What is "IB strategy" that Business will understand

History that repeats itself in companies of any size

A working information security strategy is not just a document with slides. It is an agreement on what risks the business is willing to accept and which ones it is not. Everything else is tools for implementing that choice.

Why the IS strategy does not start with slides

A medium-sized company. One system administrator is responsible for everything. The owner does not ask about the strategy. The administrator acts on intuition. Antivirus is installed, backups are done once a week, passwords are changed once a year. Then a ransomware attack occurs. The owner pays. Because a weekly backup means a week of downtime. A week without shipments, without invoicing, without incoming payments. Customers leave for competitors. Direct losses are the salaries of employees who are idle. Indirect damage is reputation and lost contracts. Lost contracts are estimated at several months of revenue. The owner pays the ransom not because he believes in successful negotiations but because every day of downtime costs more than the ransom amount. Then everything returns to how it was.

The administrator thinks that the owner did not heed the warnings. The owner thinks that the administrator did not prevent the obvious. Both are wrong. The reason is that they were speaking different languages.

The gap between technical specialists and business

In a large company, the same thing happens with the board, but in a different way. The information security director prepares a presentation. Ten slides. Three figures on each. Abstract percentages of effectiveness. And gets rejected. Because the board does not see the connection to the real problems of the business. The numbers hang in the air without any ties to the money that the company earns or loses.

The gap is the same in both cases. Technical specialists think in terms of threats. Business thinks in terms of risks. A threat is a DDoS attack. A risk is the unavailability of a service for two days and the loss of contracts. A threat is a vulnerability in the system. A risk is an employee leaving with the customer database and a drop in revenue. While the information security director talks about technical threats, the board does not see business value. When he talks about risks — they hear money.

Why preventive protection remains on paper

Political Complexity of Acknowledging Problems

Why is this gap so hard to bridge? Because proactive protection requires the acknowledgment of problems. Hardening means disabling unused services, removing standard accounts, and setting password policies that require complexity and regular changes. Zero trust means that every request to the system is checked individually, regardless of where it came from. Such measures require the acknowledgment that systems have operated unsafely and that employees are a potential threat. Politically complicated.

It’s easier to buy a tool that promises to detect an attack after it has occurred. It doesn’t require changes. Doesn’t require admissions. This creates an illusion of control.

Incident Response Culture in IT Departments

IT professionals often take pride in their response to crises. The larger the failure, the more their competence shines through. Preventive measures deny them this opportunity. If the system doesn’t crash, no one sees how the specialist protects it. Thus, a hidden counter-motivation arises — not to work too hard on prevention in order to remain in demand at the moment of crisis.

How the Market for Reactive Tools is Structured

The Economics of Visible Effect

The market picks up on this dynamic. Reactive solutions sell better than preventive ones. Their effect is visible immediately. The system caught the attack. The effectiveness of preventive measures is invisible. If an attack hasn’t occurred, it might be due to protection or just luck. This is how the confirmation bias of presence works. We value what we see and underestimate what has been prevented. A specialist who fixes a breakdown receives thanks. A specialist who prevents a breakdown through regular maintenance does not. Similarly, a system that catches an attack receives recognition. A system that prevents an attack does not, because it seems like there was no attack.

How the Cybersecurity Market Profits from Incidents

The more companies spend on detection, the less remains for basic protection. A company buys an expensive monitoring suite but does not set up password policies. Each purchase delays addressing fundamental issues.

As a result, the information security strategy turns into a procurement strategy. A list of tools that should protect against everything. But they do not protect because they are not configured. Or they protect against the wrong things. A medium-sized company buys an enterprise-class solution and cannot configure it. The board of a large company approves a budget for tools that do not solve their specific problems.

How to Translate the Language of Threats into the Language of Risks

The Chain from Technical Threat to Business Consequence

How to fix this? Start not with tools but with risks. What can actually hinder achieving goals? For a company of one hundred people—a week of downtime and loss of customers. For a large company with a board—reputational losses and fines from regulators. For those entering new markets—non-compliance with local requirements.

