How To Quantify & Assess The Financial Impact of Business Closures on Your Bottom Line

The unfortunate reality for businesses of all sizes right now is spontaneous business closures (or deciding whether now is the time to reopen your business!)

And with COVID-19 outbreaks at your physical locations potentially meaning mandatory lockdowns, as well as the decision of whether to re-open at all, it’s important to know the figures and what it could cost you.

We wanted to share how you can use Boardish to quantify into hard numbers what this means for your business.

  • Is it more cost-effective to keep your physical locations closed rather than adopt new procedures?
  • What is the real ‘solution’ cost of implementations? (including the cost of your expert’s hours and time)
  • What is the sales loss for your business closure?
  • What is the regulation impact for remaining closed? (and does this pose a higher risk to you?)

With Boardish you can compare the cost of a closure to your business and the full solution cost to your turnover so that you can decide which areas of the business are still viable. PLUS make a quick decision with all the numbers once you’ve run your simulations.

Once you’ve input your company information you can run several simulations on different scenarios so you can see the full picture quickly, and then use this information to get a fast decision from the board or decision-makers.

Boardish will give you a snapshot of the information you need on the company right now, and you have complete manual control over the efficiency of your solutions, so you don’t have to consider AI learning time or integration into your systems!

The Boardish Web App is ready to go right now, and you can do all this in the FREE Boardish Basic Tier! 

Take a look at our video above where it runs through the exact process. So you can quantify exactly what you need right now! 


How to Show IT Budget as a Percentage of Revenue To Communicate To Decision-Makers

Showing IT budget as a percentage of revenue helps show IT and cyber threats and solutions in a business context, and more importantly, in a setting and language of the board level. This makes it easier to understand the value of IT operations and how they benefit or affect the bottom line. 

When the board understands the role of IT operations in the overall revenue stream, it is more likely you will get your IT budget approved. But how can you go about showing the budget like this? 

First you need the right data

IT budget approvals require some cold hard figures for things that are not easily quantified, such as various risks. While the IT department can deal with low, medium, and high risks, these don’t make much sense to the board. 

You will need several sets of data points before you can get financial figures. 

  1. You need to know your risks – these can be determined via a risk assessment
  2. You need to know the solutions – for each risk, you must know which solution you’d like to implement so you can propose it and have it approved 
  3. You need to know the business revenue – knowing revenue figures is necessary so you can create a comparison (before solution is implemented vs. after implementation) 

You also need the right toolkit

With all the risks determined and solutions chosen, you can now use Boardish to help you quantify the threats and risks. With Boardish, you can also put numbers on the cost of the solution and present it as an average IT budget percentage of revenue. 

This way, the board can see that the IT spending is a much smaller chunk than paying the aftermath of a threat that wasn’t covered well. 

It’s a very straightforward process that doesn’t require any type of implementation into your systems or access to your data centres. It works independently – all you do is input the data it needs to give you the figures you’re after. You will need: 

#1 A few details on your company

You’ll need to input things like the name of your company, number of employees, country, currency, and annual turnover rates. 

As for employees, you will give detailed figures based on how much they rely on technology. Finally, you’ll need to give some salary information, including average salary for different categories. 

#2 Input of threats

Add all the threats that you wish to showcase. During IT budget approvals, presenting the impact of threats is what matters most. 

In this step, you will input how high the risk is, how many turnover days and sales you expect, and how it affects employees. 

#3 Solution input

Next, you’ll add the cost of the solution (either as a one-time payment and/or cost per year). You’ll be able to quantify full solution costs including experts at every stage later in the process.  

#4 The threat protection factor 

This is how successful your solutions are in handling the threats, and it is one of the unique elements of Boardish. Usually you can get the factor from your initial risk assessment or your own experience. It’s completely manual in Boardish because some things, like risk, shouldn’t be left to AI. You can quantify effectiveness in both the cloud and on-prem.

#5 Expert cost 

Here you can put in all the costs associated with implementing solutions and dealing with threats. You can put in hourly rates and the number of hours you expect your IT team will need for it. 

#6 Regulation impact for each threat

Finally, you can add the risk of additional fines for breaching important security regulations such as GDPR. 

Boardish will use all of the above data points and turn them into a financial figure that you can present as a percentage of revenue to help get IT budget approvals.

Try Boardish for yourself for free up to 3 threats and solutions here: https://app.boardish.io/

Learn more about Boardish: https://www.boardish.io/


Why Small and Medium-Sized Organizations Are Struggling More With IT & Cyber Budgeting Than Enterprises

There is a very obvious trend that we see in our BOARDISH ecosystem from speaking with our clients and business partners:

Small and Medium-size companies are “struggling” much more during the IT & Cyber budget approval process.

For small & medium size organizations, we see the following recurring feedback during IT & Cyber budgets:

  • The length of the budget approval process is between 3-4 times longer on average than in larger organizations.
  • There is not a clear owner for this process. Sometimes it comes from the CTO, CIO, IT Manager, CISO, and in some cases, the process is pushed from the CFO.
  • The “budget process” is deemed, and I am quoting, “extremely complicated”.

In bigger organizations, we still hear feedback about “complexity” and “Length of process” but in reality, the actual process is much more clear and the length of the process is shorter.

We wanted to find a clear causality for this difference. Initially we thought that larger organizations have more moving parts and more roles so the process must be more complex but in reality the process is structured much better in larger organisations with clear role designation.

We have spoken with many clients and also with our business partners and we are confident that we found that causality.

The most impactful differentiator is the use of “Risk Professionals”.

  • Large organizations understand that you can’t budget effectively or get approval from decision-makers without incorporating ‘risk and risk quantification’ into the IT & Cyber budgeting equation. You need to prove the ‘why’ of solutions and what financial impact on the company you are preventing with these costs.
  • Large organizations have much better ACCESS to Risk Professionals and many even have internal roles including CIRO, or ongoing consultants and consultancy retainers. They also have access to enterprise-level resources and tools to help them with risk, and finding solutions.

But …. what makes Risk Professionals so efficient in the Budgeting process?

Risk Professionals are EXPECTED by the management to be the “Translator between IT & Cyber to Decision Making language”, this is the first CRITICAL step in joining IT & Cyber with the Board so they speak the same language.

It is clear that in most organizations IT & Cyber do not talk the same language as the Decision Makers ( Board & C-suite etc.) and without bridging this gap – the budget process is very messy.

When Risk Professionals are involved in the IT & Cyber budget process we see the following advantages:

  • Much clearer responsibilities are laid out in “who should do what” in the Budget process.
  • Budget requests are combined and presented with the Risk factor of the threats you are trying to mitigate.
  • The entire process becomes less “Messy” because usually, Risk Professionals are very efficient in “structuring” the entire process and manage the process much more efficiently. Many of the Risk Professionals also use Risk Management tools which help even more.

Is “Showing Risk” enough to get quick decision making?

No.

It’s about HOW MUCH money that risk is going to cost the company. That’s what the board and C-suite are basing their decisions on. Risk and money.

Which is why Risk Quantification is a mandatory piece of the puzzle for getting quick budget approvals!

With Boardish we have noticed that Risk Professionals are the most efficient adaptors of the Boardish methodology and application needing barely any ‘onboarding resources.’ They just get it, because they are already battling risk quantification and expected by management to clearly help with decision-making.

So what is our advice for Small and Medium organizations?

Use Risk and quantification in your IT & Cyber Budget process

  • Even a basic 4-5 days of Risk consulting will usually get you the required structure you need to set you on the track to do it yourself.
  • Work with Risk Professionals who already use Risk Management tools that would likely be too costly for a small organization to purchase itself!

Want to get started yourself?

Here is a diagram we’ve created alongside our business partner 360inControl® for a complete step by step process.

You can also sign up to Boardish Basic (completely free HERE) to introduce you to the terminology, and methodology you’ll need for Risk Quantification and quicker budget approvals.

Eli Migdal – Co-Founder of Boardish


360inControl® Risk Matrix & Boardish Align For Seamless Remediation to Financial Decision-Making Process

For several weeks now, all forms of activities around the world have been severely affected by COVID-19. In this period of inertia, some companies have seized the opportunity to make the most out of it. 

With this in mind, the past few weeks have been busy for us here at Boardish as well as our partners at 360inControl® who have been working behind the scenes to improve our joint offering.  

Whilst Boardish helps quantify risk into financial impact figures for decision-making, 360inControl® is a leading corporate governance risk and compliance management organisation that helps you manage and assess the risk in your business first.  

As partners, we provide the whole step by step process for remediation through to approval, but our partnership has just gotten more exciting!  

360inControl® Are Aligning Standard Risk Matrix With Boardish  

What does this mean for CISOs?  

That’s the exciting part. CISOs can use the full range of 360inControl®’s tenant and then easily transfer their reporting into Boardish to quickly quantify into financial figures independently. 360inControl® now offers default values for Risk Levels, Likelihood, and Impact Magnitude which align with the Boardish methodology and make it easier to assess and quantify risk.  

This unprecedented move has also taken us one step closer to a joint API to provide the ultimate powerhouse of services to CISOs. 

This stands out to help all of our clients and users create a comprehensive inventory of their data, classify it and evaluate the existing risk levels. Covering every aspect of risk awareness and discovery to effective and clear communication with the company’s board. This clears the path for accelerating all forms of approval quickly! 

If you want to read more about 360inControl®’s new risk matrix and how it aligns with Boardish, take a look at their documentation here: https://360incontrol.com/wp-content/uploads/2020/05/360inControl-Default-Risk-Matrix-V-1.41.pdf 


Vulnerability Assessment Best Practices – How To Be One Step Ahead of Attackers (From Identification To Budget approval)

This post was written by our founder and first appeared on Linkedin here

The classic vulnerability assessment process doesn’t work! It’s just too slow.

By the time you’ve finished your patching and remediation 6 – 12 months have passed and you are again one step behind the bad guys.

I wanted to show you how you can make your vulnerability assessment process work. By being efficient and quick enough!


Phase 1: Streamline Your Processes

  • Identification
  • Analysis
  • Risk Assessment
  • Remediation

In order to be efficient and be quick enough, use technological platforms that streamline the entire process. When the process is clear and has a defined structure and roles, it will go much quicker without the usual delays.

At Boardish, we recommend using our business partners 360inControl® for phase 1 of the process.

Phase 2: Planning Necessary Resources

This is where many companies get it wrong, the vulnerability assessment process MUST include the resources you need to resolve the issues you find. To be able to deliver the remediation part, in most cases you WILL find issues to solve and you must be ready with solutions, as part of your methodology and process.

  • Solutions – Software & Hardware
  • Expert Costs – The People you need to deploy and maintain your solutions

Then QUANTIFY the solutions and expert costs. This is what is currently missing from a lot of processes. It’s not about risk score, that’s no longer good enough. It’s risk quantification!

Phase 3: Taking It To Decision-makers

Once you know which solutions you need and how many human resources are required – you can take the info to your decision-makers and get it approved (and then deployed.)

This is where the Boardish Methodology and algorithm do their magic – our tool quantifies the information gathered from the vulnerability assessment process into financial figures with which the decision-makers can make quick and efficient decisions.

To sum it up:

  1. The classic way of doing vulnerability assessment does not work because it’s too slow, too much time from process start to completion to actually be effective and responsive to real threats.
  2. Use technological tools, proven methodologies, and frameworks to make the process clear, efficient and quick.
  3. Quantify into clear financial figures to give your decision-makers all the info they need to make quick decisions.

Thank you,

Eli Migdal – the Founder of Boardish.


Updating Your DR/BCP with Quantifiable Figures For Covid-19 (For FREE With Boardish)

*Written by co-founder Eli Migdal, and first appeared on his personal Linkedin here

Covid-19 is forcing many companies to re-evaluate their Disaster Recovery (DR) and Business Continuity Plans (BCP).

Previously DR and BCP were mostly focused around natural disasters like earthquakes, floods, and in some cases like my home country of Israel, rocket fires or a state of war.

Until now, the solution for most disaster recovery scenarios was a ‘remote site’, whose size usually depended on the size and requirements of the company.

I have personally designed and had the unique experience of testing real-life BCP plans that provided a solution for “Rocket Fire/State of War” which required the critical people of the organization to fully work from a remote site and in one scenario even focus the core of business to another country!

But, with Covid-19 it is different, it has several new vectors that need to be updated in your DR / BCP!

  1. Social Distancing – The instruction not to gather groups of people in one location means that “remote sites” is not a viable solution. Regardless of the site location, you can’t go to work.
  2. Global Impact – Most DR scenarios are focused around a region or, worst case, a country. But in this case, the impact is global so not only will shifting your key person to another country not work, but you may also have to adjust your operations across multiple countries at once.
  3. Lack of Preparation – Working from home became one of the only solutions but it also brought up several challenges. Things like poor security, home grade networking equipment not “cutting it”, home grade bandwidth not being sufficient.

So these new risk factors/vectors need to be included in our Disaster Recovery, and Business Continuity Plans. We need to quantify them so we can actually make a decision based on the financial impact they will cause.

Using the free version of Boardish (boardish.io) you are able to quantify the exact metric for each threat, and the impact of that on your business.

For example, using the “Main site is not accessible” threat. What are the questions you should ask yourself when quantifying?

  1. What is the chance of losing market positioning?
  2. How many turnover days will you lose? (and what percentage of the productivity is lost. For example, will you lose 100% turnover or will you have some operations at 60% for example).
  3. And how many workdays are lost for each type of employee? That depends on whether they are highly reliant on technology or not*.

*An important note: a threat like “main site not being accessible” has a very unique characterization to it. The “Low impact users” ( those who are less reliant on technology ) will be affected in higher quantities. For example, your high impact users (high technological reliance) will have a laptop or VPN so the threat impact is ‘low’ but your ‘low impact user’ (low technological reliance) will be impacted more because there is no technological solution for them so they will lose more workdays.

(This is the exact opposite from quantifying the Ransomware threat because the users who are heavily reliant on technology will be impacted the most)

Then select your Solutions, for example below:

Set the efficiency of the solution against the threat, for example below:

Define how many human resources do you need for each Solution:

Define the regulation impact ( usually very low or none in this scenario ) and get your dashboard. Using this info will make it very EASY to quantify your DR / BCP plan and get it approved quickly by decision-makers.
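The quantification questions above (turnover days lost at a productivity percentage, workdays lost per employee category, regulation impact, solution efficiency and human resources) are the same inputs the IT-budget post lists in steps #1 to #6. The following is an added illustration of how such inputs can be turned into financial figures and a budget-as-percentage-of-revenue number; it is a simplified model written for this page, not the Boardish algorithm, which the posts do not publish. The company, the two threats, the solution and the 250 working days per year are all constructed sample values. It also shows the inversion described above: the "main site not accessible" threat costs more in the low-reliance category, while ransomware costs more in the high-reliance category.

```python
"""Simplified threat/solution quantification model (added illustration, not
the Boardish algorithm). All figures are constructed sample values."""
from dataclasses import dataclass

WORKDAYS_PER_YEAR = 250  # assumption used to convert annual figures to daily ones


@dataclass
class Company:
    annual_turnover: float   # revenue per year
    headcount: dict          # employee category -> number of employees
    avg_salary: dict         # employee category -> average annual salary


@dataclass
class Threat:
    name: str
    probability: float       # chance the threat materialises this year (0..1)
    turnover_days_lost: float
    productivity_loss: float  # fraction of turnover lost on those days (1.0 = fully down)
    workdays_lost: dict      # category -> workdays lost per employee
    market_loss: float       # loss of market positioning, in currency
    regulation_fine: float   # fine if the threat materialises (e.g. GDPR)


@dataclass
class Solution:
    name: str
    one_time_cost: float
    yearly_cost: float
    protection_factor: float  # fraction of the threat impact the solution removes (0..1)
    implementation_hours: float
    yearly_support_hours: float
    hourly_rate: float        # expert cost per hour


def salary_loss_by_category(company, threat):
    """Salary paid for workdays on which employees could not work, per category."""
    out = {}
    for cat, days in threat.workdays_lost.items():
        daily_salary = company.avg_salary[cat] / WORKDAYS_PER_YEAR
        out[cat] = daily_salary * days * company.headcount[cat]
    return out


def threat_cost_breakdown(company, threat):
    """Full cost of one occurrence, split by the vectors the posts list."""
    daily_turnover = company.annual_turnover / WORKDAYS_PER_YEAR
    return {
        "sales_loss": daily_turnover * threat.turnover_days_lost * threat.productivity_loss,
        "salary_loss": sum(salary_loss_by_category(company, threat).values()),
        "market_loss": threat.market_loss,
        "regulation_loss": threat.regulation_fine,
    }


def expected_threat_cost(company, threat):
    """Annualised cost: full cost of an occurrence weighted by its probability."""
    return sum(threat_cost_breakdown(company, threat).values()) * threat.probability


def total_solution_cost(solution, years=1):
    """Licence/hardware cost plus implementation and ongoing expert labour."""
    labour_hours = solution.implementation_hours + solution.yearly_support_hours * years
    return solution.one_time_cost + solution.yearly_cost * years + labour_hours * solution.hourly_rate


def budget_pct_of_revenue(company, solution, years=1):
    return 100.0 * total_solution_cost(solution, years) / (company.annual_turnover * years)


def compare(company, threat, solution):
    """Before-vs-after comparison a board can read: what the threat costs now, what it
    costs with the solution in place (residual risk plus the solution itself)."""
    before = expected_threat_cost(company, threat)
    residual = before * (1.0 - solution.protection_factor)
    after = residual + total_solution_cost(solution)
    return {"before": before, "after": after, "saving": before - after,
            "budget_pct_of_revenue": budget_pct_of_revenue(company, solution)}


# --- constructed sample data ---------------------------------------------
COMPANY = Company(annual_turnover=10_000_000,
                  headcount={"high": 40, "low": 60},          # tech reliance categories
                  avg_salary={"high": 60_000, "low": 30_000})

# low-reliance users lose more workdays when the site is inaccessible
MAIN_SITE_DOWN = Threat("Main site is not accessible", probability=0.5,
                        turnover_days_lost=10, productivity_loss=0.4,
                        workdays_lost={"high": 1, "low": 5}, market_loss=0, regulation_fine=0)

# the opposite pattern for ransomware: high-reliance users lose the most
RANSOMWARE = Threat("Ransomware", probability=0.2, turnover_days_lost=5, productivity_loss=1.0,
                    workdays_lost={"high": 5, "low": 1}, market_loss=100_000, regulation_fine=50_000)

VPN_LAPTOPS = Solution("Laptops + VPN for low-reliance users", one_time_cost=30_000, yearly_cost=6_000,
                       protection_factor=0.75, implementation_hours=60, yearly_support_hours=24,
                       hourly_rate=100)

if __name__ == "__main__":
    for t in (MAIN_SITE_DOWN, RANSOMWARE):
        print(t.name, threat_cost_breakdown(COMPANY, t), salary_loss_by_category(COMPANY, t))
    print(compare(COMPANY, MAIN_SITE_DOWN, VPN_LAPTOPS))
```

Running it shows the main-site threat at an expected 102,800 per year with the salary loss concentrated in the "low" category, ransomware at 81,040 with the salary loss concentrated in the "high" category, and the sample solution costing 44,400 (0.444% of revenue) while reducing the main-site threat enough to save 32,700 net in the first year. Change the protection factor or the expert hours and the same comparison tells you when a solution stops being cost-effective.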

Try Boardish for free here: https://boardish.io/

Best,

Eli Migdal – the Founder of Boardish.


IT & Cyber Essentials For Working Remotely

*This post is written by our co-founder and originally posted on LinkedIn here

Allowing remote working is one of the biggest requirements in the IT & cyber world right now.

Our March 2020 Boardish Analytics report (https://boardish.io/monthly-analytical-cyber-reports) shows us that “Immobility” has the highest increase of all threat counts for this month, with an increase of 42%.

We decided to share some of the basic essentials to allow remote working in a secure way:

IAM Solutions ( Identity Access Management ):

Mainly when working on Cloud Solutions / SaaS – enabling IAM features will make a huge difference between working remotely and working remotely in a secure way.

  • Enable MFA – Multi-Factor Authentication (if you haven’t done so yet – no excuses – your identity WILL BE HACKED )
  • Use Geographical limitations – enable login only for locations in which you have a “logic” / “need” to work from.
  • Connect DEVICE to a USER – make the connection between the device and the user – when doing this you can even enable some access from BYOD devices if you can verify they have the basic required level of security.
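The three IAM controls above (MFA, geographical limitation, device bound to user with a posture bar for BYOD) are what a conditional-access policy evaluates on every login. Below is an added example of that evaluation, written for this page and not a Boardish or any vendor's feature; the allowed countries, the BYOD posture requirements, the device registry and the login events are constructed samples. Every failing control is reported rather than only the first, so the same output can feed a SOC alert as well as the allow/deny decision.

```python
"""Illustrative conditional-access check for remote logins (added example; all
policy values, devices and events are constructed)."""
from dataclasses import dataclass

ALLOWED_COUNTRIES = {"GB", "IL"}  # assumption: locations with a business need to work from
# assumption: minimum posture a personal (BYOD) device must prove before it gets access
MIN_BYOD_POSTURE = {"disk_encrypted", "os_patched", "av_running"}

# constructed device registry: device id -> (bound user, company-managed?, posture claims)
DEVICES = {
    "corp-lt-001": ("alice", True, {"disk_encrypted", "os_patched", "av_running"}),
    "byod-ph-417": ("bob", False, {"disk_encrypted", "os_patched", "av_running"}),
    "byod-lt-209": ("carol", False, {"os_patched"}),
}


@dataclass
class LoginEvent:
    user: str
    country: str      # geolocation of the source address, as reported by the IdP
    mfa_passed: bool  # second factor completed for this session
    device_id: str    # identifier presented by the device


def evaluate(event):
    """Return (allowed, reasons). reasons lists every control that failed."""
    reasons = []
    if not event.mfa_passed:
        reasons.append("mfa_required")
    if event.country not in ALLOWED_COUNTRIES:
        reasons.append("country_not_allowed:" + event.country)
    device = DEVICES.get(event.device_id)
    if device is None:
        reasons.append("unknown_device")
    else:
        owner, managed, posture = device
        if owner != event.user:
            reasons.append("device_not_bound_to_user")
        # managed devices are trusted by enrolment; BYOD must prove the minimum posture
        if not managed and not MIN_BYOD_POSTURE <= posture:
            missing = ",".join(sorted(MIN_BYOD_POSTURE - posture))
            reasons.append("byod_posture_insufficient:" + missing)
    return (not reasons, reasons)


# constructed login events covering the allowed and each denied case
SAMPLE_EVENTS = [
    LoginEvent("alice", "GB", True, "corp-lt-001"),    # managed device, MFA, allowed country
    LoginEvent("bob", "IL", True, "byod-ph-417"),      # BYOD that meets the posture bar
    LoginEvent("carol", "GB", True, "byod-lt-209"),    # BYOD missing encryption and AV
    LoginEvent("alice", "BR", False, "corp-lt-001"),   # no MFA and from an unexpected country
    LoginEvent("mallory", "GB", True, "corp-lt-001"),  # valid device, but not bound to this user
    LoginEvent("bob", "IL", True, "unknown-99"),       # device never registered
]


def evaluate_all(events):
    return [(e.user, e.device_id) + evaluate(e) for e in events]


if __name__ == "__main__":
    for row in evaluate_all(SAMPLE_EVENTS):
        print(row)
```

The "device bound to user" check is the one most often skipped: without it, a stolen or shared device with a valid enrolment lets any credential holder through, and with it a BYOD device can still be admitted once it proves the posture you set.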

Video Conferencing:

Our March report has also shown us a HUGE spike of 371% in “Video Conferencing” as a solution for most ‘immobility’ threats.

* Note: Before the Coronavirus outbreak – Video Conferencing wasn’t considered a “solution” for IT & Cyber Threats.

Video Conferencing solutions are one of the easiest ways of mitigating the current risk and enable business continuity, both internally and with your clients.

Note: that many of Video Conferencing vendors (Like Microsoft with TEAMS ) are offering free tiers for this Coronavirus period.

VoIP solutions:

Most of the “last-gen” phone solutions support VoIP connections, either via applications or devices; it’s now easier than ever to get your phone extension in any location, including your home if required.

Secure Internet Connection:

This is something that is overlooked in many cases when working from home: in most cases, your home router is not stable enough, nor is it secure enough.

We recommend using business-grade routers for your critical employees that are part of your business continuity program, this will make a huge difference both on the stability of the connection and of course securing the connection from unwanted listeners.

VDI & Terminal Server solutions:

In my professional opinion, this is still one of the best ways to allow access to your sensitive programs in a secured and controlled environment, even if you are connecting from a BYOD device.

The ability to isolate specific software for specific users, and the combination of VDI solutions with IAM, makes it one of the best possible remote working solutions.

Even a basic terminal server with a locked-down GPO will provide a much more secure environment than working directly on your BYOD computer and more functionality in some cases than your laptop via remote connection.

Cloud Security:

Cloud solutions like file-sharing platforms and online email platforms make the perfect “work everywhere” solution; the productivity factor is huge.

The same solution requires additional security, mostly to make sure you can differentiate sensitive information from non-sensitive, as well as to enforce that only authorized sharing of data will occur.

We see in our Boardish ecosystem that most companies that use Cloud Security combine it with their IAM to achieve user & data visibility and enforcement.

We highly recommend having visibility of, and the ability to enforce, your users’ (remote and local) cloud activity.

How can you quantify these solutions’ ROI? – use the Boardish Methodology; below is a sample dashboard we made.

Immobility is a quantifiable threat.

Quantify it and you’re much more likely to get fast approval for solutions. (The free version of Boardish is all that you need for this scenario.)

– Eli Migdal – the Founder of Boardish


Cyber Security in 2020 – How To Move Quickly and Efficiently Enough to Keep Up With The Threats

*This post originally appeared on Linkedin here

One of the biggest issues in cyber security is being able to move fast enough to keep up with the speed of emerging threats.

Usually, the bigger your organisation is – the harder it is to move fast.

Here are some best practices from my professional experience:

#1 Identifying a threat:

We need to be CONSTANTLY aware, proactively searching for threats, not waiting for them to happen.

Currently, there are so many data sources, whether it’s groups, blogs, publications or even vendors themselves. So use them. You need to be able to react quickly if you spot a CVE or an exploit that has a high impact on your type of systems.

How to stay ahead:

  1. I recommend reviewing, at least several times a week, both the blogs/groups and all official sources for CVEs. Or even set up alerts for when your specific systems or vendors are mentioned.
  2. I personally subscribe to most Cyber Security groups and most big vendors that my systems run on. That way I catch the info from the “researcher” aspect and from the vendor directly.
  3. I also recommend reviewing some dark web forums, searching for issues that have a direct impact on your systems. (of course, use caution and stay legal.)

Note: If you come across many blogs on the dark web about an exploit, but there’s no official CVE post … it’s very likely that it means they haven’t caught up yet and you should investigate anyway. Unfortunately, reality shows that you need to “trust” the bad guys more than the vendor on exploits.
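One way to set up the alerts described above, written as an added example for this page rather than a tool the post uses: records from official advisory sources and from community sources are matched against your own inventory of vendors and products, and a separate "unconfirmed" alert is raised when community posts about a product accumulate before any official advisory names it, which is exactly the situation the note describes. The inventory, the feed records and the chatter threshold are constructed; the CVE ids are placeholders, not real entries.

```python
"""Illustrative inventory-matching filter over threat-intelligence records
(added example; feed, inventory and ids are constructed placeholders)."""
import re
from collections import defaultdict

# constructed inventory: vendor -> products you run
INVENTORY = {"examplevendor": ["examplevpn", "examplemail"], "othervendor": ["otherfirewall"]}
# assumption: this many distinct community posts with no official advisory warrants a look
CHATTER_THRESHOLD = 2

# constructed feed records; "official" marks vendor advisories and CVE databases
FEED = [
    {"source": "vendor-advisory", "official": True, "ref": "CVE-0000-00001",
     "text": "ExampleVPN 5.x pre-auth issue fixed in 5.4.2"},
    {"source": "forum-a", "official": False, "ref": "post-1",
     "text": "anyone seen the examplemail auth bypass being discussed?"},
    {"source": "forum-b", "official": False, "ref": "post-2",
     "text": "ExampleMail auth bypass, no CVE yet"},
    {"source": "blog-c", "official": False, "ref": "post-3",
     "text": "unrelated issue in SomethingElse"},
    {"source": "nvd", "official": True, "ref": "CVE-0000-00002",
     "text": "SomethingElse 2.0 denial of service"},
]


def product_patterns(inventory):
    """Whole-word, case-insensitive pattern per (vendor, product) in the inventory."""
    patterns = {}
    for vendor, products in inventory.items():
        for product in products:
            patterns[(vendor, product)] = re.compile(r"\b" + re.escape(product) + r"\b", re.IGNORECASE)
    return patterns


def triage(feed, inventory, threshold=CHATTER_THRESHOLD):
    """Return alerts for inventory products mentioned in the feed.

    level "confirmed": at least one official record names the product.
    level "unconfirmed-chatter": no official record, but >= threshold community posts."""
    patterns = product_patterns(inventory)
    official = defaultdict(list)
    chatter = defaultdict(list)
    for record in feed:
        for key, pattern in patterns.items():
            if pattern.search(record["text"]):
                bucket = official if record["official"] else chatter
                bucket[key].append(record["ref"])
    alerts = []
    for key in patterns:  # iterate the inventory so silent products are simply absent
        if official[key]:
            alerts.append({"product": key, "level": "confirmed",
                           "refs": official[key] + chatter[key]})
        elif len(set(chatter[key])) >= threshold:
            alerts.append({"product": key, "level": "unconfirmed-chatter",
                           "refs": chatter[key]})
    return alerts


if __name__ == "__main__":
    for alert in triage(FEED, INVENTORY):
        print(alert)
```

On the constructed feed this yields one confirmed alert for the VPN product and one unconfirmed alert for the mail product, which has two community posts and no advisory; the firewall product, mentioned nowhere, produces nothing. In practice the matching should also cover vendor names and version ranges, but the two-level output is the part that lets you act on community chatter before the official catalogue catches up.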

#2 Searching for Solutions:

Vendors. Stay connected to vendors that have already proven themselves and constantly search in blogs/forums/ groups for new vendors that can provide the best solution for your biggest threats.

I don’t think I need to expand more on this. I don’t think it’s challenging to find new solutions, the vendors are working hard enough to ‘put it in front of you’ 🙂 And worst case, a quick search should give you what you need.

#3 Testing solutions:

This is one of the most important elements in the ability to “keep up with the threats” and many companies I have seen aren’t allocating sufficient resources to this. Meaning the ‘shopping for solutions and testing’ process is very long.

Of course, it depends on the size of the company but I think that even a mid-sized company should have 25% of the System Administrator role focused on seeing if solutions meet SPECIFIC threats in YOUR environment. The quicker you can get through this, the quicker you can move onto the next step.

How to stay ahead:

  1. Have a “ready to test” lab in which you can test threats in a sandbox environment that is as similar as possible to your production system. All of this in a fully isolated network and systems, following best practices.
  2. Always do a POC (proof of concept) before rolling out, even on a small scale. The truth is, some vendors “oversell” and some solutions are amazing but just don’t work well on your specific environment.

#4 Build a deployment plan:

After a positive POC, you need to get all of your “players” together and build a specific plan including:

  • IT (Infrastructure & Networking)
  • Cyber Security
  • Compliance

Doing this is far quicker than trying to do it on your own! Let the experts share their expertise.

How to stay ahead:

  1. Quantify how much time and resources you will need to deploy the solution, the impact it will have on production, and the regulation or compliance issues there could potentially be.
  2. Understand exactly how many work hours it will require from each team to be able to move forward quickly, both one time install and ongoing maintenance and support. This saves nasty surprises with budgeting and also management.
  3. Consider if it’s worth outsourcing cyber security to an external company if you have a lack of IT and cyber labour resources inside the company.

#5 Quantifying Threats & Solutions into Financial impact figures:

You know your threat. You know your proposed solution. You know the professional labour required to make it happen.

Now you need to translate this into the language that your Board / decision-makers will understand quickly (and, most importantly, will be able to make a quick decision on).

You need to be able to show:

  • Total threat cost – what is the full, actual “cost” of the threat?
  • A breakdown of the threat cost by different vectors like the Market Loss, Regulation Loss, Sales Loss, and Salary loss
  • Your TOTAL solution cost (solution cost (one-time and yearly) + implementation labour costs + ongoing support labour costs)

How to stay ahead:

  1. Boardish simplifies this process immensely by translating all of this information into a “ready to use” dashboard for your board/decision-makers, allowing them to make a QUICK decision.


#6 Presenting your request to the Board / Decision-makers:

I have seen, in my experience, how companies HAVE EVERYTHING READY and could be waiting 6 months for the board/decision-makers to approve their proposal… and during those 6 months a breach/hack will happen ( I’ve seen it many times). And the cycle just repeats.

In 2020 we really don’t have the prerogative to “wait” – the bad guys are not waiting – neither can we.

So how do we stay ahead?

This is the Easiest part!!!

  1. Present the information in their way of thinking – in mitigation, financial impact, and business terms.
  2. Show ACTUAL figures. Quantify the costs of the risk, quantify the impact. That will help them make the decision faster.
  3. Be prepared to run simulations and adjustments for different scenarios, filtering by the information the board wants to see.

If you follow the above, you’ll see that in most cases (especially in 2019-2020) the board will understand the need to act. And will do it quickly.

Don’t forget Boardish is moving from BETA to Production, so sign up before the 27th Jan to get 6 months of premium features for free!

Eli Migdal – Founder of Boardish


Why Is There a Disconnect Between IT Professionals and the Board?

At the core of the disconnect between IT professionals and the board is a difference in language. On the cyber and IT side, discourse centres on security, regulations, and innovation. From the board, there’s more of an emphasis on finance, metrics, and business performance.

Ultimately, both sides are interested in mitigating risk. The IT side is more focused on threats from malware, ransomware, and data breaches, while the board is primarily concerned with risks to the core business, its ability to continue trading, and shareholders.

At face value, having a universal interest in minimising risk should facilitate mutual understanding. However, in practice, both parties can find difficulty in understanding the other’s perspective. For example, if an IT manager asks the board to approve new software designed to reduce the risk of a ransomware attack, the board might not be able to immediately visualise the risk to the company.

While they understand that there is a risk, its relation to other risks faced by the business is not clear – there are various degrees of risk in different situations. It’s on the IT department, therefore, to present their request in a way that’s unambiguous for the board. 

C-Suite Macro Focus

The board tends to take a macro view; that is, a broader perspective of the company. Its main focal points are:

Finance

The board must manage a delicate financial balance at all times. Budget requests that make sense to an IT manager might not fit in with the financial planning of the board, unless they are provided with solid context. 

Remember that the board is responsible for the financial health of the entire company, so they might not be able to immediately visualise the rationale of a request in the same way as an IT manager with intricate knowledge of why it matters. 

Company Performance and Metrics

The board has a broad perspective of the company. In order to help executives understand whether or not whole-company performance is on track and objectives are being met, it must use standardised metrics. 

Unfortunately, metrics don’t always provide a nuanced explanation. For example, a company’s IT department is likely to have a higher budget than other departments. Comparing these departments on one single metric might flag the IT department as a risk in itself, as it appears less efficient than other parts of the company. However, this metric doesn’t take into account the high costs of purchasing, maintaining, and updating equipment and software. It’s why context matters, and the responsibility for providing it falls to department managers.

Shareholders

The board is ultimately responsible to the owners of the company. Depending on the size of the organisation, this might be anything from a single investor to thousands of shareholders. 

Every decision made by the board is accountable. Any decision that negatively impacts the company will need to be justified. That’s why the board performs thorough analysis of every request, to ensure that financial decisions are sound. 

What Does Risk Mean to the Board?

Risk is primarily a financial variable from the board’s perspective. A company cannot operate if it lacks financial viability, which is why numbers are so important to the board. Therefore, budget requests from an IT manager should centre on the financial risk to the company if action isn’t taken, alongside relevant context that’s specific to the department.

IT & Cyber Micro Focus

IT departments take a micro approach; that is, a detailed interest in cyber-specific matters, including:

Technological Threats

It almost goes without saying that an IT department will prioritise technology. It’s a broad concept, and in the modern workplace, cyber professionals will take a keen interest in preventing data breaches and malware attacks. 

It’s by no means a simple task. IT specialists must be one step ahead of potential threats, and taking protective action may be expensive. IT managers don’t make budget requests to the board frivolously; there’s always a reason behind an upgrade. However, this might not be immediately obvious to the board, so it’s imperative to express the risk in terms that are financially focused. 

Regulations

IT departments must comply with all pertinent local and international rules, regulations, and industry standards. Anyone involved in implementing the EU General Data Protection Regulation (GDPR) in 2018 knows that rolling out new procedures can be costly – both in terms of financial investment and human resources. 

However, the costs of regulatory non-compliance are even greater. In the case of GDPR, a fine of €10 million or 2% of global turnover – whichever is higher – applies to breaches; this rises to €20 million or 4% of global turnover in severe cases. 

Illustrative examples like this can be persuasive when making a request to the board. 

Corrective and Preventive Action

Lessons are learned all the time in business. A change of process needn’t be prompted by a catastrophic mistake – best practice can emerge from a variety of sources.

The important thing is to move quickly in response to new information. Taking prompt corrective and preventive action protects the company from financial risk. This is precisely how it should be presented to the board. 

What Does Risk Mean to the IT Department?

Any threat to the technology or network infrastructure is a risk for the IT department. So too is non-compliance with applicable regulations, which can come with heavy penalties. Finance might not be prominent in the minds of IT managers, but awareness when making budget applications is crucial. 

Bridging the Gap

In the past, IT has been seen as a bottomless pit for investment. This opinion is a consequence of incomplete understanding of risk at the executive level, and one of the reasons behind the disconnect between IT professionals and the board. In turn, misunderstanding stems from risk not being adequately quantified and explained by IT managers. Both sides would benefit, therefore, from better information. CTOs and CISOs are vital to managing this exchange of ideas.

It can be difficult to quantify cyber risk into tangible figures and statistics, especially if the adverse event hasn’t happened yet. Using the best data available to explain both the cost of the upgrade and the cost if it isn’t approved makes a request more compelling. For example, a budget of £10,000 for an upgrade might seem steep to the board, but if an IT manager explains that the investment will save £500,000 in the long run, approval is far more likely.

Boardish is a tool that bridges the disconnect between IT professionals and the board. Instead of juggling multiple spreadsheets, the Boardish algorithm quantifies IT risks and solutions from the perspective of financial impact. After entering information about the company, Boardish automatically analyses financial risk and quantifies the mitigating effect of proposed IT solutions. Data is presented in various visual formats, helping the board to make efficient, informed decisions that protect the company from cyber risk. 

Sell Cyber Solutions

Explain why/how your solutions work, to a non-techy audience. 

How to Make Sure the Board Understands Your IT Budget Proposal?

The IT budget proposal process is difficult, and it often seems that the board and IT just don’t speak the same language. 

While you are explaining how encryption tools help reduce risk and control access to sensitive data effectively, the board doesn’t seem that enthusiastic about implementing the new solution, because it would cost more than the current one.

How Can You Help the Board Understand Your IT Budget Proposal? 

By speaking their language, of course. 

When presenting your budget to the board, you must speak in terms they understand – how your IT budget proposal contributes to achieving the company mission. 

This means leaving out all the technical terms and complex technological concepts, and instead focusing on how your proposed solution will achieve their long-term goals faster and more efficiently. 

Everything during your presentation – from the current overview to detected issues and proposed solutions – should be presented in terms of how it’s affecting the company, not just IT. 

If the board can see the benefits clearly – be it in increased revenue, better efficiency, or lower risk – you’ll have a much easier time with getting your budget approved. 

Quantify The Risks The IT Budget Mitigates

For your IT budget proposal to be successful, you must give actual figures and quantify exactly what you need and why.  

Start with your current security posture: present the identified issues, bottlenecks, and risks, but do not simply say they exist or could happen.

Present how likely the risks are to happen, how bottlenecks are affecting efficiency and revenue, and how issues are affecting the customer experience; show real numbers and how much money is lost.

After that, you should present your solutions in terms of in-depth costs of implementation vs. cost of leaving things as they are. 

For example: 

With the growing cybersecurity threats, security and privacy are a pressing concern for many CISOs. Instead of saying the company would face a negative impact from a data breach, be specific. 

The possible damages to the company should be presented in terms of revenue losses, market loss, fines, employee impact, loss of reputation, to name a few; otherwise, the board will assume that you will just lose data. 

By being specific, you can show just how expensive it is to stand still in terms of IT upgrades and how extensive the consequences can be.  
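The approach described above (likelihood of each risk, damage broken into categories, cost of implementation against the cost of leaving things as they are) carried through in code, as an added example that is not Boardish’s own algorithm. The turnover, threats, loss figures and control efficiencies are constructed sample values; the GDPR ceiling follows the two tiers quoted earlier on this page.

```python
"""Board-facing risk figures: expected annual loss per threat, then cost of inaction
vs. each proposed control. Added illustration, not Boardish's own algorithm; every
likelihood, loss and efficiency below is a constructed sample value (EUR)."""
from dataclasses import dataclass

def gdpr_fine_cap(turnover: float, severe: bool) -> float:
    """Statutory GDPR ceiling: the higher of a fixed sum or a share of global
    turnover (EUR 10m / 2% for the lower tier, EUR 20m / 4% for the severe tier)."""
    fixed, pct = (20_000_000, 0.04) if severe else (10_000_000, 0.02)
    return max(fixed, pct * turnover)

@dataclass
class Threat:
    name: str
    annual_likelihood: float   # chance the event occurs in a given year
    losses: dict               # loss category -> amount if it does

    def expected_annual_loss(self) -> float:
        return self.annual_likelihood * sum(self.losses.values())

@dataclass
class Control:
    name: str
    annual_cost: float
    efficiency: dict   # threat name -> fraction of that threat's loss it removes

def evaluate(threats: list, control: Control) -> dict:
    """Compare 'leave things as they are' with one control, in money terms."""
    baseline = sum(t.expected_annual_loss() for t in threats)
    residual = sum(t.expected_annual_loss() * (1 - control.efficiency.get(t.name, 0.0))
                   for t in threats)
    net = (baseline - residual) - control.annual_cost   # avoided loss minus price
    return {"control": control.name, "cost_of_inaction": baseline, "residual_exposure": residual,
            "net_benefit": net, "rosi": net / control.annual_cost}

def rank_controls(threats: list, controls: list) -> list:
    # Controls ordered by net annual benefit, best first: the board's view.
    return sorted((evaluate(threats, c) for c in controls),
                  key=lambda r: r["net_benefit"], reverse=True)

# Constructed sample: EUR 50m turnover, two threats, two candidate controls.
TURNOVER = 50_000_000
THREATS = [Threat("ransomware", 0.20, {"downtime": 400_000, "recovery": 100_000}),
           Threat("data breach", 0.05, {"lost revenue": 1_000_000, "reputation": 1_000_000,
                                        "fine (lower-tier cap)": gdpr_fine_cap(TURNOVER, False)})]
CONTROLS = [Control("Backup + EDR upgrade", 60_000, {"ransomware": 0.8, "data breach": 0.2}),
            Control("Encryption + DLP", 120_000, {"data breach": 0.7})]

if __name__ == "__main__":
    for r in rank_controls(THREATS, CONTROLS):
        print({k: round(v, 2) if isinstance(v, float) else v for k, v in r.items()})
```

With these sample figures the cost of inaction is EUR 700,000 a year; the encryption control removes more of it per euro spent and ranks first, which is the comparison the board needs to see.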

Presentation Matters 

Try making the presentation interactive; run possible scenarios and showcase their impact. Provide visualizations that are easy to see and digest! This will stop decision makers from switching off. 

Tools like Boardish can help you present real numbers, as you can quickly add possible risks and solutions and see how these translate to the company’s bottom line with interactive graphs and charts.

Bridge the Communication Gap

The hardest part of IT budget approval is making sure you and the board speak the same language. Use language they understand. Take their background into account when presenting your case, and explain in terms they use daily. Give them the figures to make an accurate and responsive decision based on actual financial impact, and you’ll have a much easier time getting your IT budget approved.  
