steps, look for numbers and stories in your research.

Tip: When possible, seek examples in the same industry because such examples will be more credible in your business case.

5. Test the business case with an audience

By this point, you have gathered your insights and understand how decisions are made at the company. If you have followed along, you are already better prepared than the majority of people seeking funding for their ideas. That said, a collection of data and stories is usually not enough to win approval — you need to present it.

For the best results, present your findings to a test audience similar to the ultimate approver. By organizing your ideas and answering question, you will be much better prepared for the actual presentation. If you know “Vice President Jane Smith” will make the ultimate decision, make your test business case presentation to somebody who knows how she thinks. That will help you anticipate her questions and preferred presentation approach.

6. Identify the right forum to present your business case

If you are in a small company, you can skip this step. If you are in the Fortune 500 or another complex organization, read on.

Companies have established processes for managing new project and implementation requests for a good reason. If they allocate $10,000 or $100,000 to password management this year, they may have to say no to another request. That’s why you will need to consider the right place to present your business case. It may be a management committee or a specialized body that considers new projects. In some instances, you may have to present your business case to several committees to move ahead.

7. Win approval to implement password management

It’s game day! Walk into the presentation room and guide your audience through your business case for password management. At the end, remember to “ask for the order:” approval to spend money and resources. Note that you may be asked to make a follow up presentation to address questions or to win the support of other important stakeholders like the IT project team.


The Biggest Cybersecurity Threats Are Inside Your Company by Marc van Zadelhoff (Harvard Business Review)

Building a Business Case for Information Security (

Technology Business Case (City of Tacoma, Washington)

Written by Nelson Cicchitto