Boardish Glossary: Risk Quantification Terminology


The risk quantification process is crucial because it helps the board make financial decisions much faster. To help you better understand the process, we have compiled a comprehensive list of risk quantification terminology. The terms are divided into three categories: Filter Terminology, Dashboard Terminology, and Boardish Terminology.

Filter Terminology

Regulation Loss – The financial impact to the organisation in the event of being hit by regulation fines as a result of a threat or combination of threats to the organisation.

Sales Loss – The amount of sales lost as a result of a threat or combination of threats to the organisation.

Market Loss – The financial impact of losing market positioning as a result of a threat or combination of threats to the organisation.

Salary Loss – The amount of financial impact to salaries as a result of a threat or combination of threats to the organisation.

Dashboard Terminology

Total Threat Loss – The total risk of financial damage to your company as a result of the threat.

Solution contribution on-prem – How much financial impact the solution has in mitigating the chosen threat on premises.

On-prem exposure – The outstanding financial risk from threats on premises.

Solution contribution in-cloud – How much financial impact the solution has in mitigating the chosen threat in the cloud.

In-cloud exposure – The outstanding financial risk from threats in the cloud.

Boardish Terminology

High-Impact Users – Users who are very affected or cannot perform their daily job roles or functions in the event technology in the organisation becomes unavailable.

Medium-Impact Users – Users who are affected and have to adapt their daily job roles or functions in the event technology in the organisation becomes unavailable.

Low-Impact Users – Users who are barely affected, or not affected at all, in their daily job roles or functions in the event technology in the organisation becomes unavailable.

Relative Rate of Sales – The percentage of sales lost per day during closure or if a risk comes to fruition.

Threat Protection Factor – The performance effectiveness of the solution against the threat.


The 5-Step Framework For CISOs Starting in a New Company (If you want to stay longer than 6-12 months)


To start with, here’s some background about me and why I consider myself to be in a position to suggest these steps. And as a word of warning, I will do it the “CISO” way: no “background sales noise”, just straightforward and to the point:

  1. I’ve been working in IT for over 15 years, 8 of them in Cyber.
  2. I’ve created successful companies and products for both IT and Cyber.
  3. I’ve acted as a vCISO, Cyber Consultant, and auditor for over 50 organizations globally, from micro to enterprise businesses (from 5 employees to global banks).
  4. I’m the co-founder and creator of Boardish, which is a specific CISO “Risk To Financial figures” tool to help the connection between the CISO and Board.
  5. I listen a lot to David Spark and other amazing professionals in the industry who know their stuff. I don’t think the CISO world starts and ends with me! 🙂

Why does all this matter?

As a vCISO and a consultant I usually need to achieve results very quickly, in some cases within a month. So I built a methodology to “speed things up” – in our profession you either sink or swim, so these are my 5 recommended steps:

Step 1: Get / Request / Demand! Clear expectations regarding “Why you are there”

Most of the CISOs I meet tell me that one of the hardest things they encounter is the “lack of clarity” about their role and the expectations from the business.

As a result, authority is unclear and it is difficult to make any actionable changes. That’s one of the reasons (in my experience) why CISO roles have such a high staff turnover rate.

I suggest that the first step is having a meeting with the C-SUITE and asking them VERY clearly: “What are you expecting from me, and what are my goals from the perspective of the business?”

I have encountered the following scenarios for “why we need a CISO”; I am sure you have encountered MANY others:

  1. Make the company more secure after a breach (usually the most common one for CISOs).
  2. Protect the company against regulation and compliance fines.
  3. We “Need” a CISO “in place” DUE to regulation and compliance – This is often the hardest for a CISO because it doesn’t mean “Anything” regarding goals. You then have to set your own criteria and clarify.
  4. To make a product/software more secure (sometimes it’s the Product and not the company; usually software companies).

In each scenario, you need to make sure that your success criteria are crystal clear, for example:

  1. Reduce the risk of a Data breach by 50%
  2. Increase our overall security posture by 30%
  3. Reduce our recovery time from a cyber incident by 30%

YES – they are hard to quantify, but this is part of our job and I will discuss it in the next steps.

In many cases, you will need to set your own performance criteria because your C-SUITE / Board won’t have any for your role. I always like to use the gamification of “For every year we kept the company safe without a major incident I get 10 ‘Victory Points’, and for each major incident minus 30 ‘Breach Points’”.

This approach shows decision-makers the “long game” and makes them appreciate every year without a breach, and YES – you need to reach that 3 years mark to be relatively “safe”.

Ultimately, if you don’t quantify, you leave yourself vulnerable as a scapegoat: “The CISO got fired after a single phishing incident” rather than “Our CISO has kept our organization incident-free for over 8 years, so they are too valuable to get rid of.”

