Why ‘Probability’ is a huge landmine in Cyber Security Risk Quantification (+ how to overcome it)

Cyber Risk Quantification is becoming more widely adopted, and I’m seeing more SME / large companies and consultants using quantification methods for clients. But a lot of them have something in common: they’re working on the Probability & Impact methodology, shown brilliantly in the picture below:

cyber risk probability cartoon

* Picture Credits – The Cyber Security Hub

This illustration is one of the best ways to show how probability and impact “go together”, not least because it is so clear. But it also blinds cyber professionals to the huge landmine that is “quantifying probability”.

After years of working on quantifying cyber risk into financial figures (from consulting through to the development of Boardish), I believe that focusing on probability is a mistake in the cyber security realm. Allow me to explain:

  1. Cyber Security threats are evolving MUCH quicker than any “past knowledge” on which you could base a probability factor. For example, with Ransomware, the attack vector for Ransomware to ‘get into your organization’ is evolving on a DAILY (and sometimes hourly) basis. On day X your probability is low because all of your machines are patched, but on day Y a new security flaw in a core system means the probability soars.
  2. Cyber attacks are constantly on the offensive; it’s not a “statistical game” like car accident insurance. Instead, there is a clear ‘business model’ for your attackers to gain access to your systems and cause damage. They are ACTIVELY trying all the time. It’s not a question of “if I will be attacked” but “when”, AND “are zero-day exploits going to be used”.
  3. You’ll always be wrong when speaking to management. When asked by your management “what is the probability” of Cyber Attack X happening, most likely you will get the answer wrong. It’s a “catch 22” question – you can’t really get it right because you have no control over the variables, which are constantly changing.

How should I address probability in Cyber Risk Quantification?

  1. Always assume the Worst Case Scenario when it comes to probability – that’s the only “not wrong” answer. Your responsibility as a cyber professional is to be able to Identify, Protect, Detect, Respond and Recover (the NIST Framework) ANYTIME, ANYWHERE.
  2. Focus on the financial size of the threat impact – given that the probability of the threat is ALWAYS HIGH.
  3. Focus on the efficiency of the solution against the threat – given that the probability of the threat is ALWAYS HIGH.

This way the responsibility is on your solutions to protect against the overall threats, rather than asking a thousand ‘what ifs’ to find a solution that may not protect you in the worst case. What is the point?

So, what’s the alternative to working this out? In Boardish we approach it from a solution perspective and have the TPF (Threat Protection Factor). You can see that we have threats and solutions AND the efficiency of the solutions against the threats.

You can have multiple solution combinations against the threat and, most importantly, you control the efficiency, based on your specific organizational understanding, experience with solutions, and specific environment.

We don’t “play” the “probability” game; it’s always “HIGH” because this is the one “not wrong” (there is no right) answer. You can wake up to a Ransomware attack anytime, anywhere. Don’t make the mistake of communicating to your management that you can predict the probability; you can’t.

The one thing you can predict is how well solutions can protect against worst case. So use this as your benchmark and you’re a lot closer to being right!

How does the Boardish Framework solve this:

  1. Boardish focuses on the full quantification of the THREAT: Market Loss, Work Days Loss, Sales Loss, and Regulation Loss, combined with “how quickly the company will recover its market position”.
  2. We measure the efficiency of the solution in mitigating the threat, AKA “how efficient is the solution against the threat”. We do not automate this process; we believe that it is different for each organization, and each IT & Cyber professional knows and can make a decision based on their specific environment.
  3. The Boardish Methodology helps you to quantify the real and complete solution cost (including IT & Cyber labour cost).


The Boardish Methodology shows you a very clear decision-making metric without the “catch 22” of ‘probability’.

Plus, you can try our solution for free yourself without needing integration etc. at www.boardish.io

If you need help, let me know

Eli Migdal – Co-Founder – Boardish.


The 8 Steps I Use To Get (Nearly) All of My IT & Cyber Budgets Approved

*This article was originally published by co-founder Eli Migdal on LinkedIn here.

As a Cyber Security consultant, who is also the founder of two IT companies (TowerWatch Tech and Migdal Computing), I usually “get called” when there is a big issue, usually around my area of expertise, which is Data Classification, Encryption, and DLP. (Disclosure: I’m also the co-founder of Boardish.)

So I’ve proposed a lot of IT & Cyber budgets. And the truth is, I pretty much get them all approved.

I rarely fail, and on the rare occasions a budget doesn’t get passed, it’s a matter of the board taking ‘risk ownership’ which is a win in itself and not really a budget approval failure (in my eyes.)

This is not a clickbait article or a way for me to show off; I want to share the complete steps that get me there every time, my own ‘methodology’.

Step 1 – Gather Initial Information – “Interview the company while they are interviewing you”

  1. What is the Reason / Business Logic / Catalyst for this Cyber Security project? – Is it regulations? Is it general Intellectual Property protection? Was the company hacked? What is the “drive” to do “something” with Cyber Security?
  2. How does the company make its revenue? – What are they selling? What is its unique proposition? What is their core business? To quote Steve Zalewski from Levi Strauss & Co: “We sell Jeans! – how are you going to help me sell Jeans?” – Figure it out before you go any further.
  3. Who is the owner of this initiative/project? – Is it IT? Is it Cyber? Is it GRC? Is it you?
  4. Does this project have a “Champion” who is Board Level / C-Suite? – To put it more clearly, “is this a Board Level project” that will be pushed from the top down?

Usually, one of 3 things happens at this phase:

  • Option 1: You get all the info – Great! – the best option.
  • Option 2: You get some partial info and they start consulting with you regarding “what do you propose”. Great – this is also a good option because it means they want to align themselves and take it to the next level.
  • Option 3: They start pushing back on the “questions” themselves. This is a GREAT SIGN for you to say “Thank you, it was a great call/meeting, but I suggest we end it now. Let’s stay in touch for when you are ready to align with this project methodology and the way I work.”

Step 2 – Gather Specific Company Details – “Hi, I am Eli – now let’s talk about you, I want to hear all the details… “

  1. What is the Turnover of the company?
  2. How many employees are there in total?
  3. How many employees are high/medium/low impacted by technology?
  4. What are the average salaries for high/medium/low impact users? (For this you usually don’t need to ask anyone in the company, as you can just google the industry standards or use services like Glassdoor to assess the averages.)
  5. What is the speed of recovery of the company? How many years will it take the company to get back its previous market position following a technological catastrophe? This is a GREAT question to engage all C-Suite and departments with … “how quickly can your company jump back after the mother of all data breaches?”

This data-gathering phase can go more in-depth and I shared my 5-step framework for CISOs starting in a new company here already:

Step 3 – Take The Company’s Risk Assessment Report and Translate it to Financial Figures – The board don’t make decisions with traffic light charts, they make decisions based on money.

  1. NIST, ISF, ISO – no matter what framework you use for risk assessment, you need to translate it into “Business Language”, aka money, money, money.
  2. Quantify each threat via the Boardish Methodology: how many workdays Loss, how many Turnover Days Loss, what is the Market Position risk, etc.

Step 4 – Make Sure The Proposed Solutions Include Full Costs (no surprises later)

A common cause of tension between IT/cyber and the board is the board being surprised by solution costs because labour wasn’t included when the proposal was made and approved.

So, when I create proposed solutions and budgets, I make sure I’ve included labour, to avoid the scenario where implementing and supporting a solution costs more in labour than the initial licensing.

If you need more help to do this, you can see my article below (Using Boardish – or you can make a spreadsheet and work it out yourself.)

Step 5 – Evaluate What is The Efficiency level of the Current & Proposed Solution Against the Threat – “Are they any good?”

How well do the solutions mitigate the risk that you’re being hired to solve? In MANY cases several solutions address the same threat, or the same threat from different vectors. Make sure you have the full picture.

Involve the IT & Cyber teams who will have real-life stats, info from the solutions that they’ve used before, and POC on any new products.

I use the TPF approach in the Boardish methodology, and before Boardish I did it manually myself to assess how effective the solutions are against the threats.

Here is an example of a TPF in the Boardish App (Note: it has full manual control so you can set and reset based on new information and knowledge.)

Step 6 – Regulations! – Don’t forget your BEST FRIEND.

Regulations are the best friend of the CISO and the Cyber Consultant: they “get you the attention you need from the Board”, as no one ignores a fine of 4% of turnover.

  1. Almost EVERY company I have encountered has GDPR implications. GDPR is a “Board Level Responsibility”, so it’s a great “conversation starter with the Board”.
  2. If you or your suppliers are somehow connected with medical information, HIPAA is your best friend. USE IT!

Ok … we have the data gathering section complete, we are good “internally” but are we ready to “attack the board room”?

Not yet … now you need to get your whole team on board.

Make sure your staff, your team, your partners and your managers are fully aware of the “REASON” for this project before you go into budgets; make sure it is clear “why we are doing this”.

This helps to reduce resistance to change which can slow or derail your project, and gets everyone excited about the changes because they see how it helps them.

This ties into an article I wrote on my experience of managing up and down the chain of command:

Step 8 – Forget all your “Techy Risk Terms” – Turn the data into business language.

It’s not just quantifying the risk into financials, it’s also terminology and how you frame your budget and proposal.

When approaching the board, focus on:

  1. What is the COST of the Threat?
  2. What is the COST breakdown? (Sales Loss, Salary Loss, Market Loss, Regulation Loss)
  3. What is the complete solution cost overall?
  4. How much financial exposure do they have left after implementing the solutions?

Be ready to run the simulation with different solutions, different efficiency levels, different threat metrics, different costs. Give the info they need LIVE!

This is a Boardish Dashboard that I use to show Boards when pitching budgets.

Usually, in my experience, if your solutions are mitigating MOST of the risk and the cost of the entire solution is less than 2% of the turnover – YOU WILL GET YOUR BUDGET approved.

Here is a 5-minute demo of how I use the Boardish App and Methodology to implement exactly what I talked about above:

Going back to my headline – I very rarely fail with this approach.

In almost all cases, I see that when you communicate your needs in a business language you will get your Budgets.

Do you think I am exaggerating? That I am a bald, stuttering, overconfident methodology creator? Well, maybe I am, but that’s beside the point … my method works! Try it yourself and see.

Boardish: http://boardish.io/

Sign up here: https://app.boardish.io/

Eli Migdal – Co – Founder – Boardish


How To Quantify & Assess The Financial Impact of Business Closures on Your Bottom Line

The unfortunate reality for businesses of all sizes right now is spontaneous business closures (or deciding whether now is the time to reopen your business!)

With COVID-19 outbreaks at your physical locations meaning potential mandatory lockdowns, as well as the decision of whether to re-open at all, it’s important to know the figures and what it could cost you.

We wanted to share how you can use Boardish to quantify into hard numbers what this means for your business.

  • Is it more cost-effective to keep your physical locations closed rather than adopt new procedures?
  • What is the real ‘solution’ cost of implementations? (including the cost of your expert’s hours and time)
  • What is the sales loss for your business closure?
  • What is the regulation impact for remaining closed? (and does this pose a higher risk to you?)

With Boardish you can compare the cost of a closure to your business and the full solution cost to your turnover so that you can decide which areas of the business are still viable. PLUS make a quick decision with all the numbers once you’ve run your simulations.

Once you’ve input your company information you can run several simulations on different scenarios so you can see the full picture quickly, and then use this information to get a fast decision from the board or decision-makers.

Boardish gives you a snapshot of the information you need on the company right now, and you have complete manual control over the efficiency of your solutions, so you don’t have to consider AI learning time or integration into your systems!

The Boardish Web App is ready to go right now, and you can do all this in the FREE Boardish Basic Tier! 

Take a look at our video above, which runs through the exact process, so you can quantify exactly what you need right now!


Why You Need a Human Involved In Risk Decision-Making


Until there is a whole new level of real AI technology and not pattern-based recognition automation as we know it now, risk decision-making should still always have human involvement.

I got inspired for this article following the David Spark CISO Series Friday evening event on “Hacking Automation”.

During the event, David asked a question, ‘Which element would you never automate?’, and both panelists and many others in the chat room said Risk. I wanted to share more of my thoughts on where you can’t automate with AI.

Risk information gathering, such as penetration testing tools, and even risk identification can be automated (or a combination of automation and human), but when it comes to the decision-making on risk, that should always be a human.

A risk assessment can give you scores to consider, but there is no such thing as ‘generic risk’ in cybersecurity, there’s no one-size-fits-all. Every threat has a different impact level for each organization type, industry, and even specific activities in an organization.

I see it with Boardish as well as in consulting. Risk depends on variables in an organization like structure, revenue engines, and even functions like marketing (when you consider market position losses in the calculation) and it’s all interconnected. Cyber threats are a 3D picture (some say 4D) which need different perspectives that automation and AI just cannot give right now.

Which is why a human should have the say on the priority of IT and Cyber risks and make the final decision on what is a higher risk to the organization.

When my partner and I were building the Boardish Methodology, we made a big decision on the ‘decision-making’ and level of control a human has over threat decision-making. Which is why one of our main elements in the methodology is TPF (Threat Protection Factor). This is the efficiency of the solution against the threat.

We knew we could go via the automation route: we can integrate with other tools, take the data, and provide an automated answer for “how efficient is the solution against the threat”, e.g. Endpoint Protection is 68% efficient against Malware.

But then we understood that only a skilled professional who knows:

  • the company inside out,
  • how the threats impact his / her company,
  • the real-life efficiency levels of certain solutions, after real-life testing,

can make an accurate decision on how efficient a solution is for THEM, i.e. how much certain solutions will mitigate that company’s threats.

This is also why we separated “On-Prem” and “On-Cloud” and gave them separate TPF input values. We have seen too many scenarios in which a solution can be VERY efficient on-prem but have almost no impact On-Cloud and vice versa.

That’s why, when it comes to risk decision-making, we need to give the Cyber Professional FULL CONTROL over the decision. Of course, we can suggest based on our professional knowledge, but it must be a suggestion only, so the final word will always be with the person who is in charge, who is responsible for the company.

Here is a screenshot of our TPF section in the Boardish wizard, you can see that YOU can decide the efficiency on-prem and on-cloud for each solution against a threat or multiple threats:


To try the TPF for yourself, sign up to Boardish completely FREE here: https://app.boardish.io/

Learn more about Boardish here: https://boardish.io/

Eli Migdal, Co-Founder of Boardish


How to Show IT Budget as a Percentage of Revenue To Communicate To Decision-Makers


Showing IT budget as a percentage of revenue helps show IT and cyber threats and solutions in a business context, and more importantly, in a setting and language of the board level. This makes it easier to understand the value of IT operations and how they benefit or affect the bottom line. 

When the board understands the role of IT operations in the overall revenue stream, it is more likely you will get your IT budget approved. But how can you go about showing the budget like this? 

First you need the right data

IT budget approvals require some cold hard figures for things that are not easily quantified, such as various risks. While the IT department can deal with low, medium, and high risks, these don’t make much sense to the board. 

You will need several sets of data points before you can get financial figures. 

  1. You need to know your risks – these can be determined via a risk assessment
  2. You need to know the solutions – for each risk, you must know which solution you’d like to implement so you can propose it and have it approved 
  3. You need to know the business revenue – knowing revenue figures is necessary so you can create a comparison (before solution is implemented vs. after implementation) 

You also need the right toolkit

With all the risks determined and solutions chosen, you can now use Boardish to help you quantify the threats and risks. With Boardish, you can also put numbers on the cost of the solution and present it as an average IT budget percentage of revenue. 

This way, the board can see that the IT spending is a much smaller chunk than paying the aftermath of a threat that wasn’t covered well. 

It’s a very straightforward process that doesn’t require any type of implementation into your systems or access to your data centres. It works independently – all you do is input the data it needs to give you the figures you’re after. You will need: 

#1 A few details on your company

You’ll need to input things like the name of your company, number of employees, country, currency, and annual turnover rates. 

As for employees, you will give detailed figures based on how much they rely on technology. Finally, you’ll need to give some salary information, including average salary for different categories. 

#2 Input of threats

Add all the threats that you wish to showcase. During IT budget approvals, presenting the impact of threats is what matters most. 

In this step, you will input how high the risk is, how many turnover days and sales you expect, and how it affects employees. 

#3 Solution input

Next, you’ll add the cost of the solution (either as a one-time payment and/or cost per year). You’ll be able to quantify full solution costs including experts at every stage later in the process.  

#4 The threat protection factor 

This is how successful your solutions are in handling the threats, and one of the unique elements of Boardish. Usually, you can get the factor from your initial risk assessment, or your own experience. It’s completely manual in Boardish because some things, like risk, shouldn’t be left to AI. You can quantify effectiveness both in the cloud and on-prem.

#5 Expert cost 

Here you can put in all the costs associated with implementing solutions and dealing with threats. You can put in hourly rates and the number of hours you expect your IT team will need for it. 

#6 Regulation impact for each threat

Finally, you can add the risk of additional fines for breaching important security regulations such as GDPR. 

Boardish will use all of the above data points and turn them into a financial figure that you can present as a percentage of revenue to help get IT budget approvals.
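The six inputs above, together with the Step 8 questions from the budget-approval article (cost of the threat, its breakdown, the complete solution cost, and the exposure left after the solutions), can be carried through as one small calculation. The following is an added illustrative model, not Boardish’s own formulas: it assumes salary loss is weighted by technology-impact tier, that several solutions against one threat combine as independent layers, and that a threat’s exposure is split between on-prem and cloud by a share you choose; all figures are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Illustrative model only, not Boardish's own formulas. Constructed assumption:
# how strongly a lost workday hits each technology-impact tier of employees.
IMPACT_WEIGHT = {"high": 1.0, "medium": 0.5, "low": 0.25}

@dataclass
class Company:
    turnover: float               # annual turnover
    headcount: Dict[str, int]     # employees per impact tier (high/medium/low)
    avg_salary: Dict[str, float]  # average annual salary per tier
    working_days: int = 250       # assumption for converting annual figures to daily ones

@dataclass
class Threat:
    name: str
    workdays_lost: float          # days staff cannot work normally
    turnover_days_lost: float     # days of sales lost
    market_loss_share: float      # share of turnover lost to market position damage
    regulation_loss: float        # expected fine (e.g. a GDPR penalty), entered manually
    on_prem_share: float = 1.0    # assumed share of the exposure sitting on-prem (rest is cloud)

@dataclass
class Solution:
    name: str
    one_time_cost: float
    annual_cost: float
    expert_hours: float           # IT/cyber labour to implement and support it
    hourly_rate: float
    tpf_on_prem: float            # Threat Protection Factor, 0..1, set by the practitioner
    tpf_cloud: float

def threat_cost(company: Company, threat: Threat) -> Dict[str, float]:
    """Break a threat into the four loss types the article lists, plus their total."""
    daily_turnover = company.turnover / company.working_days
    salary_loss = 0.0
    for tier, weight in IMPACT_WEIGHT.items():
        daily_salary = company.avg_salary[tier] / company.working_days
        salary_loss += company.headcount[tier] * daily_salary * threat.workdays_lost * weight
    breakdown = {
        "sales_loss": daily_turnover * threat.turnover_days_lost,
        "salary_loss": salary_loss,
        "market_loss": company.turnover * threat.market_loss_share,
        "regulation_loss": threat.regulation_loss,
    }
    breakdown["total"] = sum(breakdown.values())
    return breakdown

def solution_cost(solution: Solution, years: int = 1) -> float:
    """Full cost over the budget period, labour included (Step 4: no surprises later)."""
    return solution.one_time_cost + solution.annual_cost * years + solution.expert_hours * solution.hourly_rate

def combined_mitigation(tpfs: List[float]) -> float:
    """Assumption: independent layers, so the threat has to get past every one of them."""
    residual = 1.0
    for tpf in tpfs:
        residual *= 1.0 - tpf
    return 1.0 - residual

def residual_exposure(company: Company, threat: Threat, solutions: List[Solution]) -> float:
    """Threat cost left after the solutions' TPFs, weighted by where the exposure sits."""
    total = threat_cost(company, threat)["total"]
    on_prem_left = 1.0 - combined_mitigation([s.tpf_on_prem for s in solutions])
    cloud_left = 1.0 - combined_mitigation([s.tpf_cloud for s in solutions])
    return total * (threat.on_prem_share * on_prem_left + (1.0 - threat.on_prem_share) * cloud_left)

def board_summary(company: Company, threat: Threat, solutions: List[Solution], years: int = 1) -> Dict[str, float]:
    """The Step 8 figures: threat cost, solution cost, exposure left, budget as % of turnover."""
    total = threat_cost(company, threat)["total"]
    budget = sum(solution_cost(s, years) for s in solutions)
    left = residual_exposure(company, threat, solutions)
    return {
        "threat_cost": total,
        "solution_cost": budget,
        "residual_exposure": left,
        "mitigated_share": 1.0 - left / total,
        "budget_pct_of_turnover": 100.0 * budget / company.turnover,
    }

# Constructed sample company, threat and solutions (figures are made up for illustration).
COMPANY = Company(turnover=50_000_000,
                  headcount={"high": 100, "medium": 200, "low": 200},
                  avg_salary={"high": 60_000, "medium": 45_000, "low": 30_000})
RANSOMWARE = Threat("Ransomware", workdays_lost=10, turnover_days_lost=5,
                    market_loss_share=0.02, regulation_loss=500_000, on_prem_share=0.7)
SOLUTIONS = [
    Solution("Backup & recovery", 100_000, 20_000, 200, 100, tpf_on_prem=0.6, tpf_cloud=0.3),
    Solution("Endpoint protection", 0, 80_000, 100, 100, tpf_on_prem=0.5, tpf_cloud=0.5),
]

if __name__ == "__main__":
    for key, value in board_summary(COMPANY, RANSOMWARE, SOLUTIONS).items():
        print(f"{key:>24}: {value:,.2f}")
```

For the constructed sample the threat costs 2,980,000, the two solutions cost 230,000 (0.46% of turnover) and leave 730,100 of exposure, so the mitigated share is 75.5%; change any TPF or cost and re-run to give the board the live comparison Step 8 asks for.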

Try Boardish for yourself for free up to 3 threats and solutions here: https://app.boardish.io/

Learn more about Boardish: https://www.boardish.io/


‘Leading Up & Down The Chain of Command’ As A CISO

I was listening to the audiobook “Extreme Ownership by Jocko Willink and Leif Babin”, sharing their experience as navy seals commanders and how to transform this experience to the realm of business.

I did not know what to expect from the book. Yes, I know that many Cyber Professionals (including yours truly) love to consider themselves “warriors of cyber”, fighting against the ‘bad guys’, and so many more battle metaphors.

But still, I had no idea how much one specific part of the book would resonate with my experience in the cyber managerial realm. One chapter in particular (Leading up and down the chain of command) really stood out and resonated with my experience as a cyber manager.

I was shocked at the level of similarity, and more importantly, the level of clarity and pragmatic approach this book can give cyber professionals to deal with our daily ‘missions.’

CISOs and other managerial cyber professionals are currently in a challenging position in which they need to ‘lead’ both up and down the chain. They need to manage their teams and they also need to ‘manage’ their management and decision-makers.

So, I wanted to share a real-life experience that I have encountered whilst working as a Cyber Security Consultant to share what ‘managing up and down the chain of command’ means for me.


I was brought in by the Chairman of the Board to an organization that had a strong and capable IT department, but no proper security team at the time. I was acting as a temporary CISO and project owner in a post-data-breach situation to build a complete security methodology and team that would work together with the CTO and the IT team.

After several Board Level meetings, it was decided the entire overhaul project would be framed around GDPR compliance. The organization would have GDPR best practices including data encryption, DLP, SOC team, a new DPO role (and much more) as the company was post-breach. I was acting under the ‘command’ of the chairman, the board approved the entire plan and we officially started the project.

Challenges – Phase 1:

Following several planning sessions with the CTO and the IT team leader we understood that the company had a HUGE amount of legacy software and hardware (something I see in many companies – old computers running outdated operating systems, or an ERP system with compatibility issues.)

Newer computers running newer operating systems were a mandatory requirement to run the newest security tools, so the IT department had the huge challenge of upgrading the entire company and getting the infrastructure ready for the security tools.

The CTO and the IT Team leader understood the scope of it and said they could do it.

Challenges – Managing down the chain of command:

The replacement of Legacy IT software and hardware started and the entire IT team was working nonstop, and of course, problems started to occur:

  • The upgrade project was taking more time than initially anticipated, mostly because several “top-ranking” departments were adding more challenges to the process. E.g. ‘not allowing an upgrade to a specific department because they are working on the budget of that quarter and no one can interfere’, or ‘delaying an upgrade of specific software because they did not have the time or will to train the new mid-level managers on the newer version’, etc.
  • The IT team was avoided because staff didn’t want their computer and software changed (because who likes change…?)

In a meeting I had with the team, I remember hearing sentences like:

  • The new project is taking so many resources we barely have resources to keep the day-to-day running, and this is making our users angry about our service.
  • Before this project we had it stable, we had it calm, people liked us.
  • Before this project, we had no issues with Heads of Departments and now we need to “fight” in order to get this project moving.

The IT team started to “hate the project”.

I remember stopping and asking the IT team very directly, ‘what is the purpose of this project?’

They hesitated a bit and then replied ‘to get the company GDPR compliant, that annoying regulation/compliance thing.’

And I remember that I thought to myself, this is MY ERROR, I did not communicate the big picture well enough. They were so focused on the micro tasks they were not seeing the big picture, I did not communicate it as I should have.

I sat down with the team and explained to them very clearly that we all knew the company had suffered a data breach. They were lucky and the exposure was minimal, but it could have been much worse, so bad it could have ‘killed the company.’ The Chairman of the Board got me in to make sure it would not happen again; this was my clear mandate.

The purpose of the project was to protect the company, to protect all the different departments, to protect the people, to protect their families whose livelihoods depend on the company. It was a real “fight for home”. The true purpose of the project was to protect the company so it will continue to be a home for many years to come.

I also explained that without the IT department being “all in”, we couldn’t get to the next phase of installing the security software, and without it, we will not be achieving a secure company.

As leaders, it’s our job and our responsibility to make sure that every person we are in charge of knows exactly what he/she is doing, and most importantly WHY. It isn’t just to “tick some regulation box”, it’s to secure the company that is a home and livelihood to most of the employees.

It’s all about communication, explaining why we do the things we do.

I also understood that my next task was to ‘manage upwards’ because the same issue was happening with the C-Suite and the heads of departments.

Challenges – Managing up the chain of command:

In the next Board meeting, I came down “hard” on several of the Department heads about them “not allowing” the work of IT.

Their feedback was very similar to the feedback of the IT team and was focused on their specific projects, their budgets, their tight schedules or goals etc. And most of them did not understand how their behavior was actually impacting the project itself. (They honestly didn’t see the connection: “how can my department slow down this entire project? It doesn’t make sense.”)

They knew the big picture, they knew the purpose of the project but they did not fully understand the steps that were required to “get us there” and again I understood it’s my responsibility to communicate clearly WHAT we are doing, and WHY.

So, I sat down with the CFO, the IT team leader and the IT department and showed all the different steps in the checklist for installing ONE new computer, getting it set up with all the required software etc., all while keeping the user working on a temporary terminal.

I will never forget what the CFO said…”Wow – you do this WITH EVERY SINGLE USER” and the Team leader said “of course – we need to make sure all works 100% before we hand it over”

I used this opportunity to remind the CFO that all of this, all of this “hassle” is to keep the company secure. The same goal, exactly the same goal I explained to the IT team, the same goal that the Chairman of the Board told us to execute.

Following that, I requested (demanded) several things:

  1. No department will slow down the project no matter what.
  2. If there is a critical need for a “unique” scenario, the CFO will provide an additional budget for additional IT resources so upgrades can be done during nights or weekends.

The Bottom line – no one is too “special” to bypass our timeline. If more time is required – we “Buy it”!

The CFO agreed and during the project, additional budget resources were supplied and an external company was used to help with the new software installation, mostly during weekends, making sure there was zero impact on employees.

The ROI for the CFO was clear; all he needed was the understanding of “what is happening and why”.

In my role as the temporary CISO / project owner, I needed to constantly ensure clear communication and expectations between the team I was managing and my “management”.

All must be aligned to the same goal and it was my responsibility to keep them aligned.

My experience has shown me that if you communicate clearly, make it goal oriented, remove ego and are pragmatic, you will get both teams on your side.

The project was a big success and the company itself is a showcase for technological methodologies like “full encryption for non-structured information” and a global SOC team that mitigates most incidents before they have any serious impacts.

Plus, IT and the new Cyber team are working together better than ever, both being able to get budget requirements from the board by communicating clearly their needs, the main goal, the steps to getting there and, most importantly, “what are the exact expectations of IT and Cyber from the Board”.

Bringing it all together

Ultimately, when a CISO takes responsibility for a project, task, risk, or anything else, there needs to be a very clear definition of WHAT THEY ARE RESPONSIBLE FOR and WHAT THE END GOAL IS.

And this needs to happen at board/decision-maker level before approval. Because ultimately, a CISO needs to be able to manage up, down (and sideways) to take ownership of challenges and correct issues as they arise. This can’t be done without very clear and explicit understanding.

In this instance I was able (and was given the authority) to ‘sit down’ members of high management and ‘demand’ from the C-suite, because there was clear quantification before I took the project on. I knew exactly what the end goal was and it was my responsibility to communicate effectively to make it happen. Without this clear ownership, delays, and potentially the abandonment of the project when some resistance was met, would have been allowed to happen.

You’ll always get resistance (people hate change even for their own good), but with the right ownership, you can be empowered to forge ahead and lead up and down the chain of command!

Eli Migdal – Co – Founder – Boardish


Imposter Syndrome in Cyber Security – How We Can Turn This Into Our Secret Weapon To Become Technological Leaders


*This article was also posted on LinkedIn.

I created a survey on Linkedin surrounding Imposter Syndrome in Cyber Security, and it looks like a lot of us “suffer” from it, particularly when it comes to the cyber management level. (link to the survey here)

I see this entire “Syndrome” as a very interesting and even CRITICAL part of becoming a cybersecurity professional at the executive level. I believe there is a curve of Confidence in Cyber Security, which I aptly call “Eli Migdal’s Confidence Curve of Cyber Security Tech Vs Managerial Skills Vs Confidence” (I know – very original name). If you were to chart it out, it would look something like this:

imposter syndrome chart for executives

This chart in my experience works both for the Sys Admin route to CTO / CIO and the more cyber focused route to CISO.

But, it’s all about the timing – when does imposter syndrome start? And how can you catch it to use it to your advantage?

If I break down the chart to explain more about what this looks like in practice, you’d see something like:

  1. (Years 2-6) – You are focusing on honing your “Techy Knowledge” and going hands-on as you grow your confidence alongside your tech skills.
  2. (Years 7 – 9) – Your “Techy Knowledge and Skill” peaks and starts to plateau (in tech you will never know everything, as it changes so quickly!). During this time your confidence level continues to grow, and your managerial skills grow more as you start to manage more people and teams directly.
  3. (Years 10 -12) – This is where it usually gets “tricky” because your focus turns more to managerial skills and tasks. Your “Techy knowledge” starts to decline because it’s almost impossible to stay completely hands-on in tech and management simultaneously as your team size and responsibilities increase. This is where the first real signs of “imposter syndrome” start to show and your confidence starts declining.
  4. (Years 13-15) – Your Managerial skill increases initially but starts to balance out and does not increase more as your confidence level is declining and you’re not maintaining “Tech Knowledge” levels. This is where you must “fix it” and get the charts rising again.

What is “Imposter Syndrome” in IT & Cyber – How does it feel?

It is usually all about your confidence level and self-doubt. Usually, the following types of questions start popping into your head:

  • Am I really an expert? Am I really a Cyber Expert or an IT expert?
  • Can I really be responsible for something as big as securing an entire organization?
  • Can I really be responsible for the entire infrastructure and IT system of this organization?
  • Do others see me as an expert? Do they see me as a fraud?
  • If I don’t know something does this mean I don’t deserve to be here?
  • Does the bald look work for me or do I actually miss my hair? (ok maybe that’s just me)

Most likely some or even all of these questions have been through your mind at one point or another…

When it comes to technology, increasing your skillset tends to take time and the change is granular. But, when you’re shifting from techy to managerial or managerial to executive, there’s often a lot of sudden changes. This is usually a ‘sink or swim’ moment for many IT and Cyber professionals looking to become technological leaders. And a big cause of ‘imposter syndrome’ in my experience.

But to be honest, the real question is: if you suffer from imposter syndrome, is it really a ‘bad’ thing?

I think that in the IT & Cyber Realm we NEED to suffer from imposter syndrome; we need to embrace it. Otherwise, we will just be overwhelmed by the speed at which everything is changing.

The truth is, in cyber, everything changes so rapidly that no-one is ever going to know everything no matter how hard you try. Once you embrace the ‘imposter syndrome’ which is often a result of this, you can actually make it your friend and your secret weapon.

(credits to Nir Rothenberg for ‘secret weapon’)

Here are 6 bullet points on how to embrace imposter syndrome and make it work FOR YOU:

  • Understand that you can’t have ‘hands-on’ up-to-date knowledge on everything. In fact, the more you know, the less you actually know.
  • It’s very healthy in IT & Cyber to say “I don’t know – let’s research and find out”. Being able to say this is a proper catalyst to constantly learning more and engaging with your peers, researching, and learning TOGETHER.
  • Now, this is a big one. Your ‘worth’ as an executive is not always ‘what you know’. It’s your capability to learn, adapt, and respond to changing landscapes quickly. Experience is the ability to deal with new scenarios and not the amount of knowledge you have (this is a completely different metric of success compared to technological job roles and many people don’t realise this change).

Remember – you are not being benchmarked on your knowledge; in Cyber and most of IT you are being benchmarked on your skills in dealing with challenges.

  • If you want to make it in the Boardroom, try to be a specialist in being a generalist. (Credits to David Varnai on this quote.) You cannot be a complete expert in “something” when that “something” is ever-changing.
  • There’s a reason that Academia doesn’t really work in Cyber Security at an executive level: learning “past methodologies” doesn’t give you the experience to work in the environment at board level or managing a team. It’s the real-life experience that will make you feel more confident, rather than trying to put theories into practice.
  • Don’t doubt yourself but always challenge yourself. Ask “Did I really do everything I can on this subject? Did I engage with all my colleagues to find the best solution?”

So if you ask me: “Eli – are you an expert?”

Usually, my reply is “Yes, I was an expert yesterday … today most likely I am not – let me learn something new and I’ll get back to you”

“Eli – Do you have Imposter Syndrome?”

My answer would be “I had it yesterday but today I learned something new and I am ALLLL GOOOD”

Ok, I have embraced the Imposter Syndrome; what actual steps can I take to increase my confidence in the Technological managerial realm?

  1. Use the Imposter Syndrome – Rather than allowing it to doubt yourself and knock your confidence. Use it as a benchmark to accept something you don’t know and then drive your learning. Remember you can’t know it all, no one can, but imposter syndrome will empower you to do your maximum to learn something new every day. And this, in turn, will make you a much better leader.
  2. Learn to speak in Business! Learn about P/L, Assets, Liabilities, Revenue, Expenses, Equity, Net Profit, Net Loss, Profit Margin, Cash Flow, ROI, B2B, B2C. And no, you don’t need to do a PhD in economics. You are in Cyber and IT: find the resources and teach yourself, as you did for any other subject in your professional realm.
  3. Engage with your Managerial colleagues. It’s time to put the “Linux Console” aside for a while and work on your “soft skills”; your “soft skills” are critical in the Technological managerial world. Here’s an article on Soft Skills from Boardish: https://www.boardish.io/are-soft-skills-becoming-more-important-than-tech-for-it-cyber-pros/
  4. After sections 1 & 2 are accomplished, move to the next part – Talking in Business Risk. I have learnt that most decisions by C-Suite and Board members are made based on Risk Analysis, and in most cases it’s financial risk. I wrote an article on the subject:

I created the Boardish Methodology initially to help me swim in this deep water. To be able to get decisions from the C-Suite and Board and increase my Managerial communication skills. In doing this, it increased my confidence.

In our early years, our confidence grows as our technological abilities grow: the more “issues you fixed”, the more confident you become. In the IT & Cyber Managerial realm, your confidence will grow with the number of executive decisions you are able to push through.

Connect your confidence level and benchmarking with decision making and you will see how sometimes your “imposter syndrome” grows but it just makes you feel better, stronger, and more capable!

Eli Migdal – Co-Founder of Boardish


How to Quantify Cyber Threats as a CISO in 2020


The recently released Internet Organised Crime Threat Assessment (IOCTA) for 2019 by Europol shows that the threat landscape has matured, and key threats have grown in persistence and tenacity. 

The report confirms that the destructive ransomware threat remains high. Phishing, spear-phishing, and vulnerable remote desktop protocols have been identified as the primary infection vectors.

Such a threat landscape requires continuous efforts in the identification of main cyber threats to the organization and how much damage they can do. 

CISOs need to be prepared for 2020 and coordinate their security efforts with the board and their company goals. 

Communicating cyber threats in the board’s language—exact figures and business impact—requires a way to quantify these threats. 

To quantify these cyber threats, CISOs require greater access to the organization’s key financial data and other indicators.   

#1 Identifying the biggest threats and their financial impact on the company 

Identification of the largest cyber threats seems to be the biggest hurdle in presenting cyber risk and exposure, mainly due to the fragmentation of digital solutions in organizations.

According to Deloitte’s Future of Cyber Survey, 41% of CISOs state that Shadow IT presents the most challenging aspect of cybersecurity management in the organization, followed closely by 37% of CISOs stating that cyber transformation presents a large challenge.

Shadow IT makes it challenging to quantify cyber risk, as there is no overview of all systems. This makes it next to impossible to get a good snapshot of organizational cyber maturity or security posture. 

When the departments integrate digital solutions on their own, there is no alignment of IT with critical business goals. 

How does it relate to quantifying cyber threats? 

The board requires a good overview of the maximum potential threat so they can make the right risk assessments. Getting Shadow IT under control is the primary objective in being able to deliver such assessments.

Simply saying the largest cyber risk (such as data leakage or breach) will cost the company millions, destroy it, or have far-reaching consequences is not enough anymore. 

How much would the cyber incident cost if left as is? 

How much would your solution cost? 

How much exposure would remain after implementing the solution? 

Would your solution be a sound decision, from a financial standpoint?

Speak in actual numbers that affect the company, not industry averages.

#2 Getting access to the company turnover figures

Back in the day, CTOs and sysadmins, as they were called in smaller companies, had nothing to do with turnover figures or any type of financial statements outside of the realm of IT. Times have changed, and nowadays, cybersecurity is an integral part of every company. 

With digital systems running in every department, the CISO requires a full overview of each of them to devise a data and information security strategy that will minimise risk and make the organisation more resilient to threats. 

How does it relate to quantifying cyber threats? 

Nowadays, CISOs must have access to company turnover figures in order to be able to quantify risk in terms that the board will understand. If the board wants to talk about cyber threat risk figures, you must show them how cyber threats will affect the organisation’s turnover. 

The profit/loss reports would give better insight, but these are impossible to get if you’re not in a directorial position. Instead, focus on getting company turnover numbers to build your case.

#3 Presenting the impact of technology issues on employees 

To get a clearer picture of how a cybersecurity incident will affect employees, it’s best to separate users as high, medium, and low impact. 

Technology issues won’t affect all users in the company in the same manner. 

Some will experience only mild inconveniences but be able to continue working. 

Some won’t be affected at all.

Some, however, won’t be able to do a single thing until the issue is resolved. 

How does this relate to quantifying cyber threats? 

Quantifying the impact of cyber risk depends heavily on how your operations will take a blow. When you have a clear picture of how dependent your users are on technology, you will be able to calculate the impact. 

If users can’t do their job at all—high impact users—it means their operations are standing still, which makes the risk and its cost greater. 

If users aren’t that affected, the cost will be lower too.

#4 Presenting the financial impact of “downtime” on the company’s salaries 

The amount of high, medium, and low impact users determines more than just the extent of the impact. It also shows how much downtime will cost in terms of salaries—how much it will cost the organization that these employees won’t be able to work. 

How does this relate to quantifying cyber threats? 

Even if employees can’t work because of the security incident that needs to be resolved, they will still get their salary for the day. How much will this add to the total cost of the security incident? 

You don’t need exact figures for every possible employee you hire, of course, but having an idea of salary averages will help you determine this cost. 

To get some idea on salary figures, ask the CFO or somebody in the financial department. You might even want to use external resources that can give you averages, such as Glassdoor.

#5 Determining the financial impact of “downtime” on the company’s sales 

Most of the time, cybersecurity incidents have the greatest impact on company sales, since the sales processes are heavily dependent on technology. Your e-commerce stores won’t bring you any sales if the servers are under attack or if payment processing is down. 

How does this relate to quantifying cyber threats? 

While sales aren’t your responsibility, the impact of cyber threats on sales falls within your role. CISOs have the responsibility to communicate the impact of cyber threats on sales and present the costs of worst-case scenarios. 

How many turnover days will the company lose in case of threat X? 

Within each turnover day, what percentage of sales will go down the drain?

What is the chance of losing market positioning in case of threat X?

To provide relevant numbers, you must include the Sales team, and any other team related to sales, to give you the required information on how market positioning and sales will be affected in worst-case scenarios.

What is the financial impact of IT regulations? 

Information and data are top targets of cyberattacks, and all companies are under strict regulations on how to protect them, no matter what industry you are in.

Take GDPR as an example—the data protection act lists extremely high fines for companies that do not take necessary measures when it comes to personally identifiable information (PII). 

How does this relate to quantifying cyber threats? 

CISOs must quantify the impact of all regulations pertaining to the company in worst-case scenarios. The GDPR, for example, has extremely high fines: in case of a data breach the company might face fines of 20 million euros or 4% of its annual revenue, whichever is greater, and this must be included in the potential financial impact of cyber threats.

Most companies won’t stand a chance of recovery from such high fines.

What is the efficiency of my solutions against the biggest cyber threats? 

After presenting the cyber threats that are most likely to affect the company, CISOs must also present the solution. To sell the solution, you must quantify it too—its immediate and annual costs, in comparison to the costs of the threat it is solving.

In addition, there is also the efficiency factor of the solution—how much of the risk will it mitigate, and how much exposure would remain? 

The efficiency of the solution depends on the threat type and environment. Is it on-prem? Is it in the cloud?

There are very few scenarios where a cyber solution will have 100% efficiency, so decision-makers need to see the exposure left and weigh up the risk factor themselves.

How does this relate to quantifying cyber threats? 

The reason why CISOs must quantify cyber threats is to put the costs in perspective when compared to the costs of efficient solutions. 

Solution efficiency and cost help them justify investments that will improve the company’s resilience and overall security posture. 

It is likely that CISOs will have more than one solution for mitigating the biggest threats, with each of them having a different efficiency depending on the environment.

Showing the summed-up costs of solutions versus the cost of a security incident without solutions will help the board understand just how much a security incident can set the company back.
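The five quantification steps above (impact bands, salary cost of downtime, sales lost per turnover day, regulatory fines, and the exposure left after a solution of a given efficiency) reduce to a small calculation. The following is an added worked example written for this page, not Boardish code or the Boardish methodology itself; the company, user bands, salaries, downtime and solution figures are constructed for illustration, and the 250 trading days per year and the "productivity lost" fraction per band are assumptions of the example. The GDPR ceiling is the one the page cites (20 million euros or 4% of annual turnover, whichever is greater).

```python
# Added worked example (not Boardish code): quantify one threat's financial
# impact from the page's building blocks, then the exposure left after a
# solution. Every figure below is constructed for illustration.
from dataclasses import dataclass


@dataclass
class ImpactGroup:
    """A band of users (high / medium / low impact) and what their downtime costs."""
    name: str
    users: int
    avg_daily_salary: float   # constructed average, e.g. from the CFO or Glassdoor
    productivity_lost: float  # assumed fraction of the working day lost while systems are down


@dataclass
class Threat:
    """Worst-case parameters for one threat, gathered from IT, Sales and Finance."""
    name: str
    downtime_days: float            # turnover days lost
    relative_rate_of_sales: float   # share of each day's sales lost during closure
    market_loss: float              # cost of lost market positioning (Sales team estimate)
    triggers_gdpr_fine: bool        # does the worst case involve a PII breach?


def gdpr_max_fine(annual_turnover: float) -> float:
    """GDPR ceiling as cited on the page: 20 million euros or 4% of annual
    turnover, whichever is greater."""
    return max(20_000_000.0, 0.04 * annual_turnover)


def salary_loss(threat: Threat, groups: list[ImpactGroup]) -> float:
    """Salaries still paid for work that cannot be done during the downtime."""
    per_day = sum(g.users * g.avg_daily_salary * g.productivity_lost for g in groups)
    return per_day * threat.downtime_days


def sales_loss(threat: Threat, annual_turnover: float, trading_days: int = 250) -> float:
    """Sales that never happen while the threat keeps operations stopped."""
    daily_sales = annual_turnover / trading_days   # assumes 250 trading days a year
    return daily_sales * threat.relative_rate_of_sales * threat.downtime_days


def regulation_loss(threat: Threat, annual_turnover: float) -> float:
    """Regulatory fine in the worst case; zero if no PII breach is involved."""
    return gdpr_max_fine(annual_turnover) if threat.triggers_gdpr_fine else 0.0


def total_threat_loss(threat: Threat, groups: list[ImpactGroup],
                      annual_turnover: float) -> dict[str, float]:
    """Break the Total Threat Loss into the components the board will ask about."""
    parts = {
        "salary_loss": salary_loss(threat, groups),
        "sales_loss": sales_loss(threat, annual_turnover),
        "regulation_loss": regulation_loss(threat, annual_turnover),
        "market_loss": threat.market_loss,
    }
    parts["total_threat_loss"] = sum(parts.values())
    return parts


def remaining_exposure(total_loss: float, threat_protection_factor: float) -> float:
    """What the board still carries after a solution of the given effectiveness
    (0.0 = useless, 1.0 = the rare 100% efficient control)."""
    if not 0.0 <= threat_protection_factor <= 1.0:
        raise ValueError("threat protection factor must be between 0 and 1")
    return total_loss * (1.0 - threat_protection_factor)


def solution_case(total_loss: float, threat_protection_factor: float,
                  annual_solution_cost: float) -> dict[str, float]:
    """Cost of the solution versus the loss it removes: the ROI framing a CFO wants."""
    exposure_left = remaining_exposure(total_loss, threat_protection_factor)
    mitigated = total_loss - exposure_left
    return {
        "mitigated": mitigated,
        "exposure_left": exposure_left,
        "net_benefit": mitigated - annual_solution_cost,
    }


# Constructed sample company: 50M yearly turnover, 1,200 employees in three bands.
TURNOVER = 50_000_000.0
GROUPS = [
    ImpactGroup("high", 200, 300.0, 1.0),    # cannot work at all
    ImpactGroup("medium", 400, 250.0, 0.5),  # adapt, lose half a day
    ImpactGroup("low", 600, 200.0, 0.1),     # barely affected
]
RANSOMWARE = Threat("ransomware", downtime_days=5, relative_rate_of_sales=0.8,
                    market_loss=1_000_000.0, triggers_gdpr_fine=True)

if __name__ == "__main__":
    loss = total_threat_loss(RANSOMWARE, GROUPS, TURNOVER)
    for name, value in loss.items():
        print(f"{name:>18}: {value:>14,.0f}")
    # A solution that is 70% effective against this threat, costing 500K a year.
    print(solution_case(loss["total_threat_loss"], 0.7, 500_000.0))
```

For the constructed company the regulatory ceiling dominates the Total Threat Loss (20M of roughly 22.4M), which is the point the text makes about fines most companies would not survive; running the same threat with `triggers_gdpr_fine=False` shows how much of the figure hinges on whether PII is involved. To compare on-prem and in-cloud deployments, call `solution_case` once per environment with the protection factor measured for each.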

For 2020, CISOs must answer critical business questions clearly and speak in exact figures. They must quantify cyber threats and present solutions in terms of how they help maintain critical business strategy and operations. 

With Boardish – boardish.io – CISOs will have access to a tool that helps them quantify cyber threats quickly, without having to deploy anything on-premise or grant access to their systems. 

CISOs must work together with all departments and get all relevant information to present real threats in real numbers. 

Boardish can help them create a snapshot of their company and help them run scenarios of different threats and their financial and market impact. 

Let 2020 be the year of real numbers!


How Much Should A CISO & Other Cyber Professionals Earn? (aka How to benchmark your Salary?)


CISO Salary roulette wheel

I got the inspiration for this article after listening to the David Spark podcast (Defense in Depth) which talked about Security Budgets, “We’ll find the Cyber Security budget when we’re breached”.

In this podcast, one of the participants “Yaron Levi” ( the CISO of Blue Cross ) brought up the “Value” element. That you need to understand the value of the company and then you can understand Cyber Budgets.

I fully agree.

But this got me thinking on the big issue of “Value assessment / knowing the value of …” in Cyber Security. I meet (well, now it’s mostly Zoom 🙂) and hear many Cyber Professionals discussing the vastly different Salary ranges across the industry.

There doesn’t seem to be a clear definition for: “How much a CISO should earn” from either the business side or from Cyber Professionals.

This leads me to the core of the issue.

A lack of ability to assign value, which in my eyes is one of the biggest issues in cyber security.

It’s impacting cyber budgets, cyber salaries, and has everything to do with value rather than money.

Cybersecurity and IT have always been hard to quantify (it’s why I started Boardish in the first place) and this is because the ‘value’ is defined in different ways. As an example, technology value can be seen in:

  1. Facilitating business working/development/growth
  2. PREVENTING cost-impacting events e.g. ransomware, or data breach fines etc.

So what does this mean for CISOs and cyber professionals and getting paid?

The Traditional approach to salaries and consulting has flaws within the realm of Cyber Security:

When going to an interview or a meeting regarding the fees of consulting or the salary you will ask for, you will try to negotiate your pricing based on the following:

  1. Your experience level.
  2. How you perceive the company’s ability to pay.
  3. The market averages for this specific role and sector.
  4. And of course – Your “shrewd negotiator abilities”.

Usually, with those 4 metrics, you will determine your Bottom and Top ranges of salary/price.

This approach is fine, but for Cyber Security it just does not work well enough, for the following reasons:

  1. Your Experience Level – Cyber Security is constantly changing and evolving. Your experience level is important, but being a specialist in “something” does not mean this “something” will be relevant in 3 months; it’s your learning capabilities and ability to react which are, in my eyes, more important than your “classic experience”.
  2. How you perceive the company’s ability to pay – Yes, you can research a bit and know the turnover of the company and in general what the average salaries are, BUT you don’t know how much value the company puts on Cyber Security. The company can be huge and very profitable but not value cybersecurity at all, and so will not see value in your proposition regardless of what it is.
  3. The Market averages for this specific role and sector – You usually do not have visibility into how complex the system is, what the Risk Exposure is, or how much Financial Risk you will be responsible for. So 2 companies who look EXACTLY the same from the outside may be completely different in the “Risk Levels” that the CISO needs to take under his/her responsibility.
  4. Shrewd negotiator abilities – Always a good thing to have, but without them seeing the value of what you’re offering, it’s not going to be much of a negotiation! 🙂

So how should CISOs and Cyber Pros be approaching this instead?

The key in my experience is looking from the perspective of value to the company and ‘knowing the financial amount (and risk) that you’ll be responsible for.’

Depending on the amount of risk you’ll be responsible for, you can set your acceptable minimum and preferable maximum salary.

CISOs (and other Cyber Security professionals) must be able to QUANTIFY what they are responsible for. There is a huge difference in the level of responsibilities and mitigation needed between $100M and $10M, so the salaries shouldn’t be the same because the VALUE is not the same.

To put this into perspective: if you are interviewed for a position that means you’re responsible for mitigating $100M of Cyber risk to the company, would you consider $60K yearly enough?

How do you Quantify the value of ‘How Much a CISO is worth to the company’?

You need to know 3 main metrics:

  1. The company’s Turnover – this is usually something you can easily research yourself and get a ballpark.
  2. The Total Financial Figure of Cyber Security Risk that you will be responsible for mitigating. (This can also be done via the Boardish Methodology and Boardish Tool I’ll discuss in the next section)
  3. The current remaining exposure, AKA “Total Threat Loss (Minus) how much was mitigated already” = The actual Financial figure you will be responsible for.

How To Use Boardish To Get This Figure

You can use the Boardish Methodology and tool exactly as you would for budgeting, because this information is gathered in the same way. After completing the wizard you will get on your Dashboard EXACTLY what we discussed!

How the Boardish Methodology works:

After filling in the information, your Dashboard will show you a clear connection between the Turnover of the company, the biggest Threat in financial figures, and the remaining exposure.

In the screenshot below the biggest threat has a total Threat Loss of 93M (which is twice the yearly turnover of the company which is 75M) with a remaining exposure of 46M.

So when looking at the ‘value’ of the position of CISO for this company, you will be responsible for a Financial Risk figure of 46M in a company with a 75M yearly turnover.

Now that you have the figures – you unleash your “shrewd negotiator abilities”.

Ultimately, when it comes to your value, don’t let the market ‘assume for you’, in fact, don’t assume at all. Quantify!

You can use Boardish Basic to quantify completely free!

Sign Up here: https://app.boardish.io/

Learn more here: https://www.boardish.io/

Eli Migdal – Co-Founder of Boardish.


Boardish Glossary: Risk Quantification Terminology


The risk quantification process is crucial in order to help the board make financial decisions a lot quicker. To help you better understand the process, we compiled a comprehensive list of risk quantification terminology. These terms are divided into three categories: Filter Terminology, Dashboard Terminology, and Boardish Terminology.

Filter Terminology

Regulation Loss – The financial impact to the organisation in the event of being hit by regulation fines as a result of a threat or combination of threats to the organisation.

Sales Loss – The amount of sales lost as a result of a threat or combination of threats to the organisation.

Market Loss – The financial impact of losing market positioning as a result of a threat or combination of threats to the organisation.

Salary Loss – The amount of financial impact to salaries as a result of a threat or combination of threats to the organisation.

Dashboard Terminology

Total Threat Loss – The total risk of financial damage to your company as a result of the threat.

Solution contribution on-prem – How much financial impact the solution has in mitigating the chosen threat on premises.

On-prem exposure – The outstanding financial risk from threats on premises.

Solution contribution in-cloud – How much financial impact the solution has in mitigating the chosen threat in the cloud.

In-cloud exposure – The outstanding financial risk from threats in the cloud.

Boardish Terminology

High-Impact Users – Users who are very affected or cannot perform their daily job roles or functions in the event technology in the organisation becomes unavailable.

Medium-Impact Users – Users who are affected and have to adapt their daily job roles or functions in the event technology in the organisation becomes unavailable.

Low-Impact Users – Users who are barely, or not affected in their daily job roles or functions in the event technology in the organisation becomes unavailable.

Relative Rate of Sales – The percentage of sales lost per day during closure or if a risk comes to fruition.

Threat Protection Factor – The performance effectiveness of the solution against the threat.
