I need to create a business case for phishing risk and demonstrate true business impact. I need this for a board presentation, and any data, information/charts, links, or vendors (with tentative costs) will be useful... please share.



  • If we go by recent attack trends, more than 90% of compromises start with phishing attacks. For the presentation you can take the example of damages caused within your organization by a compromise that started with a phishing attack, or find an example from a similar industry. Any example with a monetary value should do the trick. This can be followed by highlighting the current security posture of your organization in dealing with such attacks and what additional measures can be taken to prevent the attack. The cost of all the additional controls should be less than the cost of an actual compromise. As recommended by a few of the colleagues here, a phishing attack simulation and the ability to track and record user behaviour should help to get the stats.
  • A simple phish on leaders before you meet them and present the results will be an eye-opener :-).

  • Include a slide drawing attention to the world's biggest incidents that have occurred in the last 2 years due to lack of awareness of phishing, and the corresponding brand and revenue loss.
    Propose how the entire solution can be built using open source (Gophish is one option) with minimum investment, and can be enhanced in-house to meet org-specific needs.
    Include a slide on a tentative timeline for rollout and asks.
  • You can simulate a phishing exercise and present the statistics to management. I think that statistic, along with the list of internal threats due to human behaviour, shall do the trick.

  • Research and use stats on recent data breaches related to phishing, both in your industry and globally. Phishing is still the predominant method compared to sophisticated attacks.
    Another effective way to build a use case would be to conduct a phishing simulation within your organisation (target everybody who has the capability to send and receive email outside the company). The results will speak for themselves and ensure the right investments are supported around strengthening user awareness and procedural and technical controls. Phishing simulation is a very inexpensive way to build a strong use case.
    In case you do not have strong detection, it is likely that your org may already have witnessed a phishing attack/data loss. A compromise assessment will establish it and provide a very strong and dirty use case to channel the right investments.