
How to Create a Business Case for Security Software

March 18, 2019


Making the decision to invest in software is no small feat, and most requests for implementing a software solution are met with resistance and the dreaded “we don’t have budget for that.”

Here at Resolver, we understand how challenging it can be to get approval for software that the leadership team might not see as critical to business performance. But, when it comes to Incident and Investigations Management, can you really afford not to?

The challenges that brought you here today are, unfortunately, very common. Though corporate security teams are tasked with ensuring that the locations, people, and assets associated with the organization are kept safe, secure, and protected, they usually receive minimal budget to get it done. This is further complicated when these teams look to executives or the leadership team to support them in their initiatives, especially when the ask is for software. Every business is inundated with priorities and burning issues at every corner. So, how do you ensure that your organization moves forward with the solution that will help you do your job more effectively and better protect the organization? You make a crystal-clear business case.

Though the approach outlined in this guide is more specific to building a business case for software, the approach and tools provided can also be used to make a case for most security investments beyond software.

Ask the Tough Questions and Paint the Picture

First, you have to be able to answer these simple questions:

  • What are you currently not doing?
    • Ex: We are currently not tracking incidents in an effective and repeatable way, leading to more incidents with potential
  • What could you be doing?
    • Ex: Keeping track of all incidents in a clear manner so that we can analyze trends and activate controls and safeguards in areas that are proven to be high

These questions will provide you with the basis for your business case. When it comes to Incident and Investigations Management software, it’s helpful if you can provide a full picture of what the organization is doing, which most of the time is highlighting the areas that it is missing. If you’re currently unable to capture all of the incidents that take place, highlight that. Make sure to clearly identify the risk involved in those gaps.

For example, we have seen users double the number of incidents that get reported when moving from Excel or manual incident reporting to an online tool. That doesn’t mean that they didn’t exist before; their team just wasn’t capturing them effectively. But how can you be proactive in reducing the number of incidents and reducing investigation time if you aren’t properly capturing them? Here at Resolver, we help our customers reduce the frequency and severity of negative events that are impacting organizational success.

Build Your Case

Imagine for a second a world where you didn’t rely on Excel to produce, report on and present incident reports. If you didn’t have to chase information, collate spreadsheets, comb through emails and track down documents, what would you do with that extra time? With Resolver, users log in and are able to see exactly what they have to do in simple language with clearly defined fields, giving you access to all of the information you need at the click of a button.

When building the business case for an investment in security, it’s imperative to highlight the opportunities hiding in the missed reporting. Not sure where to start? We’ve developed an ROI calculator to help you think through the sources of value and conduct a rough quantification of the potential return.

Now that you’ve run the numbers, you have more leverage to prove that software is worth the investment. But that still might not be enough. We’ve created a template to help you prepare your business case. Below, you’ll find a step-by-step breakdown of what your business case should consist of, as well as sample information, especially as it relates to Resolver’s Incident and Investigations Management software.

Executive Summary

This section should provide general information on the issues surrounding the business problem and the proposed project or initiative created to address it. Usually, this section is completed after all of the other sections of the business case have been written. This is because the executive summary is exactly that, a summary of the details that are provided in the following sections of the document.

Business Need

This section should briefly describe the business problem that the proposed project will address. This section should not describe how the problem will be addressed, only what the problem is.

For example, use this section to complete an internal needs analysis. “We aren’t accurately capturing all incidents. By not doing this, we could miss something and open ourselves up to potential risk. We are struggling to see the full picture. This software will help us solve these challenges.” Finish it off with this sentence: “We’ll be able to do this {your goal} and see this result {your goal}.”

Anticipated Outcomes

Describe the anticipated outcome if your organization were to move forward with software. It should also include how you expect the software to reduce the net impact to risk and ultimately benefit revenue.


Summarize the approach for how software will address the business problem. This section should also describe how desirable results will be achieved by moving forward with the project.

  • Three reasons why you need this software
  • How you’ll see an improvement
  • Companies like ours {add in company name here} use this software

Organizational Impact

How will this solution modify or affect organizational processes? For example, what does communication look like with the end-user of this software? The key here is to document the pain that your end-user is experiencing and communicate openly and clearly with them about how they’ll benefit from adopting this solution.


Clearly explain why software should be implemented and why it was selected over other alternatives. Where applicable, quantitative support should be provided and the impact of not implementing software should also be stated.

Cost/Benefit Analysis

Many people consider this to be one of the most important parts of a business case. It outlines not only the investment that you’re asking your organization to make, but also the tangible, financial benefits of doing so.

This is a great place to use the data that you gathered in the Resolver ROI calculator. Use the data captured to paint the picture of the cost of not investing in Incident and Investigations software.


Your leadership team will appreciate you clearly outlining any associated risks with investing in software. Though risk varies from company to company, here are a few that many people are concerned with, especially when it comes to adopting new technology:

  • Will there be a learning curve?
  • What does the training program look like? How long will it take?
  • How do we ensure that users adopt and use the software?
  • How can we ensure that we get a return on this investment?

When building your business case for software, be clear, be specific and highlight the potential impacts to revenue. Whether that’s in incidents reduced, programs put in place or fines mitigated, your leadership can’t refuse facts that will not only protect their business, but their bottom line.

How Resolver Can Help

Resolver helps our customers become secure and resilient; ready to respond to every threat and opportunity. Our intuitive integrated risk management software for mid to large-sized organizations includes solutions for risk management, corporate security, business resilience, and IT risk. Resolver enables these teams to drive user adoption, share data more effectively, streamline operations and provide more actionable insights throughout the organization.