The 8 Steps I Use To Get (Nearly) All of My IT & Cyber Budgets Approved


*This article was originally published by co-founder Eli Migdal on LinkedIn here.*

As a Cyber Security consultant, who is also the founder of two IT companies (TowerWatch Tech and Migdal Computing), I usually “get called” when there is a big issue, usually around my area of expertise, which is Data Classification, Encryption, and DLP. (Disclosure: I’m also the co-founder of Boardish.)

So I’ve proposed a lot of IT & Cyber budgets. And the truth is, I pretty much get them all approved.

I rarely fail, and on the rare occasions a budget doesn’t get passed, it’s a matter of the board taking ‘risk ownership’ which is a win in itself and not really a budget approval failure (in my eyes.)

This is not a clickbait article or a way for me to just show off, I want to share the complete steps that get me there every time. My own ‘methodology’.

Step 1 – Gather Initial Information – “Interview the company while they are interviewing you”

  1. What is the Reason / Business Logic / Catalyst for this Cyber Security Project? – Is it regulations? Is it general Intellectual Property protection? Was the company hacked? What is the “drive” to do “something” with Cyber Security?
  2. How does the company make its revenue? – What are they selling? What is its unique proposition? What is their core business? To quote Steve Zalewski from Levi Strauss & Co: “We sell Jeans! – how are you going to help me sell Jeans?” – Figure it out before you go any further.
  3. Who is the owner of this initiative/project? – Is it IT? Is it Cyber? Is it GRC? Is it you?
  4. Does this project have a “Champion” who is Board Level / C-Suite? – To put it more clearly, “is this a Board Level project” that will be pushed from the top down?

Usually, one of three things happens at this phase:

  • Option 1: You get all the info – Great! – the best option.
  • Option 2: You get some partial info and they start consulting with you regarding “what do you propose”. Great – this is also a good option, because it means they want to align themselves and take it to the next level.
  • Option 3: They start pushing back on the “questions” themselves. This is a GREAT SIGN for you to say “Thank you, it was a great call/meeting – but I suggest we end it now. Let’s stay in touch, and we can pick this up when you are ready to align with this project methodology and the way I work.”

Step 2 – Gather Specific Company Details – “Hi, I am Eli – now let’s talk about you, I want to hear all the details… “

  1. What is the Turnover of the company?
  2. How many employees are there in total?
  3. How many employees are high/medium/low impacted by technology?
  4. What are the average salaries for high/medium/low impact users? (For this you usually don’t need to ask anyone in the company, as you can just google the industry standards or use services like Glassdoor to assess the averages.)
  5. What is the speed of recovery of the company? How many years will it take the company to get back to its previous market position following a technological catastrophe? This is a GREAT question to engage all C-Suite and departments with … “how quickly can your company jump back after the mother of all data breaches?”

This data-gathering phase can go more in-depth and I shared my 5-step framework for CISOs starting in a new company here already:

Step 3 – Take The Company’s Risk Assessment Report and Translate it to Financial Figures – The board doesn’t make decisions with traffic light charts, they make decisions based on money.

  1. NIST, ISF, ISO – No matter what framework you use for risk assessment, you need to translate it into “Business Language”, aka money money money.
  2. Quantify each threat via the Boardish Methodology: how many workdays lost, how many turnover days lost, what the market position risk is, etc.

Step 4 – Make Sure The Proposed Solutions Include Full Costs (no surprises later)

A common way to create tension between IT/cyber and the board is when the board gets surprised by solution costs because labour wasn’t included when the proposal was made and approved.

So, when I create proposed solutions and budgets, I make sure I’ve included labour, to avoid the scenario where implementing and supporting a solution turns out to be more expensive in labour than the initial licensing cost.

If you need more help to do this, you can see my article below (Using Boardish – or you can make a spreadsheet and work it out yourself.)

Step 5 – Evaluate What is The Efficiency level of the Current & Proposed Solution Against the Threat – “Are they any good?”

How well do the solutions mitigate the risk that you’re being hired to solve? In MANY cases several solutions address the same threat, and the same threat arrives from different vectors. Make sure you have the full picture.

Involve the IT & Cyber teams who will have real-life stats, info from the solutions that they’ve used before, and POC on any new products.

I use the TPF (Threat Protection Factor) approach in the Boardish methodology, and before Boardish I did it manually myself, to assess how effective the solutions are against the threats.

Here is an example of a TPF in the Boardish App (Note: it has full manual control so you can set and reset based on new information and knowledge.)

Step 6 – Regulations! – Don’t forget your BEST FRIEND.

Regulations are the Best Friend of the CISO and the Cyber Consultant; they “get you the attention you need from the Board – no one ignores a fine of 4% of turnover”.

  1. Almost EVERY company I have encountered has GDPR implications. GDPR is a “Board Level Responsibility”, so it’s a great “conversation starter with the Board”.
  2. If you or your suppliers are somehow connected with medical information, HIPAA is your best friend, USE IT!

OK … we have the data gathering section complete, we are good “internally”, but are we ready to “attack the board room”?

Not yet … now, you need to get all your team onboard.

Step 7 – GET ALL YOUR TEAM ONBOARD

Make sure your staff, your team, your partners and your managers are fully aware of the “REASON” for this project. Before you go into budgets, make sure the REASON, “why we are doing this”, is clear.

This helps to reduce resistance to change which can slow or derail your project, and gets everyone excited about the changes because they see how it helps them.

This ties into an article I wrote on my experience of managing up and down the chain of command:

Step 8 – Forget all your “Techy Risks Terms” – Turn the data into business language.

It’s not just quantifying the risk into financials, it’s also terminology and how you frame your budget and proposal.

When approaching the board, focus on:

  1. What is the COST of the Threat?
  2. What is the COST breakdown? (Sales Loss, Salary Loss, Market Loss, Regulation Loss)
  3. What is the complete solution cost overall?
  4. How much financial exposure do they have left after implementing the solutions?

Be ready to run the simulation with different solutions, different efficiency levels, different threat metrics, different costs. Give the info they need LIVE!

This is a Boardish Dashboard that I use to show Boards when pitching budgets.

Usually, in my experience, if your solutions are mitigating MOST of the risk and the cost of the entire solution is less than 2% of the turnover – YOU WILL GET YOUR BUDGET approved.

Here is a 5-minute demo of how I use the Boardish App and Methodology to implement exactly what I talked about above:

Going back to my headline – I very rarely fail with this approach.

In almost all cases, I see that when you communicate your needs in a business language you will get your Budgets.

Do you think I am exaggerating? That I am a bald, stuttering, overconfident Methodology creator … well, maybe I am, but that’s beside the point … My method works! Try it yourself and see.

Boardish: http://boardish.io/

Sign up here: https://app.boardish.io/

Eli Migdal – Co-Founder – Boardish


How to Show IT Budget as a Percentage of Revenue To Communicate To Decision-Makers


Showing IT budget as a percentage of revenue helps show IT and cyber threats and solutions in a business context and, more importantly, in the setting and language of the board. This makes it easier to understand the value of IT operations and how they benefit or affect the bottom line.

When the board understands the role of IT operations in the overall revenue stream, it is more likely you will get your IT budget approved. But how can you go about showing the budget like this? 

First you need the right data

IT budget approvals require some cold hard figures for things that are not easily quantified, such as various risks. While the IT department can deal with low, medium, and high risks, these don’t make much sense to the board. 

You will need several sets of data points before you can get financial figures. 

  1. You need to know your risks – these can be determined via a risk assessment
  2. You need to know the solutions – for each risk, you must know which solution you’d like to implement so you can propose it and have it approved 
  3. You need to know the business revenue – knowing revenue figures is necessary so you can create a comparison (before the solution is implemented vs. after implementation)

You also need the right toolkit

With all the risks determined and solutions chosen, you can now use Boardish to help you quantify the threats and risks. With Boardish, you can also put numbers on the cost of the solution and present it as an average IT budget percentage of revenue. 

This way, the board can see that the IT spending is a much smaller chunk than paying the aftermath of a threat that wasn’t covered well. 

It’s a very straightforward process that doesn’t require any kind of integration with your systems or access to your data centres. It works independently – all you do is input the data it needs to give you the figures you’re after. You will need:

#1 A few details on your company

You’ll need to input things like the name of your company, number of employees, country, currency, and annual turnover.

As for employees, you will give detailed figures based on how much they rely on technology. Finally, you’ll need to give some salary information, including average salary for different categories. 

#2 Input of threats

Add all the threats that you wish to showcase. During IT budget approvals, presenting the impact of threats is what matters most. 

In this step, you will input how high the risk is, how many turnover days and how much of the sales you expect to lose, and how it affects employees.

#3 Solution input

Next, you’ll add the cost of the solution (as a one-time payment, a cost per year, or both). You’ll be able to quantify full solution costs, including experts at every stage, later in the process.

#4 The threat protection factor 

This is how successful your solutions are in handling the threats, and one of the unique elements of Boardish. Usually, you can get the factor from your initial risk assessment or your own experience. It’s completely manual in Boardish because some things, like risk, shouldn’t be left to AI. You can quantify effectiveness in both the cloud and on-prem.

#5 Expert cost 

Here you can put in all the costs associated with implementing solutions and dealing with threats. You can put in hourly rates and the number of hours you expect your IT team will need for it. 

#6 Regulation impact for each threat

Finally, you can add the risk of additional fines for breaching important security regulations such as GDPR. 

Boardish will use all of the above data points and turn them into a financial figure that you can present as a percentage of revenue to help get IT budget approvals.

Try Boardish for yourself for free up to 3 threats and solutions here: https://app.boardish.io/

Learn more about Boardish: https://www.boardish.io/


‘Leading Up & Down The Chain of Command’ As A CISO


I was listening to the audiobook “Extreme Ownership” by Jocko Willink and Leif Babin, in which they share their experience as Navy SEAL commanders and how to transfer this experience to the realm of business.

I did not know what to expect from the book. Yes, I know that many Cyber Professionals (including yours truly) love to consider themselves “warriors of cyber”, fighting against the ‘bad guys’, and so many more battle metaphors.

But still, I had no idea how much a specific part of the book would resonate with me and my experience in the cyber managerial realm. One chapter specifically (Leading up and down the chain of command) really stood out and resonated with my experience as a cyber manager.

I was shocked at the level of similarity, and more importantly, the level of clarity and pragmatic approach this book can give cyber professionals to deal with our daily ‘missions.’

CISOs and other managerial cyber professionals are currently in a challenging position in which they need to ‘lead’ both up and down the chain. They need to manage their teams, and they also need to ‘manage’ their management and decision-makers.

So, I wanted to share a real-life experience that I have encountered whilst working as a Cyber Security Consultant to share what ‘managing up and down the chain of command’ means for me.

Background:

I was brought in by the Chairman of the Board to an organization that had a strong and capable IT department, but no proper security team at the time. I was acting as a temporary CISO and project owner in a post-data-breach situation, to build a complete security methodology and team that would work together with the CTO and the IT team.

After several Board Level meetings, it was decided the entire overhaul project would be framed around GDPR compliance. The organization would adopt GDPR best practices including data encryption, DLP, a SOC team, a new DPO role (and much more), as the company was post-breach. I was acting under the ‘command’ of the chairman, the board approved the entire plan, and we officially started the project.

Challenges – Phase 1:

Following several planning sessions with the CTO and the IT team leader we understood that the company had a HUGE amount of legacy software and hardware (something I see in many companies – old computers running outdated operating systems, or an ERP system with compatibility issues.)

Newer computers running newer operating systems were a mandatory requirement to run the newest security tools, so the IT department had the huge challenge of upgrading the entire company and getting the infrastructure ready for the security tools.

The CTO and the IT Team leader understood the scope of it and said they could do it.

Challenges – Managing down the chain of command:

The replacement of Legacy IT software and hardware started and the entire IT team was working nonstop, and of course, problems started to occur:

  • The upgrade project was taking more time than initially anticipated, mostly because several “top-ranking” departments were adding more challenges to the process, e.g. ‘not allowing an upgrade to a specific department because they are working on the budget of that quarter and no one can interfere’, or ‘delaying an upgrade of specific software because they did not have time or will to train the new mid-level managers on the newer version’ etc.
  • The IT team was avoided because staff didn’t want their computer and software changed (because who likes change….?)

In a meeting I had with the team, I remember hearing sentences like:

  • The new project is taking so many resources we barely have resources to keep the day-to-day running, and this is making our users angry about our service.
  • Before this project we had it stable, we had it calm, people liked us.
  • Before this project, we had no issues with Heads of Departments and now we need to “fight” in order to get this project moving.

The IT team started to “hate the project”.

I remember stopping and asking the IT team very directly, ‘what is the purpose of this project?’

They hesitated a bit and then replied ‘to get the company GDPR compliant, that annoying regulation/compliance thing.’

And I remember that I thought to myself, this is MY ERROR, I did not communicate the big picture well enough. They were so focused on the micro tasks they were not seeing the big picture, I did not communicate it as I should have.

I sat down with the team and explained to them very clearly that we all knew the company had suffered a data breach. They were lucky and the exposure was minimal, but it could have been much worse, so bad it could have ‘killed the company.’ The Chairman of the Board got me in to make sure it would not happen again; this is my clear mandate.

The purpose of the project was to protect the company, to protect all the different departments, to protect the people, to protect their families whose livelihoods depend on the company. It was a real “fight for home”. The true purpose of the project was to protect the company so it will continue to be a home for many years to come.

I also explained that without the IT department being “all in”, we couldn’t get to the next phase of installing the security software, and without it we would not achieve a secure company.

As leaders, it’s our job and our responsibility to make sure that every person we are in charge of knows exactly what he/she is doing, and most importantly WHY. It isn’t just to “tick some regulation box”, it’s to secure the company that is a home and livelihood to most of the employees.

It’s all about communication, explaining why we do the things we do.

I also understood that my next task was to ‘manage upwards’ because the same issue was happening with the C-Suite and the heads of departments.

Challenges – Managing up the chain of command:

In the next Board meeting, I came down “hard” on several of the Department heads about them “not allowing” the work of IT.

Their feedback was very similar to the feedback of the IT team and was focused on their specific projects, their budgets, their tight schedules or goals, etc. And most of them did not understand how their behavior was actually impacting the project itself. (They honestly didn’t see the connection: “how can my department slow down this entire project? It doesn’t make sense.”)

They knew the big picture, they knew the purpose of the project but they did not fully understand the steps that were required to “get us there” and again I understood it’s my responsibility to communicate clearly WHAT we are doing, and WHY.

So, I sat down with the CFO, the IT team leader and the IT department and showed all the different steps in the checklist for installing ONE new computer: getting it set up with all the required software, etc., all of this while keeping the user working on a temporary terminal.

I will never forget what the CFO said … “Wow – you do this WITH EVERY SINGLE USER?” and the Team leader said “of course – we need to make sure all works 100% before we hand it over.”

I used this opportunity to remind the CFO that all of this, all of this “hassle” is to keep the company secure. The same goal, exactly the same goal I explained to the IT team, the same goal that the Chairman of the Board told us to execute.

And following that, I requested (demanded) several things:

  1. No department will slow down the project no matter what.
  2. If there is a critical need for a “unique” scenario, the CFO will provide an additional budget for additional IT resources so upgrades can be done during nights or weekends.

The Bottom line – no one is too “special” to bypass our timeline. If more time is required – we “Buy it”!

The CFO agreed and during the project, additional budget resources were supplied and an external company was used to help with the new software installation, mostly during weekends, making sure there was zero impact on employees.

The ROI for the CFO was clear; all he needed was an understanding of “what is happening and why”.

In my role as the temporary CISO / Project owner, I needed to constantly make sure that I was ensuring clear communication and expectations between the team I was managing and my “management”.

All must be aligned to the same goal and it was my responsibility to keep them aligned.

My experience has shown me that if you communicate clearly, make it goal-oriented, remove ego and be pragmatic, you will get both teams on your side.

The project was a big success and the company itself is a showcase for technological methodologies like “full encryption for non-structured information” and a global SOC team that mitigates most incidents before they have any serious impacts.

Plus, IT and the new Cyber team are working together better than ever, both being able to get budget requirements from the board by communicating clearly their needs, the main goal, the steps to getting there and, most importantly, “what the exact expectations of IT and Cyber from the Board are”.

Bringing it all together

Ultimately, when a CISO takes responsibility for a project, task, risk, or anything else, there needs to be a very clear definition of WHAT THEY ARE RESPONSIBLE FOR and WHAT THE END GOAL IS.

And this needs to happen at board/decision-maker level before approval. Because ultimately, a CISO needs to be able to manage up, down (and sideways) to take ownership of challenges and correct issues as they arise. This can’t be done without very clear and explicit understanding.

In this instance I was able (and was given the authority) to ‘sit down’ members of senior management and ‘demand’ from the C-suite, because there was clear quantification before I took the project on. I knew exactly what the end goal was, and it was my responsibility to communicate effectively to make it happen. But without this clear ownership, there would have been delays, and potentially the abandonment of the project, when resistance was met.

You’ll always get resistance (people hate change even for their own good), but with the right ownership, you can be empowered to forge ahead and lead up and down the chain of command!

Eli Migdal – Co-Founder – Boardish


How to Quantify Cyber Threats as a CISO in 2020


The recently released Internet Organised Crime Threat Assessment (IOCTA) for 2019 by Europol shows that the threat landscape has matured, and key threats have grown in persistence and tenacity. 

The report confirms that the destructive ransomware threat remains high. Phishing, spear-phishing, and vulnerable remote desktop protocols have been identified as the primary infection vectors.

Such a threat landscape requires continuous effort to identify the main cyber threats to the organization and how much damage they can do.

CISOs need to be prepared for 2020 and coordinate their security efforts with the board and their company goals. 

Communicating cyber threats in the board’s language—exact figures and business impact—requires a way to quantify these threats. 

To quantify these cyber threats, CISOs require greater access to the organization’s key financial data and other indicators.   

#1 Identifying the biggest threats and their financial impact on the company 

Identification of the largest cyber threats seems to be the biggest hurdle in presenting cyber risk and exposure, mainly due to the fragmentation of digital solutions in organizations.

According to Deloitte’s Future of Cyber Survey, 41% of CISOs state that Shadow IT presents the most challenging aspect of cybersecurity management in the organization, followed closely by 37% of CISOs stating that cyber transformation presents a large challenge.

Shadow IT makes it challenging to quantify cyber risk, as there is no overview of all systems. This makes it next to impossible to get a good snapshot of organizational cyber maturity or security posture. 

When the departments integrate digital solutions on their own, there is no alignment of IT with critical business goals. 

How does it relate to quantifying cyber threats? 

The board requires a good overview of the maximum potential threat so they can make the right risk assessments. Getting Shadow IT under control is the primary objective in order to be able to deliver such assessments.

Simply saying the largest cyber risk (such as data leakage or breach) will cost the company millions, destroy it, or have far-reaching consequences is not enough anymore. 

How much would the cyber incident cost if left as is? 

How much would your solution cost? 

How much exposure would remain after implementing the solution? 

Would your solution be a sound decision, from a financial standpoint?

Speak in actual numbers that affect the company, not industry averages.


#2 Getting access to the company turnover figures

Back in the day, CTOs and sysadmins, as they were called in smaller companies, had nothing to do with turnover figures or any type of financial statements outside of the realm of IT. Times have changed, and nowadays, cybersecurity is an integral part of every company. 

With digital systems running in every department, the CISO requires a full overview of each of them to devise a data and information security strategy that will minimise risk and make the organisation more resilient to threats. 

How does it relate to quantifying cyber threats? 

Nowadays, CISOs must have access to company turnover figures in order to be able to quantify risk in terms that the board will understand. If the board wants to talk about cyber threat risk figures, you must show them how cyber threats will affect the organisation’s turnover. 

The profit/loss reports would give better insight, but these are impossible to get if you’re not in a directorial position. Instead, focus on getting company turnover numbers to build your case.


#3 Presenting the impact of technology issues on employees 

To get a clearer picture of how a cybersecurity incident will affect employees, it’s best to separate users as high, medium, and low impact. 

Technology issues won’t affect all users in the company in the same manner. 

Some will experience only mild inconveniences but be able to continue working. 

Some won’t be affected at all.

Some, however, won’t be able to do a single thing until the issue is resolved. 

How does this relate to quantifying cyber threats? 

Quantifying the impact of cyber risk depends heavily on how your operations will take a blow. When you have a clear picture of how dependent your users are on technology, you will be able to calculate the impact. 

If users can’t do their job at all—high impact users—it means their operations are standing still, which makes the risk and its cost greater. 

If users aren’t that affected, the cost will be lower too.


#4 Presenting the financial impact of “downtime” on the company’s salaries 

The number of high, medium, and low impact users determines more than just the extent of the impact. It also shows how much downtime will cost in terms of salaries: how much it will cost the organization that these employees won’t be able to work.

How does this relate to quantifying cyber threats? 

Even if employees can’t work because of the security incident that needs to be resolved, they will still get their salary for the day. How much will this add to the total cost of the security incident? 

You don’t need exact figures for every employee, of course, but having an idea of salary averages will help you determine this cost.

To get some idea on salary figures, ask the CFO or somebody in the financial department. You might even want to use external resources that can give you averages, such as Glassdoor.


#5 Determining the financial impact of “downtime” on the company’s sales 

Most of the time, cybersecurity incidents have the greatest impact on company sales, since the sales processes are heavily dependent on technology. Your e-commerce stores won’t bring you any sales if the servers are under attack or if payment processing is down. 

How does this relate to quantifying cyber threats? 

While sales aren’t your responsibility, the impact of cyber threats on sales falls within your role. CISOs have the responsibility to communicate the impact of cyber threats on sales and present the costs of worst-case scenarios. 

How many turnover days will the company lose in case of threat X? 

Within each lost turnover day, what percentage of sales will go down the drain?

What is the chance of losing market positioning in case of threat X?

To provide relevant numbers, you must involve the Sales team, and any other team related to sales, so they can give you the required information on how market positioning and sales will be affected in worst-case scenarios.

What is the financial impact of IT regulations? 

Information and data are top targets of cyberattacks, and all companies are under strict regulations on how to protect them, no matter what industry you are in.

Take GDPR as an example: the regulation lists extremely high fines for companies that do not take the necessary measures when it comes to personally identifiable information (PII).

How does this relate to quantifying cyber threats? 

CISOs must quantify the impact of all regulations pertaining to the company in worst-case scenarios. The GDPR, for example, has extremely high fines. In case of a data breach, the company might face a fine of 20 million euros or 4% of its annual revenue, whichever is greater, and this must be included in the potential financial impact of cyber threats.

Most companies won’t stand a chance of recovery from such high fines.


What is the efficiency of my solutions against the biggest cyber threats? 

After presenting cyber threats that are most likely to affect the company, CISOs must also present the solution. To sell the solution, you must quantify them too—their immediate and annual costs, in comparison to the costs of the threat they are solving. 

In addition, there is also the efficiency factor of the solution—how much of the risk will it mitigate, and how much exposure would remain? 

The efficiency of the solution depends on the threat type and environment. Is it on-prem? Is it in the cloud?

There are very few scenarios where a cyber solution will have 100% efficiency, so decision-makers need to see the exposure left and weigh up the risk factor themselves.

How does this relate to quantifying cyber threats? 

The reason why CISOs must quantify cyber threats is to put the costs in perspective when compared to the costs of efficient solutions. 

Solution efficiency and cost help them justify investments that will improve the company’s resilience and overall security posture. 

It is likely that CISOs will have more than one solution for mitigating the biggest threats, with each of them having a different efficiency depending on the environment.

Showing the summed-up costs of solutions versus the cost of a security incident without solutions will help the board understand just how much a security incident can set the company back.
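To make the arithmetic behind this article concrete (and behind Step 8 of the budgeting article earlier on this page, with its four cost buckets: Sales Loss, Salary Loss, Market Loss, Regulation Loss, the remaining exposure after a solution's Threat Protection Factor, and the "under 2% of turnover" rule of thumb), here is an added worked example in Python. It is not Boardish's code or its actual formula. The company figures, the productivity-loss factor per user impact class, the threat parameters and the TPF are constructed assumptions; the only rule taken from the text is the GDPR worst case of 20 million euros or 4% of annual turnover, whichever is greater.

```python
"""Simplified threat-quantification model (added example; not Boardish's own formula)."""
from dataclasses import dataclass, field

# Share of a user's output lost while technology is down, per impact class.
# Constructed assumption: high-impact users stop completely, medium lose half,
# low-impact users lose a tenth.
PRODUCTIVITY_LOSS = {"high": 1.0, "medium": 0.5, "low": 0.1}

# GDPR maximum fine as stated in the article: EUR 20 million or 4% of annual
# turnover, whichever is greater.
GDPR_FIXED_CAP = 20_000_000.0
GDPR_TURNOVER_SHARE = 0.04

# Rule of thumb from the budgeting article: entire solution cost under 2% of turnover.
BUDGET_SHARE_OF_TURNOVER = 0.02


@dataclass
class Company:
    annual_turnover: float
    working_days: int = 250
    # impact class -> (headcount, average annual salary)
    staff: dict = field(default_factory=dict)


@dataclass
class Threat:
    name: str
    workdays_lost: float          # days during which staff cannot work normally
    turnover_days_lost: float     # days during which sales are disrupted
    sales_loss_share: float       # share of each disrupted day's sales that is lost (0..1)
    market_position_loss: float   # estimated longer-term revenue loss, absolute
    gdpr_in_scope: bool = False   # does the incident expose personal data?


def salary_loss(company: Company, threat: Threat) -> float:
    """Salaries still paid while employees cannot work (the 'downtime on salaries' step)."""
    daily = 0.0
    for impact, (headcount, annual_salary) in company.staff.items():
        daily += headcount * annual_salary / company.working_days * PRODUCTIVITY_LOSS[impact]
    return daily * threat.workdays_lost


def sales_loss(company: Company, threat: Threat) -> float:
    """Turnover lost on the disrupted days (the 'downtime on sales' step)."""
    daily_turnover = company.annual_turnover / company.working_days
    return daily_turnover * threat.turnover_days_lost * threat.sales_loss_share


def regulation_loss(company: Company, threat: Threat) -> float:
    """Worst-case GDPR fine; zero when no personal data is involved."""
    if not threat.gdpr_in_scope:
        return 0.0
    return max(GDPR_FIXED_CAP, GDPR_TURNOVER_SHARE * company.annual_turnover)


def threat_cost(company: Company, threat: Threat) -> dict:
    """Cost breakdown in the four buckets the board is shown, plus the total."""
    parts = {
        "sales_loss": sales_loss(company, threat),
        "salary_loss": salary_loss(company, threat),
        "market_loss": threat.market_position_loss,
        "regulation_loss": regulation_loss(company, threat),
    }
    parts["total"] = sum(parts.values())
    return parts


def residual_exposure(total_cost: float, tpf: float) -> float:
    """Exposure left after a solution with threat protection factor tpf (0..1)."""
    if not 0.0 <= tpf <= 1.0:
        raise ValueError("TPF must be between 0 and 1")
    return total_cost * (1.0 - tpf)


def board_summary(company: Company, threat: Threat, tpf: float, solution_cost: float) -> dict:
    """The figures the board is asked for, for one threat/solution pair."""
    cost = threat_cost(company, threat)
    residual = residual_exposure(cost["total"], tpf)
    return {
        "threat": threat.name,
        "threat_cost": cost,
        "solution_cost": solution_cost,
        "residual_exposure": residual,
        "exposure_removed": cost["total"] - residual,
        "solution_share_of_turnover": solution_cost / company.annual_turnover,
        "within_budget_rule": solution_cost <= BUDGET_SHARE_OF_TURNOVER * company.annual_turnover,
    }


# Constructed sample company and threat (illustrative figures, not real ones).
SAMPLE_COMPANY = Company(
    annual_turnover=100_000_000.0,
    staff={"high": (200, 50_000.0), "medium": (500, 40_000.0), "low": (300, 30_000.0)},
)
SAMPLE_THREAT = Threat(
    name="ransomware outage",
    workdays_lost=10, turnover_days_lost=5, sales_loss_share=0.8,
    market_position_loss=2_000_000.0, gdpr_in_scope=True,
)

if __name__ == "__main__":
    summary = board_summary(SAMPLE_COMPANY, SAMPLE_THREAT, tpf=0.9, solution_cost=1_500_000.0)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

With the sample figures the regulation bucket dominates (the fixed 20 million cap exceeds 4% of a 100 million turnover), which is exactly the point the article makes about regulations getting the board's attention; changing `annual_turnover` to a billion flips the rule to the 4% branch. Because the TPF is applied to the total, the model also shows why a board wants to see residual exposure rather than a "solved" tick: at a TPF of 0.9 the sample threat still leaves about 2.4 million on the table.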


Conclusion: 

For 2020, CISOs must answer critical business questions clearly and speak in exact figures. They must quantify cyber threats and present solutions in terms of how they help maintain critical business strategy and operations. 

With Boardish – boardish.io – CISOs will have access to a tool that helps them quantify cyber threats quickly, without having to deploy anything on-premise or grant access to their systems. 

CISOs must work together with all departments and get all relevant information to present real threats in real numbers. 

Boardish can help them create a snapshot of their company and help them run scenarios of different threats and their financial and market impact. 

Let 2020 be the year of real numbers!


How to Quantify The ACTUAL Cyber Solution Cost For Your IT & Cyber Budget


In many cases, the pricing of cyber security solutions is not clear in the budget, or even worse, it is not an accurate representation of the real cost to the business! Which usually makes your C-Suite (particularly the CFO) extremely unhappy.

But it is our job as cyber security professionals to get to the most precise overall yearly cost of each solution.

We must quantify in order to get approval.

In this article, I am going to use the Microsoft E5 package as an example. It’s

  1. $35 per user monthly
  2. $420 Annually per user
  3. And for our example, we will assume the company has 1000 users.

Therefore the Annual cost of Microsoft E5 for 1000 users is: $420,000

But can you really say to your C-Suite that the Microsoft E5 Solution will cost the company only $420,000?

No! It is not the “REAL” price.

So, what is missing and how do we get to the real/full price?

What is most commonly forgotten is the ‘people power’ for implementing these solutions. So, you need to quantify the hourly rates for both internal employees and external consultants:

  1. Cyber Security Expert (CISO or Equivalent) – mostly for the solution design and architecture.
  2. IT Management Expert – for the IT system design requirements
  3. 3rd Level IT Expert – For Implementation and High-Level Support
  4. 2nd Level IT Expert – Support
  5. 1st Level IT Expert – Support

* Screenshot from the BOARDISH application

With the rates set you’ll need to look at:

  1. How Many Hours annually are required to Design the solution architecture?
  2. How Many Hours annually are required to Deploy the Solution?
  3. How Many hours annually are required to Support the solution in the POC and POV stages?
  4. How Many hours annually are required to Support the solution after moving to production (Day To Day)?

* Screenshot from the BOARDISH application

After you have quantified the initial design cost and the ongoing maintenance cost, then, and only then, will you start to see the real cost of the solution.

Also, it’s important to remember that the amount of “Expert time” depends very much on the ability of your IT & Cyber team and how quickly they can learn. In many cases, the learning time of a new tool can surpass the amount of time to implement it, which can make it even more expensive.
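To make the “real price” computation above repeatable, here is a small Python total-cost model written for this article (an added example, not Boardish code). The licence figures are the article’s E5 numbers and the roles match the list above, while the hourly rates and the hours per stage are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    hourly_rate: float  # fully loaded rate, internal employee or external consultant


@dataclass(frozen=True)
class Effort:
    """Hours one role spends on one stage of the solution's life cycle."""
    role: Role
    stage: str  # design, deploy, poc_pov, production, or learning
    hours: float


@dataclass
class SolutionCost:
    name: str
    licence_per_user_month: float
    users: int
    efforts: list = field(default_factory=list)

    def licence_cost(self) -> float:
        """The 'sticker price' that most budgets stop at."""
        return self.licence_per_user_month * 12 * self.users

    def expert_cost_by_stage(self) -> dict:
        """Annual people cost per stage. 'learning' is the ramp-up time that is
        easy to forget and, as the article notes, can exceed implementation time."""
        by_stage: dict = {}
        for e in self.efforts:
            by_stage[e.stage] = by_stage.get(e.stage, 0.0) + e.role.hourly_rate * e.hours
        return by_stage

    def expert_cost(self) -> float:
        return sum(self.expert_cost_by_stage().values())

    def total_cost(self) -> float:
        """What to present to the C-suite: licences plus every hour behind them."""
        return self.licence_cost() + self.expert_cost()


# Roles and hourly rates (constructed figures, not from the article)
CISO = Role("Cyber Security Expert (CISO)", 250.0)
IT_MGMT = Role("IT Management Expert", 180.0)
L3 = Role("3rd Level IT Expert", 120.0)
L2 = Role("2nd Level IT Expert", 80.0)
L1 = Role("1st Level IT Expert", 50.0)


def e5_example() -> SolutionCost:
    """Microsoft E5 scenario from the article: $35/user/month, 1000 users.
    The hour counts per stage are constructed for illustration."""
    return SolutionCost(
        name="Microsoft E5",
        licence_per_user_month=35.0,
        users=1000,
        efforts=[
            Effort(CISO, "design", 80),       # solution design and architecture
            Effort(IT_MGMT, "design", 60),    # IT system design requirements
            Effort(L3, "deploy", 200),        # implementation
            Effort(L3, "poc_pov", 80),        # high-level support during POC / POV
            Effort(L2, "poc_pov", 120),
            Effort(L2, "production", 300),    # day-to-day support after go-live
            Effort(L1, "production", 600),
            Effort(L3, "learning", 250),      # time to learn the new tool
            Effort(L2, "learning", 200),
        ],
    )


if __name__ == "__main__":
    sol = e5_example()
    print(f"{sol.name}: licences ${sol.licence_cost():,.0f}")
    for stage, cost in sol.expert_cost_by_stage().items():
        print(f"  {stage:<11} ${cost:,.0f}")
    print(f"  total       ${sol.total_cost():,.0f} "
          f"({sol.total_cost() / sol.licence_cost():.2f}x the licence price)")
```

With these constructed hours the learning line alone ($46,000) is larger than deployment ($24,000), and the full yearly figure comes to $594,000 rather than the $420,000 licence price.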

Once you have the solution cost, we highly recommend showing it as part of your Cyber Security ROI (Return on Investment); based on our experience, it increased the chances of getting your solution cost approved by the C-Suite by 71%!

In this article below we show you exactly how to do that!

How to show ROI for Cyber Security

Eli Migdal – Co-Founder of Boardish.


What To Do When Your IT & Cyber Risk Assessment Priorities Don’t Align With Another Department (A Case Study)


Doing a Risk Assessment process is one of the critical things that we, as Cyber Security professionals, need to do in order to gain much-needed visibility into the business.

The initial purpose is usually to map the biggest IT & Cyber threats in the company and build a plan for how to mitigate them.

But what do you do when the Risk Assessment does not align with another department?

Sometimes IT & Cyber’s highest priority can be lower than the priority of another department.

(Something that we don’t always want to hear as cyber professionals!)

I want to share an experience from our BOARDISH ecosystem in which a CISO and a Risk Consultant found themselves in exactly this scenario and were able to resolve it quickly and effectively:

Background Info:

  • Large scale, international eyewear manufacturer.
  • More than 50% of the sales are done online via Ecommerce sites
  • Large database of globally located customer information which includes:
  • Relatively high (when compared to competitors) Cost of Customer Acquisition (CAC)
  • The company did NOT have any large scale Data Breaches
  • The company DID have several website downtime incidents

The Challenge – Part 1 :

The CISO and the Risk Consultant arrived at the conclusion that a Data Breach is the highest-ranking Risk for the company.

The logic for the decision, following a NIST-based Risk Assessment (a version adjusted for the European market), was:

  • The large database of customers, which includes European customers and is therefore highly impacted by GDPR.
  • High customer acquisition cost (CAC) which makes the customer database very lucrative for competitors.
  • Lack of high-quality cybersecurity tools/infrastructure, specifically a lack of encryption for unstructured information.

The Challenge – Part 2:

When presenting the Risk Assessment to the C-Suite (the meeting was led by the CFO and COO) and requesting budget for the mitigation process, a hard pushback came from the Marketing & Sales Department regarding the CISO’s Risk Assessment.

The Head of Marketing & Sales said very clearly that they don’t agree with the CISO’s Risk Assessment: “The website suffering from downtime should be the highest priority for IT & Cyber to fix”

The Head of Marketing & Sales was pushing hard that any new budgets should be allocated to increasing the strength of the website, making it more robust to reduce the risk of “downtime”, because of the key role it plays in acquiring customers, which has a direct impact on sales.

Both CISO and Head of Marketing & Sales used “Risk Scores”, “Risk Priorities” , “Risk Matrix” – everything was discussed in “Risk Language”, each advocating for their own “side”.

The Challenge – Part 3 (From the perspective of the Board / C-Suite):

Imagine yourself being in the decision-maker’s shoes:

  • You have your CISO and Risk Consultant advocating for budget allocation for “Data Breach”, being the highest risk, so the budget should go to protection tools against that threat.
  • You have your Head of Marketing & Sales advocating that the website being down is the highest risk and all the budget should go to making the site more robust.

But Risk Scores, Risk Priorities, and Risk Matrices are all subjective! When you measure the risk of website downtime to marketing, it’s a high risk to their function, but is it high to the company? Does a high risk of data breach really impact the company in the industry they operate in, and is that impact higher than the website being down?

These are all questions that couldn’t be answered with the data given, so the CFO requested a more detailed report from both parties because making an educated, smart decision in that phase was near impossible.

So, what does this look like?

The Solution:

The CISO understood that it isn’t the smart move to start “arguing” with the Head of Marketing & Sales and the smart and professional move is to sit down with him and understand his entire Risk Assessment process.

The CISO saw that from the Marketing & Sales perspective the website being down is the “worst-case scenario”, but also saw that Marketing & Sales were not really aware of MOST of the risks that the CISO is responsible for.

It was clear that the Risk Assessment results required a common denominator, so both decided to translate their Risk Assessments into financial figures: translating risk into money.

For both sides to understand which risk is really the most dangerous for the business, they needed to translate risk into financial figures (risk into money), a common denominator that wasn’t subjective.

They used the BOARDISH Methodology to quantify the main threats:

  • Data Breach
  • Website downtime

For each threat, they entered the following information together, with full transparency:

  • What is the “Chance of losing the market position” from the specific threat – including reputational loss, branding etc?
  • How many Turnover days will be lost from each threat?
  • How many Workdays will be lost from each threat?
  • What is the regulation impact, financially from each threat?

All the information was fed into the Boardish system with the company information ( like Turnover, number of employees etc.) and the results were crystal clear:

Data Breach had 2.5X the financial impact on the business compared to Website Downtime.

  • The main reasons for the high figure were Market Loss and Regulations, while “Downtime” only impacted specific Sales, limited branding and reputation, and a slight temporary increase in CAC.

The process was done TOGETHER with the Head of Marketing & Sales, who later admitted that he was just not aware of all the risk factors that CISOs are responsible for, nor of their financial impact on the organization.

A joint meeting with the CFO and COO was held in which the Boardish information was shown, including “how did we get to those numbers exactly” (they shared the Boardish Wizard).

The Outcome:

The IT & Cyber Budget was approved.

The CFO and COO requested that all departments start to quantify Risk when requesting Budgets going forward, because it’s ‘easier to make a decision.’

The CISO is now working more closely with the remaining departments, has much better visibility into their challenges and, furthermore, has more solutions to offer the entire company.

To sum up:

Take your Risk Assessment > Quantify the Risk into Money > Achieve a Common Denominator with other departments so you can speak with all your colleagues in the same language > Present to your Board > get a decision.

Remember, you don’t have to work against other departments as a cyber professional! Boardish allows you to quantify your risks so you can clearly see the business importance and let decision-makers make a decision.

If you want to try Boardish for yourself, sign up is completely free here: https://boardish.io/

Eli Migdal – Co Founder of Boardish


The 5-Step Framework For CISOs Starting in a New Company (If you want to stay longer than 6-12 months)


To start with, here’s some background about me and why I consider myself to be in a position to suggest these steps. And as a word of warning, I will do it the “CISO” way, no “background sales noise” but straightforward and to the point:

  1. I’ve been working in IT for over 15 years, 8 of them in Cyber.
  2. I’ve created successful companies and products for both IT and Cyber
  3. I’ve acted as a vCISO, Cyber Consultant, and auditor for over 50 organizations globally. From Micro to Enterprise (From 5 employees to Global Banks) business.
  4. I’m the co-founder and creator of Boardish which is a specific CISO “Risk To Financial figures” tool to help the connection between the CISO and Board.
  5. I listen a lot to David Spark and other amazing professionals in the industry who know their stuff. I don’t think the CISO world starts and ends with me! 🙂

Why does all this matter?

As a vCISO and a consultant I usually need to achieve results very quickly, even in some cases within a month. So I built a methodology to “speed things up” – it’s either you sink or swim in our profession, so these are my 5 recommended steps:

Step 1: Get / Request / Demand! Clear expectations regarding “Why you are there”

Most of the CISOs I meet tell me that one of the hardest things they encounter is the “lack of clarity” about their role and the expectations from the business.

As a result, authority is unclear and it is difficult to make any actionable changes. That’s one of the reasons (in my experience) why CISO roles have such a high staff turnover rate.

I suggest that the first step is having a meeting with the C-SUITE and asking them VERY clearly “What are you expecting from me + what are my goals from the perspective of the business”

I have encountered the following scenarios for “why we need a CISO”; I am sure you have encountered MANY others:

  1. Make the company more secure after a breach (usually the most common one for CISOs)
  2. Protect the company against regulation and compliance fines
  3. We “Need” a CISO “in place” DUE to regulation and compliance – This is often the hardest for a CISO because it doesn’t mean “Anything” regarding goals. You then have to set your own criteria and clarify.
  4. To make a product/software (sometimes it’s the Product and not the company) more secure (usually software companies).

In each scenario, you need to make sure that your success criteria are crystal clear, for example :

  1. Reducing the risk of a Data breach by 50%
  2. Increase our overall security posture by 30%
  3. Reduce our recovery time from a cyber incident by 30%

YES – they are hard to quantify but this is part of our job and I will discuss it in the next steps.

In many cases, you will need to set your own performance criteria because your C-SUITE / Board won’t have any for your role, I always like to use the “For every year we kept the company safe without a major incident I get 10 “Victory Points” and for each major incident minus 30 “Breach points” gamification.

This approach shows decision-makers the “long game” and makes them appreciate every year without a breach, and YES – you need to reach that 3 years mark to be relatively “safe”.

Ultimately, if you don’t quantify – you leave yourself vulnerable as a scapegoat. “The CISO got fired after a single phishing incident” rather than, our CISO has kept our organization incident-free for over 8 years so they are too valuable to get rid of.

Step 2: Get to know all the other risk owners and gain visibility to what they do and how it impacts the business, AKA “Know thy business”

Usually, Step 1 or Step 2 is Risk Assessment, BUT – how can we assess something we do not understand yet?

We need to understand what function or several functions really drive the business, which functions are the main catalyst, is it R&D or Sales or is it Marketing?

You need to see the entire company FLOW, and you may be surprised, but the flow will look a bit different depending on whom you ask.

It’s our Job to “attach” all the different pieces or perspectives into one and then link it with the “expectations” section of ” part 1″

This step will also allow you to avoid a common mistake which is not seeing/figuring out who “is really” the department that carries more decision power.

(CISO’s – We have all been there: a great plan, great solutions but … it doesn’t meet EXACTLY what department X wants and so the CEO dismisses it… don’t go there … )

If you are awoken at 2 AM at night and asked “which is the department that you need to ‘sell’ first to get all the rest in line”, you need to be able to answer without thinking – that’s true visibility into the flow of the company.

Step 3: Build a Risk Assessment plan + Attach an OWNER TO EACH RISK

I won’t go deep in the micro of “how to do a risk assessment plan” but here are several important tips:

  1. Get as many people from different departments, power users, or ambassadors and involve them in the process! In most cases they can see risk in places which you still can’t (because you are new to the organization).
  2. Use tools – there are some great CISO tools for Risk Assessments which use all the relevant frameworks like NIST, FAIR, and more. USE TECHNOLOGY to streamline the process. I am still a bit confused when I see CISOs using “Excel”; we are “the Tech Gods!”, the ambassadors of “making tech more efficient for the process”. Lead by example and save yourself time and errors.
  3. When assigning risk scores – make sure that most ( it’s not usually all ) of the people involved will agree, or at least won’t argue against your assessment. If you value something as low risk and most of the participants consider it to be high risk, you need to do the deeper due diligence. I usually use Risk Assessment on Risk Assessment, if the Risk is not certain – this is a risk by itself so I “increase it up a level”.
  4. Risk Ownership – Each risk NEEDS to have an owner. In some cases, it’s more obvious like with a DPO or CCO, in other cases you as the CISO will be the risk owner. But something to be aware of is that in my experience other departments will try to “reduce” / “Manipulate” the risk. e.g. “Protecting the website from SQL Injections is not really the Marketing / Sales departments’ issue even though 100% of sales are done via the site” You need to be very assertive in nominating Risk Owners if the people nominated don’t agree with your nomination – then Risk can be transferred.

(I’ll discuss this in the next steps. Hint: it’s either you have skin in the game or you don’t have a say regarding the Budget! )

Step 4: Build a mitigation plan and Quantify it to actual financial numbers! 


What is the point of a risk assessment plan if you don’t have a plan to mitigate those risks? In order to mitigate those risks you need MONEY and resources! (People / Tools / Both)

  1. Quantify the Threats! – Translate / Convert / Quantify the Threat from “Risk Scores” to the financial impact. In the above example: SQL Injection is a High probability and High Impact? – Great but what does it really say to the other department heads and C-SUITE? Not a lot. Instead, saying, for example, an SQL Injection has a Threat impact of $50.5 Million on your organization, suddenly they will listen.
  2. Quantify the Solution – How much will it cost? Both the one-time purchases, maintenance, human resources required – everything … a proper “total cost”.
  3. Show in MONEY what is the remaining exposure if your proposed plan is implemented.
  4. Show decision-makers your Risk Assessment plan and your mitigation plan – combined, don’t waste their time on Risk Scores – come with decision-making information and plans

I created a tool to do EXACTLY this – www.boardish.io ( last promotion in the article I promise )

Step 5: Negotiate Risk Owner VS the budget for your Mitigation plan

Remember step 1? – you are usually put in the organization to make it more secure, and making it more secure costs money.

Some departments / C-Suites / Boards will push back and say “it’s too much, we are not responsible for this, it needs to come from IT and not from our department and so on”

Yes you need to be cost-efficient but you also need to be very strict with your professional assessment, for example:

  1. You need $250K to fix the biggest issue which is “Data Breach” for the specific company.
  2. Your Board / decision-makers say “No” (it’s too expensive or any other reason)
  3. You say “Ok” – BUT – when you’ve said “No” you become the owner of that Risk, and not me, the CISO. So when a data breach occurs, it’s crystal clear that I planned how to mitigate it (you brought me in to do exactly this) and you said no. You can’t force them to say yes to your proposal, but you can be very clear on risk ownership and that ‘no’ means they own the risk now.

I already hear you saying “BUT – Eli you are not being realistic – they don’t listen to us … and many more excuses.”

Yes – Being a CISO is a VERY HARD JOB, you need to be both professional and to have highly evolved people skills to be able to cope with big changes. A CISO is a much more managerial role than “techy” in my view.

But remember that if you “cave” and accept a “No” and you own the risk – it’s just a matter of time that this risk will happen (Data Breach) and you will be at fault. It’s your risk and you did not fight hard enough to get your budget approved.

CISOs are in new waters, deep waters, waters with different tides and the occasional tsunami, so it’s time to sink or swim. 

Eli Migdal


Rebuilding Your IT Budget After COVID-19


The COVID-19 pandemic shows just how hard it is to prepare for major business disruptions. Nobody expected a global pandemic to throw off so many businesses and many have not properly quantified the risks of being affected long-term in such an event.  

Lots of businesses have had very little time to prepare for the impact, with business continuity plans not including the scenario. Crisis management now revolves around abandoning budgets completely and cutting expenses wherever possible just to try to stay afloat.

Unfortunately, this means that every expenditure and every budget from major functions are being scrutinized, cut down, or removed completely.

Moving away from reacting

This approach is to be expected as businesses have had no other choice but to go for what many would describe as a knee-jerk reaction to COVID-19.

But now, in the middle of the crisis, businesses need to make time to move away from the reactive approach and work on long-term pandemic mitigation strategies if they want to stay viable.

Pivoting quickly is the name of the game and that includes reevaluating expenditures, impact, and short or long-term goals amidst this novel crisis.

Getting the priorities straight

The number one priority is to keep the business viable. For most, this means accelerating the digital transformation, enabling employees to work from home and offering services online.

As an IT and cyber professional, you’ll need a way to show the board the impact the COVID-19 crisis has on business technology, how it affects employees, the impact of downtime, new regulations, and how your solutions can help mitigate negative effects.

You need a way to make it abundantly clear what parts of the IT budget are needed for keeping all essential services and functions and making a move towards digitization and business functions.

For all of this to be justifiable in times when boards have taken a cutthroat stance towards most expenditures, you need to quantify every single IT expense right now.

Remember, the board is now looking to take away anything they deem unnecessary, so don’t go for any type of “nice to have” things in the IT budget – you need to rebuild the budget according to the current crisis and make a good case for the crucial “staying in business” expenses right now.

Boardish helps you rebuild your IT budget

As a tool that can quantify different cyber and technological events and regulatory changes, Boardish helps you present what really matters to the board right now – solutions that will keep the business running throughout the crisis and which options will mitigate the impact on the business the most.

With most employees staying home, the business will need a robust platform that will enable them to connect from home and work efficiently, but at the same time mitigate any risk of cyberattacks when connecting this way.

Maybe the organization is not ready to implement such a system now, but the alternative – not working for a while – is actually worse than they think, or is it? You can quantify whether it’s better to ‘hibernate’ or ‘push forward’ using financial figures.

With Boardish, you can show the board the impact on the bottom line in case employees can’t work from home at all, versus working from home with different platforms and solutions that can help keep the operations running.

While implementation in the middle of the crisis sounds like something the board would never agree to, with the numbers for your specific business to back you up, you can show them that stopping operations or even letting people go will cost them more in the long run and can make recovery harder after the crisis is over.

With real figures to back you up, you’ll be able to make a solid case in front of the board and ensure your IT budget can support the business and operations through these uncertain times.

Boardish started as and always will be an IT budgeting tool that helps gain immediate clarity. Rebuilding the budget is much easier when you can quantify everything and speak in financial figures instead of just labelling risk as low, mid or high.


Start Rebuilding Today

We’re well aware that right now you can’t invest in anything that’s not considered absolutely crucial to keeping the business running.

Because of that, you can use all of the Boardish features for free for the next 2 months during the COVID-19 pandemic, in order to get the clarity you need.

It’s time to put these new risks into actual numbers and bridge that communications gap with the board.


Which is a bigger risk? Ransomware or lack of IT & Cyber Human Resources (and how to quantify to BOD)


This article was written by our Founder and originally published on Linkedin here


During my consulting sessions on cyber security, I see a recurring theme. There’s usually a skilled team with great ideas and capabilities.

But not enough human resources to execute it.

A CTO or CIO will usually have most of their team already engaged in dozens of IT and Cyber projects. Even the most basic exercises like vulnerability assessments can get delayed just because there are not sufficient team members (or financial resources to use suppliers.)

You may think that if the company has the resources to appoint a CISO, that the CISO will then have sufficient resources, and enough people… think again 🙂

In many cases, the CISO’s team is already caught in several projects as well and entire security teams are not able to perform their required roles.

In this phase, I usually recommend “requesting decision-makers” for more resources, more people or more money so you can use an external company.

Also in this phase, I see how hard it is for the Manager to ask for more resources even if they understand that not asking for more resources will put the company at risk.

I use the BOARDISH methodology to show a clear financial impact of a “lack of resources”.

*See an example of quantifying this via the BOARDISH web app (boardish.io)

Background:

  • The Core issue of the test company is that they have an End of Life server in production, which both contains PII information and also several systems that use old SMB protocols.
  • The CTO, Cyber Team and Compliance all know the risk this server is imposing on the company.
  • It’s just a matter of time until the SMB protocol will cause Ransomware AND / OR Data Leakage of PII information.
  • Company information – I am using a test company with the following information:

Threats:

This is where we put “Insufficient IT & Cyber Resources” as the main Threat.

And we use info that we know from Ransomware and Data Leakage for this specific company as our “Turnover Days Loss” and “Work Day Loss”

Why ? – because “Insufficient IT & Cyber Resources” will not allow you to even “get to” addressing the actual Ransomware & Data Leakage issues – it will delay and delay them.

Solutions:

In Solutions, we will put 2 options, inputting the yearly cost.

  1. Recruiting a staff member
  2. Using an external company

Threat Protection Factor ( TPF ) :

In this scenario – our solution will “most likely” solve the entire threat, this is why we will input 90%

Experts Costs:

Recruiting in-house VS Outsourced will usually require more resources for ongoing management. So we must account for this time (and hourly costs of this time) in the yearly expert costs.

Regulation impact:

Regulation has a HUGE impact on our scenario: the lack of resources will most likely lead to a Data Leakage of PII.

And we have a CLEAR FINANCIAL IMPACT NUMBER to show our Decision Makers / Board:

  1. What is the COST of the “Insufficient IT & Cyber Resources” Threat
  2. What are the components of this Threat (Market Loss, Regulation, Salary Loss and Sales Loss)
  3. What is the COST of EACH OF THE OPTIONS of Resolving this Threat
  4. What is the leftover exposure in each environment to consider when looking at further mitigation.

The Boardish Methodology combines a Risk Assessment exercise with Financial quantification; now your Decision Maker / Board needs to make a very clear decision:

Provide the resources for solving the Threat or accept the Cost of the risk.

Eli Migdal


Quantifying The Financial Impact of Mass Absence From Your Business


This article was written by our founder Eli Migdal, posted on Linkedin here


In the Boardish community, we have noticed a big spike of companies who are adding the threat of “Immobility” (not being able to work remotely).

I want to help and to show you a basic guide on how to use the Boardish platform* to understand the costs of immobility, for example with situations like the Coronavirus where many people have to self-isolate but are still able to work. So you can get quick approvals on solutions to solve this from decision-makers.

*You can do this with the free version of Boardish also.

Step 1 – Company information:

Fill your company information, all threat impact and solution mitigation are calculated based on the size, type and financial posture of the organization.


Step 2 – Threats:

Add a custom threat (Go to > Add Threat Type), you can call it “Immobility” or we’ve also seen variations of “Not being able to work remotely” and “no remote working option“.

Then we look at the critical operational information like how much the threat impacts the day-to-day. It’s different for each company, so we recommend involving your Operations, Sales, and Marketing teams.

In our example company below we have:

  1. Set the Chance of Losing Marketing position to Medium
  2. Included 25 Turnover Days Loss (days you are not selling because of a mass absence of staff and your company doesn’t have remote working capabilities in this case)
  3. 50% of Sales Loss in these days (because not all functions are impacted, some are automated etc.)
  4. 14 Workdays Loss is predicted for High, Medium and Low impact users. (for example, a self-quarantine period of two weeks.)

Step 3 – Solutions:

We will add 3 possible solutions that help us with the threat of “not being able to work remotely”:

  1. Video conferencing tools – Note that many companies are now offering a free option as well (due to the Coronavirus outbreak). So for this example, I made the cost of video conferencing free.
  2. Advanced identity management tools – Tools that help you to protect remote identity by adding “Device Identity”, MFA, geographical restrictions and other abilities that help you to work remotely and securely. This is also very important for BYOD capabilities, which are a big part of working remotely. For this example, I made the cost $7 per user.
  3. Cloud security solutions – When working remotely, tools like Dropbox, OneDrive, Box, Google Drive etc. will be used more. So we will need tools to secure them in the business. Particularly to make sure we can differentiate between sensitive and non-sensitive types of files being worked and shared remotely. So in this example, I made the cost $6 per user.

For the purpose of this example, I’m staying vendor-neutral but I will be using the solution type field.


Step 4 – Threat Protection Factor (the efficiency of solutions against threats)

In this section, we are setting the effectiveness of the 3 solutions against the same threat. The TPF section is where you apply your own experience and knowledge of how effective each solution is, giving you manual control over the figures.

Based on my experience, I have used the following info:

  1. Immobility and Video Conferencing – 80% on-prem, 0% cloud
  2. Immobility and Advanced Identity Management – 0% on-prem, 75% cloud
  3. Immobility and Cloud Security – 0% on-prem, 70% cloud

[Figure: TPF input in Boardish]

Step 5 – Expert costs

This section is very important when presenting solutions to your decision-makers. Video conferencing solutions may be free to use, but they still require IT resources to train and support users; these resource requirements and costs need to be quantified.

I have used the following info:

  1. Video Conferencing – Will require 100 hours yearly of 1st level IT, mainly for supporting setups or connection issues.
  2. Advanced Identity Management – Will require 50 hours of your Cyber staff to configure and 100 hours of your 2nd level IT to support.
  3. Cloud Security – Will require the same as Advanced Identity Management (for this example).

*Again, you can use the figures for ongoing support if you know them from a solution you’ve used previously or are benchmarking.

[Figure: expert costs input in Boardish]

Step 6 – Regulation

In this step, we will set the GDPR impact for this threat. Immobility doesn’t have a direct GDPR impact unless there is a security issue that is not taken into consideration, and this is likely to be caused by something specific other than lack of mobility.

So, in this case I have configured GDPR regulation impact as none.

Dashboard:

Once the dashboard is complete, you will get clear figures on the following:

  1. Cost of the Threat – $39.92M
  2. Cost of Solutions: $64K in total

This is “decision making” knowledge provided to your stakeholders. If your company’s information is as clear as in this example, you will get your budget request approved for solutions that combat an immobility threat, particularly in cases of mass absence.

To quantify immobility in your organisation, you can run the same simulation using your information in Boardish.
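To make the arithmetic behind Steps 2 to 6 inspectable, here is an added, deliberately simplified model (written for this article, not Boardish’s own calculation). The article’s inputs (25 turnover days, 50% sales loss, 14 lost workdays, the TPF percentages, $7 and $6 per user, the support hours) are used as given; the revenue, headcount, hourly rates and the on-prem/cloud split of the threat are constructed placeholders, and the rule for combining several solutions’ TPFs is an assumption.

```python
# Added example, not Boardish's model. Company figures below are constructed.
ANNUAL_REVENUE = 120_000_000.0                                  # constructed
SELLING_DAYS_PER_YEAR = 250                                     # constructed
USERS = {"high": 50, "medium": 150, "low": 300}                 # constructed headcount per impact tier
DAILY_COST_PER_USER = {"high": 600.0, "medium": 350.0, "low": 200.0}  # constructed loaded daily cost
HOURLY_RATE = {"it_l1": 40.0, "it_l2": 60.0, "cyber": 90.0}     # constructed expert rates
THREAT_SPLIT = {"onprem": 0.4, "cloud": 0.6}   # assumed share of the threat per environment

# Article inputs: per-user yearly cost, expert hours, and TPF per environment.
SOLUTIONS = {
    "video_conferencing": {"per_user": 0.0, "hours": {"it_l1": 100},
                           "tpf": {"onprem": 0.80, "cloud": 0.0}},
    "advanced_identity":  {"per_user": 7.0, "hours": {"cyber": 50, "it_l2": 100},
                           "tpf": {"onprem": 0.0, "cloud": 0.75}},
    "cloud_security":     {"per_user": 6.0, "hours": {"cyber": 50, "it_l2": 100},
                           "tpf": {"onprem": 0.0, "cloud": 0.70}},
}


def threat_cost(turnover_days=25, sales_loss_pct=0.5, workdays_lost=14):
    """Assumed model: sales lost during the absence plus paid-but-unproductive workdays."""
    lost_sales = ANNUAL_REVENUE / SELLING_DAYS_PER_YEAR * turnover_days * sales_loss_pct
    lost_work = sum(USERS[t] * DAILY_COST_PER_USER[t] for t in USERS) * workdays_lost
    return lost_sales + lost_work


def solution_cost(name):
    """Licence cost for every user plus the expert (support/configuration) hours."""
    s = SOLUTIONS[name]
    licences = s["per_user"] * sum(USERS.values())
    expert = sum(h * HOURLY_RATE[role] for role, h in s["hours"].items())
    return licences + expert


def total_solution_cost():
    return sum(solution_cost(n) for n in SOLUTIONS)


def residual_threat_cost(names=tuple(SOLUTIONS)):
    """Assumed combination rule: within each environment the chosen solutions' TPFs
    act independently, so the unprotected share is the product of (1 - TPF)."""
    residual_share = 0.0
    for env, share in THREAT_SPLIT.items():
        unprotected = 1.0
        for n in names:
            unprotected *= 1.0 - SOLUTIONS[n]["tpf"][env]
        residual_share += share * unprotected
    return threat_cost() * residual_share


if __name__ == "__main__":
    print(f"Cost of threat:       ${threat_cost():,.0f}")
    print(f"Cost of solutions:    ${total_solution_cost():,.0f}")
    print(f"Residual threat cost: ${residual_threat_cost():,.0f}")
```

Changing one input at a time (for example the sales-loss percentage or a single TPF) shows which assumption drives the threat figure, which is the question decision-makers usually ask first.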

Learn more here: https://boardish.io/

Sign up here: https://app.boardish.io/