Step 2: Get to know all the other risk owners and gain visibility to what they do and how it impacts the business, AKA “Know thy business”

Usually, Step 1 or Step 2 is Risk Assessment, BUT – how can we assess something we do not understand yet?

We need to understand which function, or several functions, really drive the business. Which functions are the main catalyst – is it R&D, Sales, or Marketing?

You need to see the entire company FLOW, and you may be surprised, but the flow will look a bit different depending on whom you ask.

It’s our job to “attach” all the different pieces or perspectives into one and then link it with the “expectations” section of Step 1.

This step will also allow you to avoid a common mistake, which is not seeing or figuring out which department “really” carries the most decision power.

(CISO’s – We have all been there: a great plan, great solutions but … it doesn’t meet EXACTLY what department X wants and so the CEO dismisses it… don’t go there … )

If you are woken at 2 AM and asked “which is the department that you need to ‘sell’ first to get all the rest in line?”, you need to be able to answer without thinking – that’s true visibility into the flow of the company.

Step 3: Build a Risk Assessment plan + Attach an OWNER TO EACH RISK

I won’t go deep into the micro of “how to do a risk assessment plan”, but here are several important tips:

  1. Get as many people from different departments, power users, or ambassadors as you can and involve them in the process! In most cases they can see risk in places which you still can’t (because you are new to the organization).
  2. Use tools – there are some great CISO tools for Risk Assessments which use all the relevant frameworks like NIST, FAIR, and more. USE TECHNOLOGY to streamline the process. I am still a bit confused when I see CISOs using “Excel”; we are “the Tech Gods!” – the ambassadors of “making tech more efficient for the process” – so lead by example and save yourself time and errors.
  3. When assigning risk scores – make sure that most (it’s not usually all) of the people involved will agree, or at least won’t argue against your assessment. If you value something as low risk and most of the participants consider it to be high risk, you need to do deeper due diligence. I usually use Risk Assessment on the Risk Assessment: if the risk is not certain, that is a risk by itself, so I “increase it up a level”.
  4. Risk Ownership – Each risk NEEDS to have an owner. In some cases it’s more obvious, like with a DPO or CCO; in other cases you as the CISO will be the risk owner. But something to be aware of is that in my experience other departments will try to “reduce” / “manipulate” the risk, e.g. “Protecting the website from SQL Injections is not really the Marketing / Sales departments’ issue, even though 100% of sales are done via the site.” You need to be very assertive in nominating Risk Owners; if the people nominated don’t agree with your nomination, then the Risk can be transferred.

(I’ll discuss this in the next steps. Hint: either you have skin in the game or you don’t have a say regarding the Budget!)

Step 4: Build a mitigation plan and Quantify it to actual financial numbers!

What is the point of a risk assessment plan if you don’t have a plan to mitigate those risks? In order to mitigate those risks you need MONEY and resources! (People / Tools / Both)

  1. Quantify the Threats! – Translate / Convert / Quantify the Threat from “Risk Scores” to the financial impact. In the above example: SQL Injection is High probability and High Impact? Great, but what does it really say to the other department heads and C-SUITE? Not a lot. Instead, if you say, for example, that an SQL Injection has a Threat impact of $50.5 Million on your organization, suddenly they will listen.
  2. Quantify the Solution – How much will it cost? Both the one-time purchases, maintenance, human resources required – everything … a proper “total cost”.
  3. Show in MONEY what the remaining exposure is if your proposed plan is implemented.
  4. Show decision-makers your Risk Assessment plan and your mitigation plan combined. Don’t waste their time on Risk Scores – come with decision-making information and plans.

I created a tool to do EXACTLY this – www.boardish.io (last promotion in the article, I promise).

Step 5: Negotiate Risk Owner VS the budget for your Mitigation plan

Remember Step 1? You are usually put in the organization to make it more secure, and making it more secure costs money.

Some departments / C-Suites / Boards will push back and say “it’s too much, we are not responsible for this, it needs to come from IT and not from our department”, and so on.

Yes, you need to be cost-efficient, but you also need to be very strict with your professional assessment, for example:

  1. You need $250K to fix the biggest issue, which is “Data Breach” for the specific company.
  2. Your Board / decision-makers say “No” (it’s too expensive, or any other reason).
  3. You say “Ok” – BUT – when you’ve said “No”, you become the owner of that Risk and not me, the CISO. So when a data breach occurs it’s crystal clear that I planned how to mitigate it (you brought me in to do exactly this) and you said no. You can’t force them to say yes to your proposal, but you can be very clear on risk ownership and that ‘no’ means they own the risk now.

I already hear you saying “BUT – Eli, you are not being realistic – they don’t listen to us …” and many more excuses.

