Explaining infrastructure investments to non-technical stakeholders is an art. Here's how to communicate the value of Azure Application Gateway and WAF in business terms.
What Problem Does It Solve?
Without Application Gateway/WAF:
- Web applications exposed directly to the internet
- No protection against common attacks (SQL injection, XSS)
- Single point of failure for web traffic
- No insight into attack attempts
With Application Gateway/WAF:
- Centralised security inspection for all web traffic
- Automatic blocking of known attack patterns
- High availability and load balancing
- Visibility into threats and traffic patterns
The Risk Equation
Frame it in terms of risk mitigation:
Data Breach Costs
- Average UK data breach: £3.4 million (IBM Cost of a Data Breach 2024)
- Application-level attacks account for 35% of breaches
- WAF blocks 95%+ of common attack patterns
Downtime Costs
- Average cost of IT downtime: £4,500-£5,600 per minute for enterprises
- Application Gateway provides automatic failover
- 99.95% SLA compared to single VM deployments
Compliance Requirements
- PCI DSS requires WAF for card payment applications
- GDPR mandates "appropriate technical measures"
- Cyber Essentials Plus expects perimeter protection
The Investment
Typical costs for a mid-size deployment:
| Component | Monthly Cost |
|---|---|
| Application Gateway WAF_v2 | ~£250-400 |
| Data processing (1TB/month) | ~£50-100 |
| Total | ~£300-500/month |
Compare this to:
- One security consultant day: £800-1,500
- Penetration test: £5,000-15,000
- Incident response retainer: £2,000-5,000/month
- Data breach notification costs: £50,000+
Key Messages for Executives
For the CFO
"We're spending £400/month to reduce our risk of a £3 million data breach by protecting our web applications with the same technology used by Fortune 500 companies."
For the CEO
"This gives us confidence to tell customers and partners that we take security seriously, with enterprise-grade protection for our web presence."
For the Board
"Our cyber insurance premiums may reduce, and we're better positioned for compliance certifications that customers are increasingly requiring."
Concrete Benefits
Security Benefits
- Blocks OWASP Top 10 vulnerabilities automatically
- Protection against bot attacks and scraping
- Rate limiting prevents DDoS attacks
- SSL/TLS termination with modern cipher suites
Operational Benefits
- Centralised SSL certificate management
- Health monitoring of backend servers
- Automatic failover when servers become unhealthy
- Detailed logging for troubleshooting
Business Benefits
- Faster time to market (security built in)
- Reduced security review time for new applications
- Audit evidence for compliance requirements
- Customer confidence through security posture
Visualising the Architecture
            Internet
                │
                ▼
        ┌───────────────┐
        │   Azure WAF   │  ← Blocks attacks here
        │ (App Gateway) │
        └───────┬───────┘
                │
        ┌───────┴───────┐
        ▼               ▼
    ┌───────┐       ┌───────┐
    │  Web  │       │  Web  │  ← Multiple servers for reliability
    │ App 1 │       │ App 2 │
    └───────┘       └───────┘
Metrics That Matter
Track these to demonstrate value:
- Blocked attacks per month - Shows active protection
- Availability percentage - Compare before/after
- Mean time to detection - Faster with WAF logs
- Compliance checkboxes - Count satisfied requirements
Common Objections
"We've never been attacked"
"That we know of. With WAF logging, we'll actually see what's hitting us. Many organisations are surprised by the volume of automated attacks."
"It's expensive"
"It's less than one security consultant day per month, protecting all our web applications 24/7/365."
"Our developers handle security"
"WAF is a safety net. Even with secure code, vulnerabilities get discovered after deployment. This provides protection while patches are developed."
Need help building the business case for security investments? Get in touch - we help organisations communicate technical value to stakeholders.