How to Make the Business Case for an AD Security Audit (Without Technical Jargon)
In five years of auditing Active Directory environments at regulated organizations, I've seen the same pattern repeat.
The CISO has the right technical argument. They lose the budget discussion anyway.
The problem is not the argument. It's the language.
When the security lead walks into the boardroom with technical terms that no one else understands, the meeting ends the same way every time: "not this year," "show us the ROI," "we'll revisit it in the next budget cycle." The board is not voting against security. It is voting against what it does not understand.
What I have learned auditing financial institutions, insurers, and energy companies across Europe is that the board does not need to understand the attack. It needs to understand three things: the regulatory obligation that already exists, the cost differential between acting now versus later, and the reputational exposure that never appears in a technical report until it is already too late.
The CISO who speaks in technical terms loses. The one who speaks the board's language wins.
Argument 1: The Regulatory Obligation ("This Is Not Optional Spend — It Is a Legal Requirement")
This is the most powerful argument with any board of a regulated organization, and the one that is most consistently misused.
DORA — Regulation (EU) 2022/2554 on digital operational resilience for the financial sector — entered into force on 17 January 2025. Since that date, banks, insurers, asset managers, and payment institutions have concrete, enforceable obligations. Article 9 requires verified technical controls over identity and access management. Article 13 obliges significant entities to conduct threat-led resilience testing — including technical testing of the organization's identity infrastructure. Your national competent authority is not asking whether you have a policy covering this. It is asking when you last technically verified it.
For entities that fall under NIS2 Article 21, the framing is the same: security of network and information systems must be actively managed and demonstrably maintained. Fines for serious failures in cybersecurity risk management reach up to €10 million or 2% of global annual turnover, whichever is higher.
ISO 27001:2022 control A.8.8 — management of technical vulnerabilities — requires periodic technical verification of the systems that hold your most sensitive assets. The identity directory is the highest-value target in any organization. It is also the least frequently audited.
The correct argument in front of the board is not "we should review our security." It is: "We are not choosing whether to do this. We are choosing whether to do it before our supervisory authority asks for the evidence — or after."
A board that understands regulation understands that argument in thirty seconds.
Argument 2: The Cost Differential ("€5K Now or €3M Later")
The CFO understands costs. The problem is that they usually only see the cost of acting, not the cost of not acting.
A technical audit of an organization's identity directory — conducted correctly, with the compliance report delivered the same day — costs between €5,000 and €15,000 depending on the size of the environment.
The average cost of a data breach in Europe, according to the IBM Cost of a Data Breach Report 2024, is $4.88 million. The financial sector sits consistently above that average. The healthcare and energy sectors are not far behind.
On top of that, add regulatory penalties. Under NIS2, a serious failure in cybersecurity risk management can trigger fines of up to 2% of global turnover. Under DORA, supervisory authorities have the power to impose administrative penalties and require remediation at the entity's expense. And that is before accounting for operational disruption, which in a typical European ransomware incident runs between 15 and 30 days.
| | Audit now | Breach without audit |
|---|---|---|
| Direct cost | €5K – €15K | €2M – €5M (EU average) |
| Regulatory penalty | 0 | Up to 2% global turnover |
| Reputation | Managed | Active crisis |
| Operational continuity | Intact | 15–30 day disruption |
The argument is not "we need to spend money on security." It is: "This is not a security expenditure. It is an insurance premium against a loss that could be 200 to 300 times larger."
Few CFOs have a reasonable answer to that framing.
Argument 3: The Evidence Gap ("A Policy Is Not Proof — A Test Is")
This argument is directed at the CEO and the board as a whole, not just the CFO.
DORA and NIS2 do not ask the organization to be invulnerable. They ask it to demonstrate that it knows its exposure and manages it actively. That distinction is critical.
Without a recent technical audit, the answer to "how do you know your identity directory is secure?" is "we assume it is." And "we assume it is" is not a valid answer to your national supervisory authority, to an external ISO auditor, or to a court in a civil liability proceeding following a breach.
