28 November 2024

Build a Business Case for Cyber Recovery Assurance

Cyber recovery assurance is a relatively new concept, but one that is quickly becoming essential for most organisations. Driven by the rapid evolution of cyber threats and a new generation of operational resilience regulations (including DORA, FISMA, PRA, and NIS2), cyber recovery innovation is thriving.

If you have evaluated the options but are struggling to get stakeholder buy-in or secure the budget for the technology you need, you are not alone. After all, it is not as if your business hasn’t already invested extensively in security and business continuity projects.

As the title suggests, the purpose of this article is to help you build a business case for your cyber recovery project. We will quickly explore the ‘why’ of cyber recovery, but the focus will be more on answering the following questions:

  1. Which department should pay for a cyber recovery project – infrastructure, security, or business continuity?
  2. What does this solution replace in my existing security, storage, or disaster recovery arsenal?
  3. How do I justify this expenditure to my financial officer?

Why Cyber Recovery Matters

After the terrorist attack on the World Trade Center in 2001, many companies scrambled to build out mirrored datacenters. Prior to this event, it was mainly the banks who could justify the expense of synchronous replication to a second or third site. As the cost of storage came down, more industries followed suit.

Since then, the threat landscape has grown and morphed, but the methods of defence have not kept pace.

The traditional threats to business continuity haven’t gone away – fires, floods, power outages, and terrorist activity – but now you must plan for cyber incidents too. In a cyber attack scenario, replication only exacerbates the problem: encrypted or corrupted data is faithfully copied to the second site. In 2024, ransomware attacks increased both in frequency and sophistication. Cyber criminals have increasingly targeted high-value sectors such as critical infrastructure, healthcare, telecommunications, and financial services.

The Growing Importance of Backups

The new threat of cyber attacks threw a spotlight on backup. Prior to this development, the backup market had started to move away from tape-based solutions – which were slow and difficult to manage – towards disk solutions. While this meant much faster recovery, it was at the expense of the ultra-safe, air-gapped tape copy – often stored in an off-site vault.

Suddenly, backup became part of the cyber problem. Threat actors were increasingly targeting backup repositories, and despite massive investment in security and disaster recovery, the ability of companies to avoid having to pay a ransom was actually decreasing. This represented a colossal return-on-investment failure of risk management.

While secure backup is critical, so is speed of recovery, so ‘rewinding’ to tape-based solutions stored in off-site vaults or underground bunkers doesn’t solve the problem.

The rise of Recovery Assurance technologies has been driven by the need to guarantee that backups are safe and recoverable before they are called on in a crisis.

What is a Cyber Recovery Cleanroom?

Arguably the cornerstone of any Recovery Assurance solution, a cyber recovery cleanroom is quickly becoming a necessity for operational resilience in many organisations.

A cleanroom is a secure, isolated environment designed to proactively recover critical data and systems both before and after a cyber incident. It is physically or logically separated from the main IT infrastructure to keep it safe from malware and unauthorised access.

With a cleanroom, users can validate the integrity of data before restoring it, ensuring that only clean, uncompromised data is reintroduced to the network. For a deeper dive into Cyber Recovery Cleanroom solutions, read our guide.

Aligning Cyber Recovery Assurance with Business Goals

According to Sophos, the average ransom in 2024 is $2.73 million. That’s an increase of $1 million from 2023.

On top of the cost of the ransom itself, organisations also face loss of income, and reputational damage. The CrowdStrike outage in July 2024, which wasn’t even a malicious attack, led to a combined loss of $4.5 billion for the Fortune 500 companies. Read the Guardian article.

If the need to recover from backups is increasingly likely, any solution which increases the predictability, while also decreasing the time to recover, will clearly align with the business goals of continuity and operational resilience.

Next, we will start to look at building a business case. Before we do, consider that the average cost of running a datacentre for a medium-sized company is between $5m and $15m per year (based on a mid-sized Russell 2000 company).

A second datacentre is designed for the old threat landscape of high-impact low probability events. A recovery assurance solution is designed for both new and old threats and costs a fraction of traditional disaster recovery.

Quantifying the Financial Risks of Inaction

Step 1 – Calculate downtime cost

As a rule of thumb, the average cost of an hour of downtime for mid-sized businesses is $84,650, making prevention a high-priority investment. This cost varies dramatically across industry sectors, so the first task in building a business case is to catalogue your applications and calculate the cost of an hour of downtime for each one.

Step 2 – Measure restore time

For each application add the time to restore from backup, assuming the backup is validated and safe to restore to production. Don’t know your restore time from backup? You are not alone. Organisations typically restore less than 1% of their data from backup in any given year.

A Recovery Risk Report can quickly give you insights into your backup environment and will help you understand the recovery time for each application.

Step 3 – Calculate Risk Premium

Map as many downtime-creating events as you can for which a recovery from backup might be required. Rank them based on likelihood and severity of impact. Examples include a localised server failure, a datacentre power outage, database corruption, or a cyber or terrorist attack. Calculate the Risk Premium for each event. Here is an example:

Probability (P) is 1 in 50 in any given year, which is a 2% (0.02) probability.

Cost of event (C) is $1,000,000.

The formula is Risk Premium = P × C.

In this case, Risk Premium = 0.02 × 1,000,000 = $20,000.

You could add more sophisticated techniques such as quantitative risk analysis (QRA) or Monte Carlo analysis, which considers many more variables and would be recommended for large projects.

Using this technique, or simply knowing your annual cyber insurance premiums, will help you present a business case to a CFO in language they understand. In the example above, if the solution costs $20,000 or less, you would expect little resistance from executives.

Step 4 – Create a Risk Matrix – Likelihood vs. Impact

Following on from Step 3, present the data in a Risk Matrix such as the one shown below.

Step 5 – Create a Cyber Resilience ROI matrix

There is no single solution which can eliminate the risk of downtime from either a power outage or a cyber-attack. Building resilience is a journey. It’s about managing risk and taking a pragmatic approach to prioritisation. Some steps will be small, others will be much bigger.

For more information read the Closing your Cyber Recovery Gap eBook.

Once you have identified the recovery gaps in your organisation, map them out on a cost vs impact matrix (example below).

In the final assessment, it’s a judgement call. For example, if a data breach is estimated to cost your company $5 million, is an additional $200,000 investment in a cyber recovery cleanroom an appropriate one to dramatically reduce that impact?
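The five steps above carried through in code, as an added example that is not Predatar’s own tooling: it uses the article’s $84,650/hour rule of thumb and its 0.02 × $1,000,000 case, while the other event figures and the likelihood/impact band thresholds are constructed assumptions.

```python
"""Steps 1-5 above in code: downtime cost, restore time, Risk Premium (P x C),
risk matrix and cost/benefit check. Added example, not Predatar's code."""
from dataclasses import dataclass
@dataclass
class RecoveryEvent:
    name: str
    probability: float    # annual likelihood, e.g. 1:50 in a year -> 0.02
    restore_hours: float  # Step 2: validated restore-from-backup time
    hourly_cost: float    # Step 1: cost of one hour of downtime for the app

    def cost(self) -> float:
        """C: downtime cost of the event = restore hours x hourly cost."""
        return self.restore_hours * self.hourly_cost

    def risk_premium(self) -> float:
        """Step 3: Risk Premium = P x C (annualised expected loss)."""
        return self.probability * self.cost()

def likelihood_band(p: float) -> str:
    """Constructed matrix bands; adjust thresholds to your risk appetite."""
    return "high" if p >= 0.2 else "medium" if p >= 0.05 else "low"

def impact_band(cost: float) -> str:
    return "high" if cost >= 1_000_000 else "medium" if cost >= 100_000 else "low"

def rank_by_premium(events):
    """Step 3: rank events by likelihood x severity, highest first."""
    return [e.name for e in sorted(events, key=RecoveryEvent.risk_premium, reverse=True)]

def risk_matrix(events):
    """Step 4: group event names into (likelihood, impact) cells."""
    cells = {}
    for e in events:
        cells.setdefault((likelihood_band(e.probability), impact_band(e.cost())), []).append(e.name)
    return cells

def annual_exposure(events) -> float:
    """Sum of all risk premiums: the yearly cost of inaction."""
    return sum(e.risk_premium() for e in events)

def investment_justified(events, solution_cost: float) -> bool:
    """Step 5: a solution priced at or below the premiums it addresses."""
    return solution_cost <= annual_exposure(events)
# Constructed sample catalogue ($84,650/h is the article's rule of thumb; the last entry is its 0.02 x $1M example)
SAMPLE_EVENTS = [
    RecoveryEvent("localised server failure", 0.25, 4, 84_650),
    RecoveryEvent("datacentre power outage", 0.10, 12, 84_650),
    RecoveryEvent("database corruption", 0.05, 30, 84_650),
    RecoveryEvent("cyber attack", 0.02, 10, 100_000),
]
```

Feed your own application catalogue into `SAMPLE_EVENTS` and compare `annual_exposure` against the quoted solution cost to get the CFO-facing number.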

Whose budget is it anyway?

According to a Splunk article, since the pandemic IT security spending has experienced notable growth as organisations adapt to increasing cyber threats and digital transformation challenges. Recent data indicates global year-over-year growth in security and risk management spending of 14.3% in 2024, reaching $215 billion, compared to $188.1 billion in 2023. This expenditure far outweighs the equivalent figures for the backup and recovery market. And yet cyber insurance premiums continue to rise, suggesting the return on this investment has been poor.

Where to allocate the budget for a cyber recovery assurance project depends on its primary objectives, who stands to benefit, and who will manage it.

The considerations below are based on implementing a Cyber Recovery Cleanroom. Arguably, the security team stands to benefit the most, but here are some options to think about:

  1. Infrastructure team (storage and backup).
    If the cleanroom will integrate with existing IT systems, ensure robust technical functionality, and automate manual backup administration tasks, assigning the budget to the infrastructure team is ideal. They can manage the hardware, software, and operational aspects efficiently.
  2. Security (CISO).
    When the cleanroom is aimed at mitigating advanced cyber threats or meeting compliance standards, the security team should oversee the budget. This ensures alignment with threat response and regulatory requirements, making the cleanroom a critical cybersecurity asset.
  3. Business Continuity (CFO / Compliance officer).
    For minimising downtime and operational disruptions, the business continuity team is best suited to manage the cleanroom budget. This allocation could also help compliance officers meet regulatory requirements such as NIS2, DORA or GDPR. For a highly regulated business, a fine of 2% of revenue should be factored into any cost-benefit analysis.

Ultimately, a cross-departmental approach provides the most comprehensive justification for the budget, ensuring alignment with technical, security, and business objectives.

How to get started?

If you are still struggling to get the commercial buy-in having followed the 5-step approach above, we suggest documenting your current recovery risks to provide additional evidence to support the business case. Predatar’s Recovery Risk Report evaluates vulnerabilities in recovery processes, identifying gaps in backup integrity, disaster readiness, and cyber resilience. This tool quantifies potential risks and impacts, enabling organisations to justify investment in cyber recovery assurance by demonstrating tangible benefits in operational continuity and reduced risk exposure.

Conclusion: Investing in Confidence and Resilience

Building a business case for cyber recovery assurance requires aligning its value with organisational goals like operational resilience, data integrity, and regulatory compliance. By quantifying downtime costs, assessing recovery times, and evaluating risks, buyers can clearly demonstrate the financial and operational benefits. Assigning responsibility—whether to infrastructure, security, or business continuity teams—depends on the project’s primary objectives and impact areas. Ultimately, a collaborative approach ensures the investment supports both technical needs and strategic priorities, reducing risk and enhancing preparedness for evolving cyber threats. Use tools like Predatar’s Recovery Risk Report to strengthen your case with actionable insights.