Yes – Being a CISO is a VERY HARD JOB; you need to be professional and to have highly evolved people skills to be able to cope with big changes. A CISO is a much more managerial role than a “techy” one in my view.

But remember that if you “cave”, accept a “No” and own the risk, it’s just a matter of time before this risk materialises (Data Breach) and you will be at fault. It’s your risk, and you did not fight hard enough to get your budget approved.

CISOs are in new waters: deep waters, waters with different tides and the occasional tsunami, so it’s time to sink or swim.

Eli Migdal


Quantifying The Financial Impact of Mass Absence From Your Business


This article was written by our founder Eli Migdal and posted on LinkedIn here.

In the Boardish community, we have noticed a big spike in companies adding the threat of “Immobility” (not being able to work remotely).

I want to help by showing you a basic guide on how to use the Boardish platform* to understand the costs of immobility, for example in situations like the Coronavirus where many people have to self-isolate but are still able to work, so that you can get quick approvals from decision-makers on solutions to solve this.

*You can do this with the free version of Boardish as well.

Step 1 – Company information:

Fill in your company information; all threat impact and solution mitigation figures are calculated based on the size, type and financial posture of the organization.

Step 2 – Threats:

Add a custom threat (go to Add Threat Type). You can call it “Immobility”; we’ve also seen variations such as “Not being able to work remotely” and “no remote working option”.

Then we look at the critical operational information, like how much the threat impacts the day-to-day. It’s different for each company, so we recommend involving your Operations, Sales, and Marketing teams.

In our example company below we have:

  1. Set the Chance of Losing Marketing position to Medium.
  2. Included 25 Turnover Days Loss (days you are not selling because of a mass absence of staff, and in this case your company doesn’t have remote working capabilities).
  3. 50% of Sales Loss on these days (because not all functions are impacted, some are automated, etc.).
  4. 14 Workdays Loss predicted for High, Medium and Low impact users (for example, a self-quarantine period of two weeks).

Step 3 – Solutions:

We will add 3 possible solutions that help us with the threat of “not being able to work remotely”:

  1. Video conferencing tools – Note that many companies are now offering a free option as well (due to the Coronavirus outbreak). So for this example, I made the cost of video conferencing free.
  2. Advanced identity management tools – Tools that help you to protect remote identity by adding “Device Identity”, MFA, geographical restrictions and other abilities that help you to work remotely and securely. This is also very important for BYOD capabilities, which are a big part of working remotely. For this example, I made the cost $7 per user.
  3. Cloud security solutions – When working remotely, tools like Dropbox, OneDrive, Box, Google Drive, etc. will be used more, so we will need tools to secure them in the business, particularly to make sure we can differentiate between sensitive and non-sensitive types of files being worked on and shared remotely. So in this example, I made the cost $6 per user.

For the purpose of this example, I’m staying vendor-neutral, but I will be using the solution type field.

Step 4 – Threat Protection Factor (the efficiency of solutions against threats)

In this section, we set the effectiveness of the 3 solutions against the same threat. The TPF section is where you can use your experience and knowledge of solution efficiency to take manual control.

Based on my experience, I have used the following info:

  1. Immobility and Video Conferencing – 80% on Prem, 0% Cloud
  2. Immobility and Advanced Identity Management – 0% on Prem, 75% Cloud
  3. Immobility and Cloud Security – 0% on Prem, 70% Cloud

Step 5 – Expert costs

This section is very important when showing solutions to your decision-makers. Video conferencing solutions may be free to use, but they will require resources from IT to train and support; these resource requirements and costs need to be quantified.

I have used the following info:

  1. Video Conferencing – Will require 100 hours yearly of 1st Level IT, mainly for support of setups or connection issues.
  2. Advanced Identity Management – Will require 50 hours of your Cyber Staff to configure and 100 hours of your 2nd Level IT to support.
  3. Cloud Security – Will require the same as Advanced Identity Management (for this example).

*Again, you can use the figures for ongoing support if you know them for a solution you’ve used previously or are benchmarking.

Step 6 – Regulation

In this step, we will set the GDPR impact for this threat. Immobility doesn’t have a direct GDPR impact unless there is a security issue that has not been taken into consideration, and that is likely to be caused by something specific other than lack of mobility.

So, in this case, I have configured the GDPR regulation impact as none.

Dashboard:

Once the dashboard is complete, you will get clear figures on the following:

  1. Cost of the Threat – $39.92M
  2. Cost of Solutions: $64K in total

This is “decision-making” knowledge provided to your stakeholders. If your company information is as clear as in this example, you will get your budget request approved for solutions that combat an immobility threat, particularly in cases of mass absence.