External auditors and supervisory teams are becoming significantly more precise in what they request. Documented policies are no longer sufficient on their own. They want dates of the last technical verification, the results of those verifications, and remediation plans with committed closure dates for open findings.
An organization without that documentation is not audited. It is exposed, and it cannot prove it ever looked.
The argument for the board: "A technical audit is not just about finding problems. It is about having evidence that we looked for them. That evidence has exactly the same value in front of a regulator whether we find something or not."
Argument 4: When, Not If (The Inevitability Argument)
In April 2026, LockBit 5.0 listed Cegasa Energía, a Spanish energy company with over 90 years of history, on its dark web leak portal, with a 15-day deadline to pay before its data was released.
What did not make the headline is what happened before.
According to the Sophos Active Adversary Report 2025, the median dwell time of an attacker inside a network before executing a ransomware attack is 4 days. Four days moving through the network, escalating privileges, taking control of the organization's identity — without anyone detecting it.
The attackers who compromised Cegasa did not find zero-day vulnerabilities. They used access paths that exist by default in any identity directory that has gone more than five years without a deep technical review. That is not an exceptional case. It is the standard pattern.
The argument for the board is not apocalyptic. It is analytical: "It is not whether we will be attacked. It is when — and whether we will know before it is too late."
Four days is enough time to completely compromise an organization if the identity directory has not been audited. Four days is also enough time to detect and contain an intrusion — if you know where to look.
The Mistake the CISO Makes
The CISO presents the technical risk. The board hears noise.
Not because the board is incompetent, but because technical risk is expressed in a language that is not theirs.
The right question to bring to the board is not "do you know what [attack technique] is?" It is: "Can we demonstrate to our regulator that we know where our most critical vulnerabilities are, and that we have a plan to manage them?"
That is a governance question, not a technology question. And governance is the board's language.
The reframe that works is treating identity directory security for what it is: a business risk with quantifiable regulatory exposure, not an infrastructure problem to delegate to the technical team.
When the CISO makes that language shift, the conversation changes.
A 5-Minute Conversation with the CFO
CFO: "Why do we need this now?"
CISO: "DORA entered into force in January 2025. Our supervisory authority can request evidence of technical testing in our next review. Without it, the risk is not just an incident — it is an open regulatory proceeding."
CFO: "How much does it cost?"
CISO: "The audit costs between €5,000 and €15,000 depending on the size of the environment. An average breach in the financial sector costs €4M–€5M before regulatory penalties. It is an insurance premium."
CFO: "What if we find nothing?"
CISO: "Then we have evidence that we looked. That evidence is equally valid in front of a regulator whether or not we find something."
Three questions. Three answers in business language. No technical jargon. No requirement for the CFO to understand anything about how an identity system works.
If you walk into that conversation prepared, the budget stops being the obstacle.
The First Step
If you want to see the real state of your identity directory before preparing that argument for the board, we can run the assessment in your environment and deliver the compliance report the same day.
An ADscan engineer connects via VPN to your network, runs the analysis live while your team observes, and delivers the report that same day with mapping to the relevant regulatory frameworks — DORA, NIS2, or ISO 27001:2022, as applicable. No agents installed. No changes to your infrastructure. The full process takes one to two hours.
No cost. No commitment. No installation.
Request your free assessment at adscanpro.com/pov
Verified sources:
- IBM Cost of a Data Breach Report 2024 — https://www.ibm.com/reports/data-breach (global average $4.88M)
- Sophos Active Adversary Report 2025 — median dwell time 4 days in ransomware cases
- Regulation (EU) 2022/2554 (DORA) — Art. 9 and Art. 13 — in force since January 2025
- Directive (EU) 2022/2555 (NIS2) — Art. 21 and Art. 34 — fines up to €10M or 2% global turnover
- ISO/IEC 27001:2022 — Control A.8.8 (management of technical vulnerabilities)
- LockBit 5.0 / Cegasa Energía — EscudoDigital, April 2026