Five Steps to a Bulletproof Business Case for MDR

Tackling your toughest threat — budget approval

For many cybersecurity leaders, the most intimidating threat they encounter isn’t an adversary — it’s the daunting prospect of trying to win over key business stakeholders and obtain vital budget. Especially in today’s economic climate, making the case for why new cybersecurity initiatives, like the addition of a managed detection and response (MDR) service, should be funded and prioritized over other competing business (or security) initiatives can feel like a fool’s errand. But it doesn’t need to be.

Fortunately, whether you’re charged with protecting a small to medium-sized business (SMB) or a global Fortune 500, there are easy and effective methods to build a bulletproof business case and win over even your harshest, most obstinate cybersecurity critics.

Win MDR Budget with Clear-Cut ROI Calculations

Ultimately, convincing the business to allocate resources to a new MDR service hinges on your ability to clearly articulate the business value these added capabilities will provide. Focus on the language and terms that financial decision-makers know best: financial balance sheets and return on investment (ROI).

For instance, which proposal do you think your chief financial officer (CFO) will find more convincing?

Proposal #1: Our security team is too small today. We need more budget for an MDR service that can help us expand our program and better protect our organization against advanced attacks.

Proposal #2: Our security team is too small today. By adding an MDR service, we can make better use of our invested capital with an expected ROI of 403% representing a net present value (NPV) gain of more than $3 million USD annually in added SOC analyst capacity, reduced risk exposure and consolidated software. We also expect to further minimize business disruption and downtime while improving our cyber insurance rates through more favorable terms and conditions. By the way, did I mention that our investment in MDR will also allow us to scale dynamically to the size of our business and will provide us with industry-leading threat hunting and security expertise with 24/7 protection?

Clearly, we’ve phrased the two proposals in such a way that Proposal #2 stands out as the clear winner and the more effective approach to win over your CFO. It stands out because of the business-focused arguments made that are then backed by specific, impactful financial calculations. 

Five Steps to Your Own Bulletproof MDR Business Case

The key to building your business case for MDR is to incorporate concrete, quantifiable benefits and costs based on well-informed, defendable assumptions. Let’s take you through five key steps to show you how you can do this yourself — or skip straight to Step 5 and use CrowdStrike’s new, interactive ROI Calculator for MDR!

Step #1: Document Existing Skills and Coverage Gaps

Let’s face it: The global cybersecurity skills gap is wide and worsening. According to the 2023 ISC2 Cybersecurity Workforce Study, the workforce skills gap has reached record high levels of more than 4 million professionals. And the deleterious effects of this skills gap are real and affecting organizations of all sizes. In fact, 71% of security leaders believe the global skills shortage has negatively impacted their organizations, according to a 2023 ESG study.

The point is you’re far from alone in your struggle to hire, train and retain cybersecurity talent today — and addressing your workforce deficits should rise to the top of your business case. Not only can an MDR service provide the threat hunting and security analyst capacity you need, it can do so more efficiently and effectively, reaching economies of scale that only a dedicated, 24/7 security service can provide. 

Most importantly, the added analyst capacity you gain from an MDR service is sure to be one of your biggest and most straightforward cost savings conversions. For instance, according to CrowdStrike’s ROI Calculator for MDR, we estimate that a 7,000 employee organization seeing an estimated 12,000 new alerts each year will gain the added capacity equivalent of 14 threat hunting and security analyst full-time employees (FTEs) with the CrowdStrike Falcon® Complete MDR service. 

Based on current average threat hunting and security analyst salaries, this represents a present value benefit exceeding $1,750,000 USD per year. Depending on how your organization assigns threat monitoring, triage, and remediation functions, you may also find additional cost savings from reduced workloads with your IT analyst and administrator staff; the Calculator also accounts for some IT cost savings due to platform consolidation and avoided business disruption as a result of improved productivity and reduced support needs across the organization.

Figure 1. Generate your custom report with the CrowdStrike ROI Calculator for MDR


Step #2: Convert Operational KPIs into Financial ROI Figures

Without proper context, security key performance indicators (KPIs) mean little to the technical laypeople and decision-makers responsible for other parts of your business. So while it may sound impressive to you that your new MDR service will significantly expand alert coverage and reduce your overall threat exposure time by thousands of hours every year, budget approvers are far less likely to share the same sentiment unless they understand how it all relates to the business. 

To get your business peers on board with adding an MDR service, you need to convert these operational metrics into quantifiable risk exposure showing the delta between your current exposure and your exposure after an MDR service has been onboarded. As with any risk calculation, it boils down to two figures: the probability that a breach will occur (i.e., risk likelihood) and the cost of a breach should one take place (i.e., risk impact).

CrowdStrike’s ROI Calculator for MDR quantifies risk reduction savings by finding the delta between the risk environments before and after onboarding Falcon Complete MDR, focusing on the reduced likelihood of a breach after Falcon Complete MDR has been deployed. Taking the same example organization with 7,000 employees used in Step #1 and inputting a 65% triage rate of 12,000 yearly alerts, the ROI Calculator projects that by adding Falcon Complete MDR, the organization will expand alert coverage by 4,200 events covered and result in a 9,000-hour reduction in exposure time due to a faster mean time to remediate (MTTR) KPI. Ultimately, this translates into an approximated 55 percentage point reduction in breach likelihood with an annual risk reduction savings over $2,425,000 USD.

Step #3: Apply Conservative Assumptions Throughout

Establishing reasonable assumptions is the cornerstone to any sound financial model. Without proper due diligence and rational skepticism applied to base assumptions, ROI projections are doomed to failure, succumbing to the “garbage in, garbage out” principle that renders any final outputs meaningless.

To avoid this fate, a best practice is to err on the side of caution. For instance, you might project the annual security analyst salary will be $150,000 USD per year with all benefits and bonus compensation added in. But rather than using that figure in your model, you apply a lower salary of $115,000 USD to ensure the projected salary savings with your MDR service are easily attainable.

While this cautious approach curtails the upside potential of your net returns, it ensures you can defend any degree of scrutiny into your ROI projections.

Step #4: Add Ancillary Business Benefits

Adding an MDR service comes with many ancillary benefits for your business even beyond the three biggest benefits of increased analyst capacity output, risk reduction savings and platform consolidation. In addition to these wins, your organization is likely to see other tangible and intangible improvements you can incorporate into your business case.

Avoided business disruption and improved cyber insurance rates are two additional benefits to incorporate into your ROI calculations. With the addition of Falcon Complete MDR, you’re likely to see a marked reduction in the number of device infections. As a result, the employees using those devices avoid wasted downtime while your security and IT administrators avoid time spent reimaging and recovering these devices.

Moreover, Falcon Complete MDR provides an inclusive, no-red-tape breach prevention warranty at no additional cost to qualifying customers — we stand strongly behind the services we deliver. And as a result, many customers report receiving improved cyber insurance rates from their provider due to the combination of the warranty and the strong industry recognition of our services. For a 7,000-employee organization, the ROI Calculator for MDR estimates the expected cyber insurance savings to be above $90,000 USD per year.

Step #5: Generate Your Tailored ROI Report in Seconds

Want to skip the time-consuming hassle of building an MDR business case on your own? Try out CrowdStrike’s new, interactive ROI Calculator for MDR. Using this interactive model, you can quickly adjust the ROI projections to reflect the size and parameters of your existing organization and see the expected cost savings. You can also download a PDF report with more detailed cost-benefit analysis specific to your organization’s profile to share with your colleagues.

Additional Resources

Related Content