So, how much is a day of not being able to sell (or work) worth to your company?
The headline is always my answer to this question:
“What is the most important metric in the Cyber Budgeting approval process (internal) or Cyber Sales approval process (external vendors)?“
When you are selling a Cyber Solution, internally as a CISO, CIO, CTO or externally as a Cyber vendor selling to the CISO’s, CIO’s, CTO’s you are not really selling technological solutions, you are selling Risk Reduction (mitigation.)
We need to be honest with ourselves, MOST cyber solutions are not “money makers”, they are “Risk Reduction tools” that protect the “money makers”
ok… but Risk Reduction for what exactly?
Well, this is the million (and sometimes billion-dollar) question, to know this you need to understand the business and understand the company you are in or selling to.
Then, quantify how much a “Single day of not being able to work/sell” is worth/costs to the business! It’s the best first step to any budget approval, or cyber sales approval.
I loved the quote from Steve Zalewski, Deputy CISO at Levi Strauss “How are the cyber attackers impacting my ability to sell jeans?”
And it’s exactly this.
Decisions are made financially in business terms (what makes money for the company) and as cyber professionals, we sometimes forget that not everyone is on the same page (or even cares about) the technology.
But everyone understands the importance of the business working and making sales.
Cyber needs to be able to bring their proposals to the table just like this in a very clear way. With the cost of threats (what is your business day worth?) versus how much your cyber solutions cost.
Then you present the vendors/solutions that give you the most value which is maximum protection (mitigation) for the minimal cost (ROI).
When you quantify the worth of a single day of sales and labour to the company, and then you present costs of solutions etc. You’re in a much better position to show the true benefit and ROI of cyber solutions for your budget.
So… how do you do this?
I will demonstrate with the Boardish Methodology (full link below)
Step 1 – Company information:
Full guide – https://www.boardish.io/company-information-guide/
- Turnover figures can be mostly found very quickly on the internet based on the financial reports of the company or even better – you have the perfect “excuse” to ask your CFO and explain you are doing a Cyber Risk Quantification process.
- Number of High / Medium / Low impacted employees – IT should have this info, they should know how many users/computers and how many users will not be able to do their work if the Computing system is down.
- Workdays per year – Information that is easily acquired from the IT or COO, the average nonproduction facility organizations work 252 days but companies that have production floors usually work from 300 up to 350 days a year
- Average Salaries of High / Medium / Low impact employees – Initially this seems like a hard question but you will be surprised how easy it is to find this information online with services like “glassdoor” and MANY other online benchmarking sites, remember you don’t need the exact figure, you need an average to make this assessment, the best thing is always going to your CFO and ask this figure directly as part of your Cyber Risk Quantification process.
Step 2 – Quantify the Threat impact:
Full guide – https://www.boardish.io/boardish-solutions-guide/
This information will usually come from your Risk vulnerability / Assessment process but in order to get you started, I suggest a very simple approach.
Assume that each threat will have an impact of 1 workdays Loss and 1 Turnover days Loss with 50% sales Loss, make it your initial benchmark
This way you do not need to dive deep into the Risk Assessment process which can be very lengthy. You take the best case impact as 1 day (which is the best possible case).
Then, continue with the remaining steps.
In Step 4 ( Threat Protection Factor )
Make all solutions 50% efficient in mitigating the risk.
Why only 50%?
Because it’s a very easy benchmark to start the Cyber Risk Quantification process. You’re allowing a huge buffer here with a best-case mitigation scenario.
The result? Your dashboard:
After completing the remaining steps in the Boardish Wizard you will be shown your Dashboard.
I suggest filtering out the “Market Loss” & “Regulation” initially and focusing purely on Sales Loss and Workdays Loss as your key metrics (unless you’re in a highly regulated industry.)
It will show you Instantly the threat cost of not being able to work and sell for 1 Day.
From this 1 day metric, you start a budget approval or sales approval conversation with decision-makers whether you’re a cyber professional or a vendor.
When you Quantify the cost of threats you immediately connect what you are doing with the value and “money-making” of the company. Showing that you’re not trying to “take money”, you are providing a solution so the company can continue to make MORE money.
You are not selling a specific “Technology”, you are selling the ability for your company to continue selling and even increase sales.
Sign up to Boardish and try it out here: https://www.boardish.io/
Or, if you want a personal demo, drop me a message and let me know! I’m happy to show the power of Boardish.
Eli Migdal – Co-founder of Boardish