Let's take a specific technical threat. The lack of multi-factor authentication for administrators. The risk chain looks like this. Compromise of the administrator's account through phishing. Access to accounting systems and the customer database. Data extraction. Sale to competitors or publication. Regulatory fines for personal data leaks. In Russian practice, these fines rarely bankrupt a company, unlike in some jurisdictions. For example, in China, the PIPL law provides for fines of up to five percent of annual turnover, which can lead to bankruptcy. In Russia, the consequences are softer but no less painful—loss of key customers, license revocations, exclusion from tenders. Such a chain shows that this is not about a technical problem but about a business risk that can be assessed in specific monetary terms.

The strategy answers the question of which risks we are willing to accept and which we are not. And how much we are willing to pay to reduce each one. This decision is made by the business, not the technical specialists. After that, the tools are selected. But there is a trap here as well—it's easy to choose those that create the appearance of work. Therefore, effectiveness metrics in business terms are important. Not how many attacks were repelled but how many contracts were preserved. Not how many vulnerabilities were closed but how much expected loss was reduced.

For the presentation, this means refraining from technical jargon. Not implementing a system with event correlation. But reducing response time from two days to two hours. Not hardening. But reducing the likelihood of a successful attack on critical infrastructure.

A working presentation structure

In Russia, management and owners adopt exactly one format for the information security strategy: 10-12 slides, 7 minutes of presentation, zero technical jargon.

The structure of ten slides works because it forces specificity. Three numbers per slide. Three goals per document. Each initiative through business impact and investments.

Slide 1. Title

“Information Security Strategy of Company ‘XXX’

To the General Director and Management Board”

Slide 2. One picture of the state ‘Today’

Three numbers:

- Current maturity level (e.g., 2.7 → 3.4)

- Expected financial losses from cyber risks over the next 3 years without changes (in rubles)

- Amount of the last fine/incident, if any

Slide 3. Target state in 3 years

Three numbers:

- Maturity level 3.8+

- Reduction of expected losses by 78% (specific amount in rubles)

- Information security budget as % of IT budget (e.g., from 4% to 9%)

Slide 4. Three strategic goals (no more)

1. Zero successful attacks with financial consequences

2. Full compliance with all regulators without fines

3. Information security as a competitive advantage (NPS growth of +7 points)

Slides 5–7. Key initiatives (one per slide)

Each initiative in the format:

Title → Business effect in rubles → Required investments → Timeline

Slide 8. Financial model for 3 years

CAPEX/OPEX table by year + ROSI 380%

Show how much money needs to be invested and what benefits we will receive.

CAPEX one-time costs for purchasing systems and licenses. In the first year maximum (we buy the main ones), then minimal (only additional purchases).

OPEX annual costs for team salaries, system support, training. Increase each year as development progresses.

ROSI return on security investment.

This means that for every ruble invested, we prevent losses of 3.8 rubles. It is calculated as the ratio of prevented losses to investments. Example in numbers:

We will invest 143 million over three years. We will prevent losses of 687 million (fines, downtimes, leaks). The net profit is 544 million. It will pay off in a year and a half. It is important for the management to see that money spent on cybersecurity is not an expense but an investment with specific returns.

Slide 9. Risks and Dependencies

We will show the three main business risks and explain how deep protection covers them. Deep protection consists of five independent levels of technical measures. Hacking one does not mean hacking all.

First Level — Perimeter Protection.

NGFW blocks network attacks and malicious traffic at the entrance to the corporate network. WAF protects web applications and sites from exploiting vulnerabilities and SQL injections. Anti-DDoS defends against massive denial-of-service attacks. WAF is deployed in the cloud to protect public services and on-premise for internal applications. Implementation takes 2 months, configuration for business processes takes another month.

Second Level — Protection of Endpoints and Servers.

