Resilience and security can be difficult to define and can mean many things to many people. In general, resilience may be defined as the ability to prepare and plan for, absorb, recover from, and more successfully adapt to actual or potential adverse events. Different aspects of systems resilience and security have been published setting the stage for implementation; however, a clear business case for resilience and security is lacking. Resilience and security require on-going effort and represents more a way of thinking than the application of a specific tool or technique. Within the leadership and senior management of a State Department of Transportation (SDOT) the subject of resilience is especially important, but like communications it is very easy to discuss but very difficult to effectively implement. In an era of shrinking budgets and pressures to reduce headcount each investment of scarce resources must be justified on a return-on-investment basis. Thus, the business case for resilience and must be made. Fortunately, resilience is a process that is entirely scalable and includes both long-range and intermediate planning. It is applied enterprise-wide and within individual business areas. The purpose of this paper is to discuss a process for development of a business case for resilience in infrastructure and continuity of critical function. Risk analysis, identification of resources, and mainstreaming (implementation) techniques are included.