Why ‘Probability’ is a huge landmine in Cyber Security Risk Quantification (+ how to overcome it)



Cyber Risk Quantification is becoming more familiar, and I’m seeing more SMEs, large companies and consultants using quantification methods for their clients. But a lot of them have something in common: they’re working on the Probability & Impact methodology, shown brilliantly in the picture below:

(Cartoon: cyber risk probability. Picture credits – The Cyber Security Hub)

This illustration is one of the best ways to show how probability and impact “go together”, precisely because it’s so clear. But that clarity also blinds cyber professionals to the huge landmine that is “quantifying probability”.

After years of working on quantifying cyber risk into financial figures (from consulting through to the development of Boardish), I believe that in the cyber security realm focusing on probability is a mistake. Allow me to explain:

  1. Cyber security threats evolve MUCH quicker than any past experience you could base a probability on. For example, with ransomware, the attack vector for the ransomware to ‘get into your organization’ is evolving on a DAILY (and sometimes hourly) basis. On day X your probability is low because all of your machines are patched; on day Y a new security flaw in a core system means the probability soars.
  2. Cyber attacks are constantly on the offensive; it’s not a “statistical game” like car accident insurance. Instead, there is a clear ‘business model’ for your attackers to gain access to your systems and cause damage. They are ACTIVELY trying all the time. It’s not a question of “if I will be attacked” but “when”, AND whether a zero-day exploit scenario is going to be used.
  3. You’ll always be wrong when speaking to management. When your management asks “what is the probability” of cyber attack X happening, you will most likely get the answer wrong. It’s a “catch 22” question: you can’t really get it correct because you have no control over the variables, which are constantly changing.

How should I address Probability in Cyber Risk Quantification?

  1. Always assume the worst-case scenario when it comes to probability – that’s the only “not wrong” answer. Your responsibility as a cyber professional is to be able to Identify, Protect, Detect, Respond and Recover (the NIST Framework) ANYTIME, ANYWHERE.
  2. Focus on the financial size of the threat impact – when the probability of the threat is ALWAYS HIGH.
  3. Focus on the efficiency of the solution against the threat – when the probability of the threat is ALWAYS HIGH.

This way the responsibility is on your solutions to protect against the overall threats, rather than asking a thousand ‘what ifs’ to find a solution that may not protect you in the worst case. What would be the point?

So, what’s the alternative to working this out? In Boardish we approach it from a solution perspective and have the TPF (Threat Protection Factor). You can see that we have threats and solutions AND the efficiency of the solutions against the threats.

You can have multiple solution combinations against the threat and, most importantly, you control the efficiency, based on your specific organizational understanding, your experience with the solutions, and your specific environment.

We don’t “play” the “probability” game; it’s always “HIGH”, because this is the one “not wrong” (there is no right) answer. You can wake up to a ransomware attack anytime, anywhere. Don’t make the mistake of telling your management that you can predict the probability; you can’t.

The one thing you can predict is how well solutions can protect against worst case. So use this as your benchmark and you’re a lot closer to being right!

How does the Boardish Framework solve this?

  1. Boardish focuses on the full quantification of the THREAT: Market Loss, Work Days Loss, Sales Loss, and Regulation Loss, combined with “how quickly the company will recover its market position”.
  2. We measure the efficiency of the solution in mitigating the threat, AKA how efficient the solution is against the threat. We do not automate this process: we believe it is different for each organization, and each IT & cyber professional knows, and can decide, based on their specific environment.
  3. The Boardish Methodology helps you to quantify the real and complete solution cost (including IT & cyber labour cost).


The Boardish Methodology gives you a very clear decision-making metric without the “catch 22” of ‘probability’.

Plus, you can try our solution for free yourself without needing integration etc. at www.boardish.io

If you need help, let me know

Eli Migdal – Co-Founder – Boardish.


The 8 Steps I Use To Get (Nearly) All of My IT & Cyber Budgets Approved


*This article was originally published by co-founder Eli Migdal on LinkedIn here.

As a Cyber Security consultant who is also the founder of two IT companies (TowerWatch Tech and Migdal Computing), I usually “get called” when there is a big issue, usually around my area of expertise, which is Data Classification, Encryption, and DLP. (Disclosure: I’m also the co-founder of Boardish.)

So I’ve proposed a lot of IT & Cyber budgets. And the truth is, I pretty much get them all approved.

I rarely fail, and on the rare occasions a budget doesn’t get passed, it’s a matter of the board taking ‘risk ownership’ which is a win in itself and not really a budget approval failure (in my eyes.)

This is not a clickbait article or a way for me to just show off, I want to share the complete steps that get me there every time. My own ‘methodology’.

Step 1 – Gather Initial Information – “Interview the company while they are interviewing you”

  1. What is the reason / business logic / catalyst for this Cyber Security project? – Is it regulations? Is it general Intellectual Property protection? Was the company hacked? What is the “drive” to do “something” with Cyber Security?
  2. How does the company make its revenue? – What are they selling? What is its unique proposition? What is their core business? To quote Steve Zalewski from Levi Strauss & Co: “We sell Jeans! – how are you going to help me sell Jeans?” – Figure it out before you go any further.
  3. Who is the owner of this initiative/project? – Is it IT? Is it Cyber? Is it GRC? Is it you?
  4. Does this project have a “Champion” who is Board Level / C-Suite? – To put it more clearly: “is this a Board Level project” that will be pushed from the top down?

Usually, one of three things happens at this phase:

  • Option 1: You get all the info – Great! – the best option.
  • Option 2: You get some partial info and they start consulting with you regarding “what do you propose”. Great – this is also a good option because it means they want to align themselves and take it to the next level.
  • Option 3: They start pushing back on the “questions” themselves. This is a GREAT SIGN for you to say “Thank you, it was a great call/meeting – but I suggest we end it now. Let’s stay in touch for when you are ready to align with this project methodology and the way I work.”

Step 2 – Gather Specific Company Details – “Hi, I am Eli – now let’s talk about you, I want to hear all the details… “

  1. What is the Turnover of the company?
  2. How many employees are there in total?
  3. How many employees are high/medium/low impacted by technology?
  4. What are the average salaries for high/medium/low impact users? (For this you usually don’t need to ask anyone in the company; you can just google the industry standards or use services like Glassdoor to assess the averages.)
  5. What is the speed of recovery of the company? How many years will it take the company to get back to its previous market position following a technological catastrophe? This is a GREAT question to engage all C-Suite and departments with: “how quickly can your company jump back after the mother of all data breaches?”

This data-gathering phase can go more in-depth and I shared my 5-step framework for CISOs starting in a new company here already:

Step 3 – Take The Company’s Risk Assessment Report and Translate it to Financial Figures – The board doesn’t make decisions with traffic light charts, it makes decisions based on money.

  1. NIST, ISF, ISO – no matter what framework you use for risk assessment, you need to translate it into “Business Language”, aka money, money, money.
  2. Quantify each threat via the Boardish Methodology: how many workdays lost, how many turnover days lost, what is the market position risk, etc.

Step 4 – Make Sure The Proposed Solutions Include Full Costs (no surprises later)

A common source of tension between IT/cyber and the board is when the board gets surprised by solution costs because labour wasn’t included when the proposal was made and approved.

So, when I create proposed solutions and budgets, I make sure I’ve included labour, to avoid the scenario where implementing and supporting a solution costs more in labour than the initial licensing.

If you need more help to do this, you can see my article below (using Boardish – or you can make a spreadsheet and work it out yourself).

Step 5 – Evaluate What is The Efficiency level of the Current & Proposed Solution Against the Threat – “Are they any good?”

How well do the solutions mitigate the risk that you’re being hired to solve? In MANY cases several solutions address the same threat, and the same threat can arrive via different vectors. Make sure you have the full picture.

Involve the IT & Cyber teams who will have real-life stats, info from the solutions that they’ve used before, and POC on any new products.

I use the TPF approach in the Boardish methodology, and before Boardish I did it manually myself to assess how effective the solutions are against the threats.

Here is an example of a TPF in the Boardish App (Note: it has full manual control so you can set and reset based on new information and knowledge.)

Step 6 – Regulations! – Don’t forget your BEST FRIEND.

Regulations are the best friend of the CISO and the cyber consultant: they get you the attention you need from the Board. Nobody ignores a fine of 4% of turnover.

  1. Almost EVERY company I have encountered has GDPR implications. GDPR is a “Board Level Responsibility”, so it’s a great “conversation starter” with the Board.
  2. If you or your suppliers are somehow connected with medical information, HIPAA is your best friend. USE IT!

Ok … we have the data gathering section complete, we are good “internally” but are we ready to “attack the board room”?

Not yet … now, you need to get all your team onboard.

Step 7 – GET ALL YOUR TEAM ONBOARD

Before you go into budgets, make sure your staff, your team, your partners and your managers are fully aware of the REASON for this project, and that “why we are doing this” is clear to everyone.

This helps to reduce resistance to change which can slow or derail your project, and gets everyone excited about the changes because they see how it helps them.

This ties into an article I wrote on my experience of managing up and down the chain of command:

Step 8 – Forget all your “Techy Risks Terms” – Turn the data into business language.

It’s not just quantifying the risk into financials, it’s also terminology and how you frame your budget and proposal.

When approaching the board, focus on:

  1. What is the COST of the threat?
  2. What is the COST breakdown? (Sales Loss, Salary Loss, Market Loss, Regulation Loss)
  3. What is the complete solution cost overall?
  4. How much financial exposure do they have left after implementing the solutions?

Be ready to run the simulation with different solutions, different efficiency levels, different threat metrics, different costs. Give the info they need LIVE!

This is a Boardish Dashboard that I use to show Boards when pitching budgets.

Usually, in my experience, if your solutions are mitigating MOST of the risk and the cost of the entire solution is less than 2% of the turnover – YOU WILL GET YOUR BUDGET approved.
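To show how the steps above (company details, threat cost breakdown, full solution cost, efficiency of solutions, residual exposure and the 2%-of-turnover rule of thumb) and the “how does the Boardish Framework solve this” list in the previous post fit together, here is a simplified worst-case exposure model. It is an added example written for this page, not Boardish’s own formula or app code; the impact weights per user band, the multiplication of independent solution layers and the recovery-years multiplier on market loss are my assumptions, and the company, threats and solutions are constructed. Like the first post argues, there is no probability term: every threat is treated as certain.

```python
"""Worst-case cyber exposure model: quantify each threat in money, apply the
efficiency (TPF) of the solutions, report residual exposure and the budget
rule of thumb. Illustrative model, NOT Boardish's own formula or code."""
from dataclasses import dataclass

# Assumption: share of a working day a user in each band loses when technology is down.
IMPACT_WEIGHT = {"high": 1.0, "medium": 0.5, "low": 0.2}


@dataclass
class Company:
    turnover: float              # annual turnover
    staff: dict                  # band -> (headcount, average annual salary)
    working_days: int = 250
    recovery_years: float = 1.0  # years to regain the previous market position


@dataclass
class Threat:
    name: str
    workdays_lost: float         # days staff cannot work normally
    turnover_days_lost: float    # days of sales lost
    market_loss_pct: float       # share of annual turnover lost to competitors
    regulation_fine_pct: float   # e.g. 0.04 for a fine of 4% of turnover


@dataclass
class Solution:
    name: str
    licence_cost: float
    labour_cost: float           # IT & cyber labour to implement and run it
    tpf: dict                    # threat name -> efficiency against it, 0..1


def salary_loss(c: Company, t: Threat) -> float:
    """Lost labour cost: the daily salary bill, weighted by technology impact."""
    daily = sum(n * salary / c.working_days * IMPACT_WEIGHT[band]
                for band, (n, salary) in c.staff.items())
    return daily * t.workdays_lost


def threat_cost(c: Company, t: Threat) -> dict:
    """Financial breakdown of one threat in the four loss categories from the post."""
    parts = {
        "Salary Loss": salary_loss(c, t),
        "Sales Loss": c.turnover / c.working_days * t.turnover_days_lost,
        # Assumption: the market-share gap persists for each year of recovery.
        "Market Loss": c.turnover * t.market_loss_pct * c.recovery_years,
        "Regulation Loss": c.turnover * t.regulation_fine_pct,
    }
    parts["Total"] = sum(parts.values())
    return parts


def combined_tpf(solutions: list, threat_name: str) -> float:
    """Combined efficiency of several solutions against one threat.
    Assumption: the layers are independent, so the residual risk multiplies."""
    remaining = 1.0
    for s in solutions:
        eff = s.tpf.get(threat_name, 0.0)
        if not 0.0 <= eff <= 1.0:
            raise ValueError(f"{s.name}: TPF for {threat_name} must be in [0, 1]")
        remaining *= 1.0 - eff
    return 1.0 - remaining


def budget_check(c: Company, threats: list, solutions: list,
                 max_cost_share: float = 0.02, min_mitigation: float = 0.5) -> dict:
    """Residual exposure after the solutions, plus the rule of thumb from the post:
    most of the risk mitigated and total solution cost under 2% of turnover."""
    exposure = sum(threat_cost(c, t)["Total"] for t in threats)
    residual = sum(threat_cost(c, t)["Total"] * (1.0 - combined_tpf(solutions, t.name))
                   for t in threats)
    cost = sum(s.licence_cost + s.labour_cost for s in solutions)  # licences + labour
    mitigated = 1.0 - residual / exposure if exposure else 0.0
    return {
        "threat_exposure": exposure,
        "residual_exposure": residual,
        "mitigated_share": mitigated,
        "solution_cost": cost,
        "cost_share_of_turnover": cost / c.turnover,
        "approvable": cost / c.turnover <= max_cost_share and mitigated >= min_mitigation,
    }


# Constructed sample data: a hypothetical company, two threats and two solutions.
COMPANY = Company(turnover=50_000_000,
                  staff={"high": (200, 60_000), "medium": (300, 40_000), "low": (500, 30_000)},
                  recovery_years=2)
THREATS = [
    Threat("Ransomware", workdays_lost=10, turnover_days_lost=5,
           market_loss_pct=0.02, regulation_fine_pct=0.04),
    Threat("Phishing", workdays_lost=2, turnover_days_lost=1,
           market_loss_pct=0.005, regulation_fine_pct=0.0),
]
SOLUTIONS = [
    Solution("EDR", licence_cost=150_000, labour_cost=60_000,
             tpf={"Ransomware": 0.6, "Phishing": 0.5}),
    Solution("Immutable backups", licence_cost=80_000, labour_cost=40_000,
             tpf={"Ransomware": 0.7}),
]

if __name__ == "__main__":
    for t in THREATS:
        print(t.name, {k: round(v) for k, v in threat_cost(COMPANY, t).items()})
    print(budget_check(COMPANY, THREATS, SOLUTIONS))
```

Changing a TPF value or adding a solution and re-running is the “live simulation” the post recommends bringing to the board.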

Here is a 5-minute demo of how I use the Boardish App and Methodology to implement exactly what I talked about above:

Going back to my headline – I very rarely fail with this approach.

In almost all cases, I see that when you communicate your needs in a business language you will get your Budgets.

Do you think I am exaggerating? That I am a bald, stuttering, overconfident methodology creator? Well, maybe I am, but that’s beside the point. My method works! Try it yourself and see.

Boardish: http://boardish.io/

Sign up here: https://app.boardish.io/

Eli Migdal – Co – Founder – Boardish


Why You Need a Human Involved In Risk Decision-Making



Until there is a whole new level of real AI technology and not pattern-based recognition automation as we know it now, risk decision-making should still always have human involvement.

I got inspired for this article following the David Spark CISO Series Friday evening event on “Hacking Automation”.

During the event, David asked, ‘Which element would you never automate?’ Both panelists and many others in the chat room said Risk, and I wanted to share more of my thoughts on where you can’t automate with AI.

Risk information gathering, such as penetration testing tools, and even risk identification can be automated (or done with a combination of automation and humans), but when it comes to the decision-making on risk, that should always be a human.

A risk assessment can give you scores to consider, but there is no such thing as ‘generic risk’ in cybersecurity, there’s no one-size-fits-all. Every threat has a different impact level for each organization type, industry, and even specific activities in an organization.

I see it with Boardish as well as in consulting. Risk depends on variables in an organization like structure, revenue engines, and even functions like marketing (when you consider market position losses in the calculation) and it’s all interconnected. Cyber threats are a 3D picture (some say 4D) which need different perspectives that automation and AI just cannot give right now.

Which is why a human should have the say on the priority of IT and Cyber risks and make the final decision on what is a higher risk to the organization.

When my partner and I were building the Boardish Methodology, we made a big decision on the ‘decision-making’ and level of control a human has over threat decision-making. Which is why one of our main elements in the methodology is TPF (Threat Protection Factor). This is the efficiency of the solution against the threat.

We knew we could go the automation route: integrate with other tools, take the data, and provide an automated answer to “how efficient is the solution against the threat”, e.g. “Endpoint Protection is 68% efficient against Malware”.

But then we understood that only a skilled professional who knows:

  • the company inside out,
  • how the threats impact his/her company, and
  • from real-life testing, the real-life efficiency levels of certain solutions,

And only with that information can they make an accurate decision on how efficient a solution is for THEM. How much will certain solutions mitigate that company’s threats.

This is also why we separated “On-Prem” and “On-Cloud” and gave them separate TPF input values. We have seen too many scenarios in which a solution can be VERY efficient on-prem but have almost no impact On-Cloud and vice versa.

That’s why, when it comes to risk decision-making, we need to give the cyber professional FULL CONTROL over the decision. Of course, we can suggest based on our professional knowledge, but it must be a suggestion only, so the final word always goes to the person who is in charge, who is responsible for the company.

Here is a screenshot of our TPF section in the Boardish wizard, you can see that YOU can decide the efficiency on-prem and on-cloud for each solution against a threat or multiple threats:


To try the TPF for yourself, sign up to Boardish completely FREE here: https://app.boardish.io/

Learn more about Boardish here: https://boardish.io/

Eli Migdal, Co-Founder of Boardish


‘Leading Up & Down The Chain of Command’ As A CISO


I was listening to the audiobook “Extreme Ownership” by Jocko Willink and Leif Babin, in which they share their experience as Navy SEAL commanders and how to translate that experience to the realm of business.

I did not know what to expect from the book. Yes, I know that many cyber professionals (including yours truly) love to consider themselves “warriors of cyber”, fighting against the ‘bad guys’, and so many more battle metaphors.

But still, I had no idea how much a specific part of the book would resonate with my experience in the cyber managerial realm. One chapter specifically (Leading up and down the chain of command) really stood out and matched my experience as a cyber manager.

I was shocked at the level of similarity, and more importantly, the level of clarity and pragmatic approach this book can give cyber professionals to deal with our daily ‘missions.’

CISOs and other managerial cyber professionals are currently in a challenging position in which they need to ‘lead’ both up and down the chain. They need to manage their teams and they also need to ‘manage’ their management and decision-makers.

So, I wanted to share a real-life experience that I have encountered whilst working as a Cyber Security Consultant to share what ‘managing up and down the chain of command’ means for me.

Background:

I was brought in by the Chairman of the Board to an organization that had a strong and capable IT department but no proper security team at the time. I was acting as a temporary CISO and project owner in a post-data-breach situation, to build a complete security methodology and team that would work together with the CTO and the IT team.

After several Board Level meetings, it was decided the entire overhaul project would be framed around GDPR compliance. The organization would have GDPR best practices including data encryption, DLP, SOC team, a new DPO role (and much more) as the company was post-breach. I was acting under the ‘command’ of the chairman, the board approved the entire plan and we officially started the project.

Challenges – Phase 1:

Following several planning sessions with the CTO and the IT team leader, we understood that the company had a HUGE amount of legacy software and hardware (something I see in many companies – old computers running outdated operating systems, or an ERP system with compatibility issues).

Newer computers running newer operating systems were a mandatory requirement to run the newest security tools, so the IT department had the huge challenge of upgrading the entire company and getting the infrastructure ready for the security tools.

The CTO and the IT Team leader understood the scope of it and said they could do it.

Challenges – Managing down the chain of command:

The replacement of legacy IT software and hardware started and the entire IT team was working nonstop, and of course, problems started to occur:

  • The upgrade project was taking more time than initially anticipated, mostly because several “top-ranking” departments were adding more challenges to the process. E.g. ‘not allowing an upgrade to a specific department because they are working on the budget of that quarter and no one can interfere’, or ‘delaying an upgrade of specific software because they did not have the time or will to train the new mid-level managers on the newer version’, etc.
  • The IT team was avoided because staff didn’t want their computer and software changed (because who likes change….?)

In a meeting I had with the team, I remember hearing sentences like:

  • The new project is taking so many resources we barely have resources to keep the day-to-day running, and this is making our users angry about our service.
  • Before this project we had it stable, we had it calm, people liked us.
  • Before this project, we had no issues with Heads of Departments and now we need to “fight” in order to get this project moving.

The IT team started to “hate the project”

I remember stopping and asking the IT team very directly, ‘what is the purpose of this project?’

They hesitated a bit and then replied ‘to get the company GDPR compliant, that annoying regulation/compliance thing.’

And I remember that I thought to myself, this is MY ERROR, I did not communicate the big picture well enough. They were so focused on the micro tasks they were not seeing the big picture, I did not communicate it as I should have.

I sat down with the team and explained to them very clearly that we all knew the company had suffered a data breach. They were lucky and the exposure was minimal, but it could have been much worse, so bad it could have ‘killed the company.’ The Chairman of the Board brought me in to make sure it would not happen again; this was my clear mandate.

The purpose of the project was to protect the company, to protect all the different departments, to protect the people, to protect their families whose livelihoods depend on the company. It was a real “fight for home”. The true purpose of the project was to protect the company so it will continue to be a home for many years to come.

I also explained that without the IT department being “all in”, we couldn’t get to the next phase of installing the security software, and without that, we would not achieve a secure company.

As leaders, it’s our job and our responsibility to make sure that every person we are in charge of knows exactly what he/she is doing, and most importantly WHY. It isn’t just to “tick some regulation box”, it’s to secure the company that is a home and livelihood to most of the employees.

It’s all about communication, explaining why we do the things we do.

I also understood that my next task was to ‘manage upwards’ because the same issue was happening with the C-Suite and the heads of departments.

Challenges – Managing up the chain of command:

In the next Board meeting, I came down “hard” on several of the Department heads about them “not allowing” the work of IT.

Their feedback was very similar to the feedback of the IT team and was focused on their specific projects, their budgets, their tight schedules or goals, etc. And most of them did not understand how their behavior was actually impacting the project itself. (They honestly didn’t make the connection: “how can my department slow down this entire project? It doesn’t make sense.”)

They knew the big picture, they knew the purpose of the project but they did not fully understand the steps that were required to “get us there” and again I understood it’s my responsibility to communicate clearly WHAT we are doing, and WHY.

So, I sat down with the CFO, the IT team leader and the IT department, and showed all the different steps in the checklist for installing ONE new computer: getting it with all the required software etc., and all of this while keeping the user working on a temporary terminal.

I will never forget what the CFO said: “Wow – you do this WITH EVERY SINGLE USER?” And the team leader said, “Of course – we need to make sure all works 100% before we hand it over.”

I used this opportunity to remind the CFO that all of this, all of this “hassle” is to keep the company secure. The same goal, exactly the same goal I explained to the IT team, the same goal that the Chairman of the Board told us to execute.

And following that, I requested (demanded) several things:

  1. No department will slow down the project no matter what.
  2. If there is a critical need for a “unique” scenario, the CFO will provide an additional budget for additional IT resources so upgrades can be done during nights or weekends.

The Bottom line – no one is too “special” to bypass our timeline. If more time is required – we “Buy it”!

The CFO agreed and during the project, additional budget resources were supplied and an external company was used to help with the new software installation, mostly during weekends, making sure there was zero impact on employees.

The ROI for the CFO was clear; all he needed was the understanding of “what is happening and why”.

In my role as the temporary CISO / project owner, I needed to constantly ensure clear communication and expectations between the team I was managing and my “management”.

All must be aligned to the same goal and it was my responsibility to keep them aligned.

My experience has shown me that if you communicate clearly, make it goal-oriented, remove ego and be pragmatic, you will get both teams on your side.

The project was a big success and the company itself is a showcase for technological methodologies like “full encryption for non-structured information” and a global SOC team that mitigates most incidents before they have any serious impacts.

Plus, IT and the new cyber team are working together better than ever, both able to get budget requirements from the board by communicating clearly their needs, the main goal, the steps to getting there and, most importantly, “what are the exact expectations of IT and Cyber from the Board”.

Bringing it all together

Ultimately, when a CISO takes responsibility for a project, task, risk, or anything else, there needs to be a very clear definition of WHAT THEY ARE RESPONSIBLE FOR and WHAT THE END GOAL IS.

And this needs to happen at board/decision-maker level before approval. Because ultimately, a CISO needs to be able to manage up, down (and sideways) to take ownership of challenges and correct issues as they arise. This can’t be done without very clear and explicit understanding.

In this instance I was able (and was given the authority) to ‘sit down’ members of high management, ‘demand’ from the C-suite because there was clear quantification before I took the project on. I knew exactly what the end goal was and it was my responsibility to communicate effectively to make it happen. But, without this clear ownership, it would have allowed delays, and potentially the abandonment of the project when some resistance was met.

You’ll always get resistance (people hate change even for their own good), but with the right ownership, you can be empowered to forge ahead and lead up and down the chain of command!

Eli Migdal – Co – Founder – Boardish


Imposter Syndrome in Cyber Security – How We Can Turn This Into Our Secret Weapon To Become Technological Leaders


*This article was also posted on LinkedIn.

I created a survey on Linkedin surrounding Imposter Syndrome in Cyber Security, and it looks like a lot of us “suffer” from it, particularly when it comes to the cyber management level. (link to the survey here)

I see this entire “syndrome” as a very interesting and even CRITICAL part of becoming a cybersecurity professional at the executive level. I believe there is a curve of confidence in Cyber Security; I aptly call it “Eli Migdal’s Confidence Curve of Cyber Security Tech Vs Managerial Skills Vs Confidence” (I know – very original name), which, if you were to chart it out, would look something like this:

(Chart: imposter syndrome chart for executives)

This chart in my experience works both for the Sys Admin route to CTO / CIO and the more cyber focused route to CISO.

But, it’s all about the timing – when does imposter syndrome start? And how can you catch it to use it to your advantage?

If I break down the chart to explain more about what this looks like in practice, you’d see something like:

  1. (Years 2-6) – You are focusing on honing your “Techy Knowledge” and going hands-on as you grow your confidence alongside your tech skills.
  2. (Years 7-9) – Your “Techy Knowledge and Skill” peaks and starts to plateau (in tech you will never know everything as it changes so quickly!). During this time your confidence level continues to grow, and your managerial skills grow more as you start to manage more people and teams directly.
  3. (Years 10 -12) – This is where it usually gets “tricky” because your focus turns more to managerial skills and tasks. Your “Techy knowledge” starts to decline because it’s almost impossible to stay completely hands-on in tech and management simultaneously as your team size and responsibilities increase. This is where the first real signs of “imposter syndrome” start to show and your confidence starts declining.
  4. (Years 13-15) – Your Managerial skill increases initially but starts to balance out and does not increase more as your confidence level is declining and you’re not maintaining “Tech Knowledge” levels. This is where you must “fix it” and get the charts rising again.

What is “Imposter Syndrome” in IT & Cyber – How does it feel?

It is usually all about your confidence level and self-doubt. Typically, the following types of questions start popping into your head:

  • Am I really an expert? Am I really a Cyber Expert or an IT expert?
  • Can I really be responsible for something as big as securing an entire organization?
  • Can I really be responsible for the entire infrastructure and IT system of this organization?
  • Do others see me as an expert? Do they see me as a fraud?
  • If I don’t know something does this mean I don’t deserve to be here?
  • Does the bald look work for me or do I actually miss my hair? (ok maybe that’s just me)

Most likely some or even all of these questions have been through your mind at one point or another…

When it comes to technology, increasing your skillset tends to take time and the change is granular. But, when you’re shifting from techy to managerial or managerial to executive, there’s often a lot of sudden changes. This is usually a ‘sink or swim’ moment for many IT and Cyber professionals looking to become technological leaders. And a big cause of ‘imposter syndrome’ in my experience.

But to be honest, the real question is. If you suffer from imposter syndrome, is it really a ‘bad’ thing?

I think that in the IT & Cyber Realm we NEED to suffer from imposter syndrome, we need to embrace it. Otherwise, we will just be overwhelmed by the speed of how everything is changing.

The truth is, in cyber, everything changes so rapidly that no-one is ever going to know everything no matter how hard you try. Once you embrace the ‘imposter syndrome’ which is often a result of this, you can actually make it your friend and your secret weapon.

(credits to Nir Rothenberg for ‘secret weapon’)

Here are 6 bullet points on how to embrace imposter syndrome and make it work FOR YOU:

  • Understand that you can’t have ‘hands-on’ up-to-date knowledge on everything. In fact, the more you know, the less you actually know.
  • It’s very healthy in IT & Cyber to say “I don’t know – let’s research and find out”. Being able to say this is a proper catalyst to constantly learning more and engaging with your peers, researching, and learning TOGETHER.
  • Now, this is a big one. Your ‘worth’ as an executive is not always ‘what you know’. It’s your capability to learn, adapt, and respond to changing landscapes quickly. Experience is the ability to deal with new scenarios and not the amount of knowledge you have (this is a completely different metric of success compared to technological job roles and many people don’t realise this change).

Remember – You are not being benchmarked for your knowledge, in Cyber and most of IT you are being benchmarked on your Skills to deal with challenges.

  • If you want to make it in the Boardroom, try to be a specialist in being a generalist (credits to David Varnai for this quote). You cannot be a complete expert in “something” when that “something” is ever-changing.
  • There’s a reason that Academia doesn’t really work in Cyber Security at an executive level: learning “past methodologies” doesn’t give you the experience to work at board level or to manage a team. It’s real-life experience that will make you feel more confident, rather than trying to put theories into practice.
  • Don’t doubt yourself, but always challenge yourself. Ask “Did I really do everything I can on this subject? Did I engage with all my colleagues to find the best solution?”

So if you ask me: “Eli – are you an expert?”

Usually, my reply is “Yes, I was an expert yesterday … today most likely I am not – let me learn something new and I’ll get back to you”

“Eli – Do you have Imposter Syndrome?”

My answer would be “I had it yesterday but today I learned something new and I am ALLLL GOOOD”

Ok, I have embraced the Imposter Syndrome; what actual steps can I take to increase my confidence in the technological managerial realm?

  1. Use the Imposter Syndrome – Rather than allowing it to make you doubt yourself and knock your confidence, use it as a benchmark to accept something you don’t know and then drive your learning. Remember you can’t know it all, no one can, but imposter syndrome will empower you to do your maximum to learn something new every day. And this, in turn, will make you a much better leader.
  2. Learn to speak in Business! learn about P/L, Assets, Liabilities, Revenue, Expenses, Equity, Net Profit, Net Loss, Profit Margin, Cash Flow, ROI, B2B, B2C, and no, you don’t need to do a PhD in economics. You are in Cyber and IT, find the resources, teach yourself as you did for any other subject in your professional realm.
  3. Engage with your managerial colleagues; it’s time to put the “Linux Console” aside for a while and work on your “soft skills”, which are critical in the technological managerial world. Here’s an article on Soft Skills from Boardish: https://www.boardish.io/are-soft-skills-becoming-more-important-than-tech-for-it-cyber-pros/
  4. After sections 1 & 2 are accomplished, move to the next part – talking in Business Risk. I have learnt that most decisions by C-Suite and Board members are made based on Risk Analysis, and in most cases it’s financial risk. I wrote an article on the subject:

https://www.boardish.io/the-5-step-framework-for-cisos-starting-in-a-new-company/

I created the Boardish Methodology initially to help me swim in this deep water. To be able to get decisions from the C-Suite and Board and increase my Managerial communication skills. In doing this, it increased my confidence.

In our early years, our confidence grows as our technological abilities grow: the more “issues you fixed”, the more confident you become. In the IT & Cyber Managerial realm, your confidence will grow with the number of executive decisions you are able to push through.

Connect your confidence level and benchmarking with decision making and you will see how sometimes your “imposter syndrome” grows but it just makes you feel better, stronger, and more capable!

Eli Migdal – Co-Founder of Boardish


How to Quantify The ACTUAL Cyber Solution Cost For Your IT & Cyber Budget


In many cases, the pricing of cyber security solutions is not clear in the budget, or even worse, it is not an accurate representation of the real cost to the business, which usually makes your C-Suite (particularly the CFO) extremely unhappy.

But it is our job as cyber security professionals to get to the most precise overall yearly cost of each solution.

We must quantify in order to get approval.

In this article, I am going to use the Microsoft E5 package as an example. It’s

  1. $35 per user monthly
  2. $420 Annually per user
  3. And for our example, we will assume the company has 1000 users.

Therefore the Annual cost of Microsoft E5 for 1000 users is: $420,000

But can you really say to your C-Suite that the Microsoft E5 Solution will cost the company only $420,000?

No! It is not the “REAL” price.

So, what is missing and how do we get to the real/full price?

What is most commonly forgotten is the ‘people power’ for implementing these solutions. So, you need to quantify the hourly rates for both internal employees and external consultants:

  1. Cyber Security Expert (CISO or Equivalent) – mostly for the solution design and architecture.
  2. IT Management Expert – for the IT system design requirements
  3. 3rd Level IT Expert – For Implementation and High-Level Support
  4. 2nd Level IT Expert – Support
  5. 1st Level IT Expert – Support

* Screenshot from the BOARDISH application

With the rates set you’ll need to look at:

  1. How Many Hours annually are required to Design the solution architecture?
  2. How Many Hours annually are required to Deploy the Solution?
  3. How Many hours annually are required to Support the solution in the POC and POV stages?
  4. How Many hours annually are required to Support the solution after moving to production (Day To Day)?

* Screenshot from the BOARDISH application

After you have quantified the initial design cost and the ongoing maintenance cost, then, and only then, will you start to see the real cost of the solution.

Also, it’s important to remember that the amount of “Expert time” depends very much on the ability of your IT & Cyber team and how quickly they can learn. In many cases, the learning time of a new tool can surpass the amount of time to implement it, which can make it even more expensive.
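To make the arithmetic above concrete, here is a small Python model that combines the licence figure with the people-power hours across the five roles and the four phases. It is an added example, not code from this article or from the Boardish application. The article gives only the roles and the $35 per user / 1000-user licence figure; every hourly rate and hour count in the sample data is a constructed placeholder, and the `learning_factor` multiplier is an assumption added to express the point about learning time.

```python
from dataclasses import dataclass

# The four phases the article asks you to estimate hours for.
PHASES = ("design", "deploy", "poc_pov_support", "production_support")


@dataclass
class Role:
    """One of the five roles whose time has to be costed."""
    name: str
    hourly_rate: float   # constructed placeholder rate per hour
    hours: dict          # phase -> estimated hours per year (constructed)


def licence_cost(users: int, per_user_monthly: float) -> float:
    """Annual licence cost: monthly per-user price x 12 x users."""
    return users * per_user_monthly * 12


def labour_cost(roles, learning_factor: float = 1.0) -> dict:
    """Annual labour cost split by phase.

    learning_factor > 1.0 inflates every hour estimate to account for the team
    having to learn the tool first (the article notes learning time can exceed
    implementation time). This multiplier is an assumption of this example.
    """
    if learning_factor < 1.0:
        raise ValueError("learning_factor must be >= 1.0")
    totals = {phase: 0.0 for phase in PHASES}
    for role in roles:
        for phase, hours in role.hours.items():
            if phase not in PHASES:
                raise ValueError(f"{role.name}: unknown phase {phase!r}")
            totals[phase] += hours * learning_factor * role.hourly_rate
    return totals


def real_solution_cost(users, per_user_monthly, roles, learning_factor=1.0) -> dict:
    """Licence cost plus people-power cost: the figure to put in front of the CFO."""
    lic = licence_cost(users, per_user_monthly)
    by_phase = labour_cost(roles, learning_factor)
    labour = sum(by_phase.values())
    return {"licence": lic, "labour_by_phase": by_phase,
            "labour": labour, "total": lic + labour}


# Constructed sample rates and hours; the article names the roles but gives no figures.
EXAMPLE_ROLES = [
    Role("Cyber Security Expert (CISO)", 150,
         {"design": 80, "poc_pov_support": 20, "production_support": 10}),
    Role("IT Management Expert", 120,
         {"design": 40, "deploy": 20, "poc_pov_support": 20, "production_support": 10}),
    Role("3rd Level IT Expert", 90,
         {"design": 10, "deploy": 200, "poc_pov_support": 80, "production_support": 200}),
    Role("2nd Level IT Expert", 60,
         {"deploy": 40, "poc_pov_support": 80, "production_support": 400}),
    Role("1st Level IT Expert", 40, {"production_support": 600}),
]

if __name__ == "__main__":
    # The article's licence example: 1000 users at $35/user/month = $420,000.
    for factor in (1.0, 1.5):
        cost = real_solution_cost(1000, 35, EXAMPLE_ROLES, learning_factor=factor)
        print(f"learning factor {factor}: licence {cost['licence']:,.0f}, "
              f"labour {cost['labour']:,.0f}, total {cost['total']:,.0f}")
```

With the placeholder rates the licence is only about three quarters of the first-year figure, and raising the learning factor shows how quickly a team unfamiliar with the tool moves the "real" price.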

Once you have the solution cost, we highly recommend showing it as part of your Cyber Security ROI (Return on Investment); based on our experience, it increased the chances of getting your solution cost approved by the C-Suite by 71%!

In this article below we show you exactly how to do that!

How to show ROI for Cyber Security

Eli Migdal – Co-Founder of Boardish.

Quantify TRUE Solution Costs

Explain why/how your solutions work, to a non-techy audience. 

How Much Should A CISO & Other Cyber Professionals Earn? (aka How to benchmark your Salary?)


I got the inspiration for this article after listening to the David Spark podcast (Defense in Depth) which talked about Security Budgets, “We’ll find the Cyber Security budget when we’re breached”.

In this podcast, one of the participants “Yaron Levi” ( the CISO of Blue Cross ) brought up the “Value” element. That you need to understand the value of the company and then you can understand Cyber Budgets.

I fully agree.

But this got me thinking about the big issue of “Value assessment / knowing the value of …” in Cyber Security. I meet (well, now it’s mostly Zoom 🙂) and hear many Cyber Professionals discussing the vastly different salary ranges across the industry.

There doesn’t seem to be a clear definition for: “How much a CISO should earn” from either the business side or from Cyber Professionals.

This leads me to the core of the issue.

A lack of ability to assign value, which in my eyes is one of the biggest issues in cyber security.

It’s impacting cyber budgets, cyber salaries, and has everything to do with value rather than money.

Cybersecurity and IT have always been hard to quantify (it’s why I started Boardish in the first place) and this is because the ‘value’ is defined in different ways. As an example, technology value can be seen in:

  1. Facilitating business working/development/growth
  2. PREVENTING cost-impacting events e.g. ransomware, or data breach fines etc.

So what does this mean for CISOs and cyber professionals and getting paid?

The traditional approach to salaries and consulting has flaws within the realm of Cyber Security:

When going to an interview or a meeting regarding the fees of consulting or the salary you will ask for, you will try to negotiate your pricing based on the following:

  1. Your experience level.
  2. How you perceive the company’s ability to pay.
  3. The market averages for this specific role and sector.
  4. And of course – Your “shrewd negotiator abilities”.

Usually, with those 4 metrics, you will determine your Bottom and Top ranges of salary/price.

This approach is fine, but for Cyber Security it just does not work well enough, for the following reasons:

  1. Your Experience Level – Cyber Security is constantly changing and evolving. Your experience level is important, but being a specialist in “something” does not mean this “something” will be relevant in 3 months; it’s your learning capabilities and ability to react which are, in my eyes, more important than your “classic experience”.
  2. How you perceive the company’s ability to pay – Yes, you can research a bit and know the turnover of the company and in general what the average salaries are, BUT you don’t know how much value the company puts on Cyber Security. The company can be huge and very profitable but not value cybersecurity at all, and so it will not see value in your proposition regardless of what it is.
  3. The Market averages for this specific role and sector – You usually do not have visibility into how complex the system is, what is the Risk Exposure, or how much Financial Risk you will be responsible for. So 2 companies who look EXACTLY the same from the outside may be completely different in the “Risk Levels” that the CISO needs to take under his/her responsibility.
  4. Shrewd negotiator abilities – Always a good thing to have, but without them seeing the value of what you’re offering, it’s not going to be much of a negotiation! 🙂

So how should CISOs and Cyber Pros be approaching this instead?

The key in my experience is looking from the perspective of value to the company and ‘knowing the financial amount (and risk) that you’ll be responsible for.’

Depending on the amount of risk you’ll be responsible for, you can set your acceptable minimum and preferable maximum salary.

CISOs (and other Cyber Security professionals) must be able to QUANTIFY what they are responsible for. There is a huge difference in the level of responsibilities and mitigation needed between $100M and $10M, so the salaries shouldn’t be the same because the VALUE is not the same.

To put this into perspective. If you are interviewed for a position that means you’re responsible for mitigating $100M of Cyber risk to the company – would you consider $60K yearly enough?

How do you Quantify the value of ‘How Much a CISO is worth to the company’?

You need to know 3 main metrics:

  1. The company’s Turnover – this is usually something you can easily research yourself and get a ballpark.
  2. The Total Financial Figure of Cyber Security Risk that you will be responsible for mitigating. (This can also be done via the Boardish Methodology and Boardish Tool I’ll discuss in the next section)
  3. The current remaining exposure, AKA “Total Threat Loss (Minus) how much was mitigated already” = The actual Financial figure you will be responsible for.

How To Use Boardish To Get This Figure

You can use the Boardish Methodology and tool to get exactly this information, because it’s similar to budgeting. After completing the wizard, your Dashboard will show you EXACTLY what we discussed!

How the Boardish Methodology works:

After filling in the information, your Dashboard will show you a clear connection between the Turnover of the company, the biggest Threat in financial figures, and the remaining exposure.

In the screenshot below the biggest threat has a total Threat Loss of 93M (which is twice the yearly turnover of the company which is 75M) with a remaining exposure of 46M.

So when looking at the ‘value’ of the position of CISO for this company, you will be responsible for a Financial Risk figure of 46M in a company with a 75M yearly turnover.

Now that you have the figures – you unleash your “shrewd negotiator abilities”.

Ultimately, when it comes to your value, don’t let the market ‘assume for you’, in fact, don’t assume at all. Quantify!

You can use Boardish Basic to quantify completely free!

Sign Up here: https://app.boardish.io/

Learn more here: https://www.boardish.io/

Eli Migdal – Co-Founder of Boardish.


Boardish Glossary: Risk Quantification Terminology


The risk quantification process is crucial in order to help the board make financial decisions a lot quicker. To help you better understand the process, we compiled a comprehensive list of risk quantification terminology. These terms are divided into three categories: Filter Terminology, Dashboard Terminology, and Boardish Terminology.

Filter Terminology

Regulation Loss – The financial impact to the organisation in the event of being hit by regulation fines as a result of a threat or combination of threats to the organisation.

Sales Loss – The amount of sales lost as a result of a threat or combination of threats to the organisation.

Market Loss – The financial impact of losing market positioning as a result of a threat or combination of threats to the organisation.

Salary Loss – The amount of financial impact to salaries as a result of a threat or combination of threats to the organisation.

Dashboard Terminology

Total Threat Loss – The total risk of financial damage to your company as a result of the threat.

Solution contribution on-prem – How much financial impact the solution has in mitigating the chosen threat on premises.

On-prem exposure – The outstanding financial risk from threats on premises.

Solution contribution in-cloud – How much financial impact the solution has in mitigating the chosen threat in the cloud.

In-cloud exposure – The outstanding financial risk from threats in the cloud.

Boardish Terminology

High-Impact Users – Users who are very affected or cannot perform their daily job roles or functions in the event technology in the organisation becomes unavailable.

Medium-Impact Users – Users who are affected and have to adapt their daily job roles or functions in the event technology in the organisation becomes unavailable.

Low-Impact Users – Users who are barely, or not affected in their daily job roles or functions in the event technology in the organisation becomes unavailable.

Relative Rate of Sales – The percentage of sales lost per day during closure or if a risk comes to fruition.

Threat Protection Factor – The performance effectiveness of the solution against the threat.


What You Need For Career Progression From ‘just’​ a tech person to Technological Management (CISO, CIO, CTO etc.)


As someone who was a “techy” for many years (aka “installed and managed Server 2003 with Exchange 2003 (before SP1)” in my early days as a system administrator), I know how tricky the transition from ‘tech’ to ‘management’ is.

In essence, the transition is taking all of your technical knowledge and using it to make smarter business decisions based on technical knowledge, rather than technical decisions based on technical knowledge.

Basically…

Installing and managing “Decisions and Methodology” rather than software and hardware.

When you initially start as a Helpdesk person, Networking Person, or System Administrator etc. your entire focus and terminology are technological. You need to think in “technological” language and provide technological solutions to technological problems.

But, when you climb up the ladder you get more opportunities and responsibilities to interact and ‘troubleshoot’ at an operational level.

This is where many professionals get stuck and struggle to progress in their careers, because they don’t adapt their methodology and terminology into ‘business speak.’ They revert to “Technical Solutions for Technical problems”.

But I wanted to share 3 ways you can get started transitioning from tech to management that I found useful in career progression.

#1 Research your business (and understand it)

In the same way you would treat technical learning and research when you’re troubleshooting, talk with your colleagues and make sure you know the business you are working in/with:

  • What does the business do?
  • What is the vision of the business?
  • Who is the target audience?
  • What is the USP (Unique Selling Proposition) of the business – how does this business differentiate itself?
  • Who are the competitors?
  • What are the biggest challenges the business is facing?
  • What role does technology play in the business function?
  • What technological risks are the biggest right now?
  • How does the business get impacted by these risks?

In Boardish, for example, we also encourage you to look at how many users are impacted by technology and to what degree. We classify them as ‘high, medium, and low’ impact users, which means the number of employees who will lose significant working capabilities when technology is unavailable (high reliance on technology).

Knowing all of these things is the first step to making meaningful inputs and decisions at management levels and beyond. Particularly if you’re aiming for the CISO position.

#2 – Familiarize yourself with business & risk terminology:

You need to see how technology relates to the business as a function in the macro, rather than the fixes in the ‘micro’ and this means learning and understanding many terms. Particularly if you’re interacting with other departments or decision-makers.

This means stepping outside of the technical and understanding things like:

  • Annual company turnover = The total sales made by a business in a certain period. It’s sometimes referred to as ‘gross revenue’ or ‘income’. This is different from profit, which is a measure of earnings. It’s an important measure of your business’s performance.
  • Market positioning = The competitive advantage of an organization and the ability for your business to influence its customers. Sometimes this is discussed as ‘brand positioning.’

As well as risk terminology (these are taken from our Boardish ecosystem) including:

  1. Market Loss – The financial impact of losing market positioning as a result of a threat or combination of threats to the organization.
  2. Sales Loss – The amount of sales lost as a result of a threat or combination of threats to the organization.
  3. Salary Loss – The amount of financial impact on salaries as a result of a threat or combination of threats to the organization.
  4. Regulation Loss – The financial impact to the organization in the event of being hit by regulation fines as a result of a threat or combination of threats to the organization.

#3 – Start evaluating how effective your tech solutions are against threats

You will already know technological risks and threats to the company, e.g. ransomware etc. and you already know your preferred way of protecting against them.

But now it’s time to quantify them for the business.

How effective are your solutions (or combination of solutions) at protecting against these threats? And how much money can you save the business by deploying certain solutions?

Translating tech to business is a key milestone in your career progression that is going to help you get from techy to manager and be more heavily involved at the decision-making level.

Get started by running simulations on Boardish. When you set the TPF (Threat Protection Factor), this is where you find out how efficient the solutions are against the threats in financial numbers! Boardish Basic is completely free for you to test and experiment with yourself as you get to grips with the new terminology and knowledge and take the steps towards speaking the language of the business.

Sign up to Boardish here: https://app.boardish.io/login

Learn more about Boardish: https://www.boardish.io/

Eli Migdal – Co-Founder of Boardish.


What To Do When Your IT & Cyber Risk Assessment Priorities Don’t Align With Another Department (A Case Study)​


Doing a Risk Assessment process is one of the critical things that we, as Cyber Security professionals, need to do in order to gain much-needed visibility into the business.

The initial purpose is usually to map the biggest IT & Cyber threats in the company and build a plan on how to mitigate them.

But what do you do when the Risk Assessment does not align with another department?

Sometimes IT & Cyber’s highest priority can be lower than the priority of another department.

(Something that we don’t always want to hear as cyber professionals!)

I want to share an experience from our BOARDISH ecosystem in which a CISO and a Risk Consultant found themselves in exactly this scenario and were able to resolve it quickly and effectively:

Background Info:

  • Large scale, international eyewear manufacturer.
  • More than 50% of the sales are done online via Ecommerce sites
  • Large database of globally located customer information which includes:
  • Relatively high (when compared to other competitors) Cost of Customer Acquisition (CAC)
  • The company did NOT have any large scale Data Breaches
  • The company DID have several website downtime incidents

The Challenge – Part 1:

The CISO and the Risk Consultant arrived at the conclusion that a Data Breach is the highest-ranking Risk for the company.

The logic for the decision, following a NIST-based Risk Assessment (a version more adjusted to the European market), was:

  • The large database of customers includes European customers and is therefore highly impacted by GDPR.
  • High customer acquisition cost (CAC) which makes the customer database very lucrative for competitors.
  • Lack of high-quality cybersecurity tools/infrastructure, specifically a lack of encryption for unstructured information.

The Challenge – Part 2:

When presenting the Risk Assessment to the C-Suite (the meeting was led by the CFO and COO) and requesting budget for the mitigation process, a hard pushback came from the Marketing & Sales Department regarding the CISO’s Risk Assessment.

The Head of Marketing & Sales said very clearly that they don’t agree with the CISO’s Risk Assessment: “The website suffering from downtime should be the highest priority for IT & Cyber to fix.”

The Head of Marketing & Sales was pushing hard that any new budgets should be allocated to increasing the strength of the website, making it more robust to reduce the risk of “downtime”, because of the key role it plays in acquiring customers, which has a direct impact on sales.

Both the CISO and the Head of Marketing & Sales used “Risk Scores”, “Risk Priorities”, “Risk Matrix” – everything was discussed in “Risk Language”, each advocating for their own “side”.

The Challenge – Part 3 (From the perspective of the Board / C-Suite):

Imagine yourself being in the decision-maker’s shoes:

  • You have your CISO and Risk Consultant advocating for budget allocation for “Data Breach”, being the highest risk and budget should go for protection tools against that threat.
  • You have your Head of Marketing & Sales advocating that the website being down is the highest risk and all the budget should go to making the site more robust.

But Risk Scores, Risk Priorities, and Risk Matrices are all subjective! When you measure the risk of website downtime to marketing, it’s a high risk to their function, but is it high to the company? Does a high risk of data breach really impact the company in the industry they operate in, and is that impact higher than the website being down?

These are all questions that couldn’t be answered with the data given, so the CFO requested a more detailed report from both parties because making an educated, smart decision in that phase was near impossible.

So, what does this look like?

The Solution:

The CISO understood that it isn’t the smart move to start “arguing” with the Head of Marketing & Sales; the smart and professional move is to sit down with him and understand his entire Risk Assessment process.

The CISO saw that from the Marketing & Sales perspective the website being down is the “worst-case scenario”, but also saw that Marketing & Sales were not really aware of MOST of the risks that the CISO is responsible for.

It was clear that the Risk Assessment results required a common denominator, so both decided to translate their Risk Assessments into financial figures: translating the risk into money.

In order for both sides to understand which risk is really the most dangerous for the business, they needed to translate Risk into Financial figures (Risk into Money): a common denominator that wasn’t subjective.

They used the BOARDISH Methodology to quantify the main threats:

  • Data Breach
  • Website downtime

For each threat, they entered the following information together, with full transparency:

  • What is the “Chance of losing the market position” from the specific threat – including reputational loss, branding etc?
  • How many Turnover days will be lost from each threat?
  • How many Workdays will be lost from each threat?
  • What is the regulation impact, financially from each threat?

All the information was fed into the Boardish system with the company information (like Turnover, number of employees etc.) and the results were crystal clear:

Data Breach had 2.5X the financial impact compared to Website Downtime on the business
  • The main reasons for the high figure were Market Loss and Regulations, while “Downtime” only impacted specific sales, limited branding and reputation, and a slight temporary increase in CAC.
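The glossary terms from earlier on this page (Total Threat Loss, Solution contribution, on-prem and in-cloud exposure, Threat Protection Factor, Relative Rate of Sales, high/medium/low-impact users) and the four inputs the CISO and the Head of Marketing & Sales entered above can be tied together in one small computational model. The Python below is an added example, not Boardish's code or formulas: the way each filter loss is derived from the inputs (impact-tier salary weights, a money value attached to market position, a 250-day working year) is a simplification made for this example, and all company and threat figures are constructed placeholders rather than the case study's numbers.

```python
from dataclasses import dataclass

# Constructed weights: share of a user's daily salary treated as lost when
# technology is unavailable, per impact tier (an assumption, not a Boardish figure).
IMPACT_WEIGHTS = {"high": 1.0, "medium": 0.5, "low": 0.1}


@dataclass
class Company:
    turnover: float               # annual turnover
    users: dict                   # impact tier -> head count
    avg_daily_salary: float       # constructed average daily salary per user
    working_days: int = 250       # assumption: turnover days per year


@dataclass
class Threat:
    name: str
    market_loss_chance: float      # chance of losing market position (0..1)
    market_position_value: float   # constructed money value of the market position
    turnover_days_lost: float
    relative_rate_of_sales: float  # share of daily sales lost per day of closure (0..1)
    workdays_lost: float
    regulation_loss: float         # regulation fines, entered directly


def _check_fraction(value, label):
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must be between 0 and 1, got {value}")


def total_threat_loss(c: Company, t: Threat) -> dict:
    """Glossary 'Total Threat Loss' as the sum of the four filter losses."""
    _check_fraction(t.market_loss_chance, "market_loss_chance")
    _check_fraction(t.relative_rate_of_sales, "relative_rate_of_sales")
    daily_turnover = c.turnover / c.working_days
    daily_payroll_at_risk = sum(
        c.users.get(tier, 0) * c.avg_daily_salary * weight
        for tier, weight in IMPACT_WEIGHTS.items())
    parts = {
        "sales_loss": daily_turnover * t.turnover_days_lost * t.relative_rate_of_sales,
        "salary_loss": daily_payroll_at_risk * t.workdays_lost,
        "market_loss": t.market_loss_chance * t.market_position_value,
        "regulation_loss": t.regulation_loss,
    }
    parts["total"] = sum(parts.values())
    return parts


def exposure(total_loss: float, on_prem_share: float,
             tpf_on_prem: float, tpf_in_cloud: float) -> dict:
    """Split the loss on-prem / in-cloud and apply the solution's Threat Protection
    Factor in each place: contribution = loss mitigated, exposure = what remains."""
    for value, label in ((on_prem_share, "on_prem_share"),
                         (tpf_on_prem, "tpf_on_prem"), (tpf_in_cloud, "tpf_in_cloud")):
        _check_fraction(value, label)
    on_prem = total_loss * on_prem_share
    in_cloud = total_loss - on_prem
    contrib_on_prem = on_prem * tpf_on_prem
    contrib_in_cloud = in_cloud * tpf_in_cloud
    return {
        "solution_contribution_on_prem": contrib_on_prem,
        "on_prem_exposure": on_prem - contrib_on_prem,
        "solution_contribution_in_cloud": contrib_in_cloud,
        "in_cloud_exposure": in_cloud - contrib_in_cloud,
        "remaining_exposure": (on_prem - contrib_on_prem) + (in_cloud - contrib_in_cloud),
    }


def rank_threats(c: Company, threats) -> list:
    """Return (name, total loss) pairs, biggest first: the common denominator."""
    return sorted(((t.name, total_threat_loss(c, t)["total"]) for t in threats),
                  key=lambda pair: pair[1], reverse=True)


# Constructed inputs for the two threats of the case study; illustrative
# placeholders only, not the figures the CISO actually entered.
EXAMPLE_COMPANY = Company(turnover=75_000_000,
                          users={"high": 200, "medium": 300, "low": 500},
                          avg_daily_salary=300)
DATA_BREACH = Threat("Data Breach", market_loss_chance=0.3, market_position_value=60_000_000,
                     turnover_days_lost=5, relative_rate_of_sales=1.0,
                     workdays_lost=3, regulation_loss=3_000_000)
WEBSITE_DOWNTIME = Threat("Website downtime", market_loss_chance=0.05,
                          market_position_value=60_000_000, turnover_days_lost=10,
                          relative_rate_of_sales=0.5, workdays_lost=0, regulation_loss=0)

if __name__ == "__main__":
    for name, total in rank_threats(EXAMPLE_COMPANY, (DATA_BREACH, WEBSITE_DOWNTIME)):
        print(f"{name}: total threat loss {total:,.0f}")
    breach_total = total_threat_loss(EXAMPLE_COMPANY, DATA_BREACH)["total"]
    print(exposure(breach_total, on_prem_share=0.4, tpf_on_prem=0.6, tpf_in_cloud=0.8))
```

Because every input is a money figure or a fraction, the same function ranks both departments' threats on one scale; the breakdown returned by `total_threat_loss` is also what shows which filter (market, regulation, sales or salary) drives the figure, as the bullet above does for the case study.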

The process was done TOGETHER with the Head of Marketing & Sales, who later admitted that he was just not aware of all the risk factors that CISOs are responsible for, as well as the financial impact on the organization.

A Joint Meeting with the CFO and COO was done in which the Boardish information was shown, including “how did we get to those numbers exactly” (they shared the Boardish Wizard).

The Outcome:

The IT & Cyber Budget was approved.

The CFO and COO requested that all departments start to quantify Risk when requesting budgets going forward, because it’s ‘easier to make a decision.’

The CISO is now working more closely with the remaining departments, has much better visibility into the challenges, and furthermore has more solutions to offer the entire company.

To sum up:

Take your Risk Assessment > Quantify the Risk into Money > Achieve a Common Denominator with other departments so you can speak with all your colleagues in the same language > Present to your Board > get a decision.

Remember, you don’t have to work against other departments as a cyber professional! Boardish allows you to quantify your risks so you can clearly see the business importance and let decision-makers make a decision.

If you want to try Boardish for yourself, sign up is completely free here: https://boardish.io/

Eli Migdal – Co-Founder of Boardish