EDR systems monitor all processes on workstations and servers, block the execution of malicious files, stop data encryption during ransomware attacks, rollback encrypted files to their original state. Antivirus catches known threats, while EDR detects unknown and targeted attacks based on behavior. Deployment for 5000 workstations takes 1 month, training administrators takes 2 weeks.

Third Level — Access and Data Control.

IAM centrally manages access rights, automatically revokes rights upon termination, limits access based on the principle of least privilege. MFA requires confirmation of login via SMS or an app even if the password is compromised. DLP blocks the sending of confidential documents to personal email, prohibits copying the client database to a flash drive, and controls the printing of financial reports. Integration with Active Directory and business systems takes 3 months, pilot implementation in one department takes 1 month.

Fourth Level — Monitoring and Analytics.

SIEM collects logs from all systems into a single database, correlates events, finds anomalies like admin logins at 3 AM or mass data dumps. SOAR automatically blocks suspicious accounts, isolates infected computers from the network, and sends alerts to the SOC. NTA analyzes network traffic, detects hidden communication channels with hackers' command servers, and uncovers lateral movement across the network. Deployment of SIEM takes 4 months, writing correlation rules tailored to business specifics takes another 2 months.

Fifth level — backup and recovery.

Backups of critical systems are made every 4 hours and stored in an isolated network segment inaccessible from the main infrastructure so that ransomware cannot encrypt them. The disaster recovery system automatically brings services up on backup resources within 2 hours. The backup data center in another region takes over critical processes in case of a complete failure of the main site. Building the backup system takes 6 months, with regular recovery drills every quarter.

This architecture mitigates three critical risks. Production stoppage due to ransomware will be halted by EDR stopping the encryption, backups will restore data within 2 hours, minimizing losses instead of 280 million in revenue. Leak of personal data of clients will not happen as DLP prevents data from being exfiltrated, IAM restricts access only to necessary employees, and SIEM will catch anomalous data dumps, avoiding fines and loss of clients. Sabotage or critical errors by an employee will be prevented as MFA will not allow entry with a stolen password, SOAR will automatically roll back dangerous changes, and backups will restore deleted data within 4 hours instead of leading to bankruptcy.

Slide 10. Next steps and request

“I request approval for the strategy and budget of 2.1 billion rubles.”

Three levels of persuasion according to the Roman model

Slides are just the tip of the iceberg. Decisions are made before the presentation. Roman orators taught that persuasion works on three levels.

• Logos — the logic of arguments.

• Ethos — trust in the speaker.

• Pathos — emotional impact.

Modern presentations often focus solely on logos. The correct figures in the financial model. But numbers only convince those who are already inclined to believe.

Ethos is built before the presentation. In the hallways and offices. In conversations with the financial director about the methodology of risk assessment. With the operations manager about the impact of downtimes. With the CEO about reputation. By the time of the presentation, each participant should know what personally concerns them. This preparation is not manipulation but groundwork for an honest conversation.

Pathos is achieved through specific stories of loss. Not abstract threats but real scenarios. What will happen if the system is down for two days? How many contracts will be lost? What penalties will arise? Emotional impact works not through fear but through the realization of specific consequences.

For a medium-sized company, there is no board but there is an owner. And just as important are the conversations before the main discussion. Don’t wait for an incident but show what could happen. Don’t talk about vulnerabilities but speak about customer loss. Don’t ask for money for tools but request a decision on an acceptable level of risk.

Preparation Checklist

Before such a conversation, a preparation checklist is helpful. Specific items can be adapted to scale, but the logic remains the same.

[ ] Identify the three main risks for the business specifically in numbers

[ ] Translate technical threats into business consequences

[ ] Prepare a scenario if nothing is done with specific losses

[ ] Agree on the risk assessment methodology with the decision-maker

[ ] Verify that the requested amount corresponds to the scale of the company

[ ] Test the argumentation on a business person, not from IT

This list does not guarantee success but reduces the likelihood that you are speaking a language that is not heard.

A working information security strategy starts with choosing which risks are acceptable. Everything else is a consequence of that choice and the quality of the conversations that shaped it.