I got the inspiration for this article after listening to the David Spark podcast (Defense in Depth), which discussed security budgets under the title “We’ll find the Cyber Security budget when we’re breached”.
In this podcast, one of the participants, Yaron Levi (the CISO of Blue Cross), brought up the “Value” element: you need to understand the value of the company before you can understand cyber budgets.
I fully agree.
But this got me thinking about the bigger issue of “value assessment”, or knowing the value of something, in cyber security. I meet (well, now it’s mostly Zoom 🙂) and hear many cyber professionals discussing the vastly different salary ranges across the industry.
There doesn’t seem to be a clear definition for: “How much a CISO should earn” from either the business side or from Cyber Professionals.
This leads me to the core of the issue.
The inability to assign value is, in my eyes, one of the biggest issues in cyber security.
It’s impacting cyber budgets and cyber salaries, and it has everything to do with value rather than money.
Cybersecurity and IT have always been hard to quantify (it’s why I started Boardish in the first place) and this is because the ‘value’ is defined in different ways. As an example, technology value can be seen in:
So what does this mean for CISOs and cyber professionals and getting paid?
When going to an interview or a meeting regarding the fees of consulting or the salary you will ask for, you will try to negotiate your pricing based on the following:
Usually, with those 4 metrics, you will determine your Bottom and Top ranges of salary/price.
The key in my experience is looking from the perspective of value to the company and ‘knowing the financial amount (and risk) that you’ll be responsible for.’
Depending on the amount of risk you’ll be responsible for, you can set your acceptable minimum and preferable maximum salary.
CISOs (and other cyber security professionals) must be able to QUANTIFY what they are responsible for. There is a huge difference in the level of responsibility and mitigation needed between $100M and $10M, so the salaries shouldn’t be the same, because the VALUE is not the same.
To put this into perspective: if you are interviewed for a position that makes you responsible for mitigating $100M of cyber risk to the company, would you consider $60K yearly enough?
You need to know 3 main metrics:
You can use the Boardish Methodology and tool to get this information, because it’s similar to budgeting. After completing the wizard, your Dashboard will show EXACTLY what we discussed!
After filling in the information, your Dashboard will show you a clear connection between the turnover of the company, the biggest threat in financial figures, and the remaining exposure.
In the screenshot below, the biggest threat has a total Threat Loss of 93M (which is twice the yearly turnover of the company, which is 75M), with a remaining exposure of 46M.
So when looking at the ‘value’ of the position of CISO for this company, you will be responsible for a Financial Risk figure of 46M in a company with a 75M yearly turnover.
Now that you have the figures, you can unleash your “shrewd negotiator abilities”.
Ultimately, when it comes to your value, don’t let the market ‘assume for you’, in fact, don’t assume at all. Quantify!
You can use Boardish Basic to quantify completely free!
Sign Up here: https://app.boardish.io/
Learn more here: https://www.boardish.io/
Eli Migdal – Co-Founder of Boardish.