To quantify immobility in your organisation, you can run the same simulation with your own information in Boardish.

Learn more here: https://boardish.io/

Sign up here: https://app.boardish.io/


CyberTech 2020: Insights From Eli Migdal (Part 1)


Our founder Eli Migdal attended the CyberTech 2020 event. In this video, he discusses the biggest issue cybersecurity is facing right now – response times to new threats.

He explains that the issue isn’t a lack of solutions, and that there are numerous vendors working on different solutions for the same problem. He further stated that he counted at least 15 cybertech companies working on solving fraud detection and breaches, which gives him the perfect opportunity to address a rather pressing issue – choosing the right solution.

“How can we quickly choose between them if there are so many solutions?”

Eli argues this is the tricky part of the cybersecurity business. There are different solutions that all work well for a particular issue, but which one is best?

“As professionals, we still need to investigate those solutions.”

While a solution might sound good on paper, it only becomes clear whether it’s the right choice after a proof of concept and evaluation.

This process of determining the best solution cannot be sped up, but the process that follows can be. The solution cybersecurity experts choose needs to be presented to the board of directors.

“We must make it quicker,” he says of the process of getting approval for the solution, which cannot wait, especially when there are so many threats to address and so many solutions to choose from.

He explains that the risk of security and breach issues can be mitigated greatly if organisations move quickly enough. This means that the decision-making process of the board “must be quicker than the bad guy’s”.

“We don’t have a technical solution problem […] the cybersecurity community can solve the majority of the problems; we just need to move quick enough.”

This means that we need the means to speed up decision-making. When our decision-making is quicker than the bad guy’s decision-making process, we’ll be able to address cybersecurity before it becomes an issue.

IT Budgeting Practices that Deliver


IT budgets often seem to be preallocated and aimed mostly at regular operations only, according to Deloitte’s Global CIO survey. This poses an issue, as such allocation doesn’t leave much room for tech innovation. What little remains of the budget usually goes towards incremental changes.

Yet there are positive movements showing that IT spending will increase where there are revenue opportunities, security concerns, or good business conditions, as reported in TechRepublic’s IT Budget Research Report. Per the report, the top priorities include security, cloud computing, and employee training.

So how can you get the board to approve the IT budget you need? Start by following these best practices:

1. Keep track of your spending

When you’re making your new annual IT budget, IT spending from previous years will help you determine where you had enough, where you had too much, and where funds were missing. Armed with data from previous years, you’ll be able to reallocate funds instead of just trying to get a budget increase.

Showing the board that you are focusing on efficiency and doing what you can with the budget will help you get more of your plans approved.

2. Show stakeholders that IT is more than utility

It’s not the board’s or decision-makers’ job to understand everything there is to know about IT and cybersecurity. They may have heard about the latest networking equipment or enquire about the cloud, but not know how these technologies benefit the company.

You need to show innovation and be the first to start the conversation about new technologies, to show that IT isn’t just draining money. It’s your job to show IT’s value in your proposal.

3. Show them risks and threats

Keep up to date on the current threats and risks that the company faces. These might be cybersecurity risks because you’re not using new security solutions, or because your employees lack training in how to identify possible email phishing scams.

Keeping track of the threats to the business properly, with firm reasoning and justification, will help decision-makers understand why you need more funds.

4. Calculate the financial impact of skipping on new technology

Just telling them there’s an inherent risk of a security breach is not enough, though. The best way to communicate risk is to show them the actual financial impact numbers.

For example, you can show them how much it will cost to stick to the current technology stack. Then, make a comparison of using new technology – like cloud solutions – and how much less it would cost over time.

This way, even when implementation costs are high, you have the numbers to back up your claim of long-term savings.

5. Use Numbers AND visuals

While spreadsheets are the most common way to keep track of IT budgets, they aren’t the best option when presenting budgets to the board, because they are time-consuming and hard to interpret in a meeting.

Instead, turn the numbers into visuals so they can see at a glance what you’re talking about. It makes you more impactful, and they’ll appreciate not having to try to figure it out from a spreadsheet.

When looking at best IT budgeting practices, it’s important to remember that IT should always align with company goals, and there’s no better way to communicate this than by ensuring your IT budgeting is efficient, saves money in the long run, and clearly shows the board where the focus of IT spending should go.

Why Are IT Budgets Hard to Get Approved (and How to Make It Easier)?


As the time to draw up the IT budget nears, it can be stressful to think of ways to get it approved. Many organisations are not prioritising IT, and this can make approvals harder and harder. But why is this?

Recent statistics show that IT budgets are growing steadily, yet the allocation of those budgets is still heavily in favour of operational tasks. As a result, little is left for innovation, change, and protecting against risk. This poses a real issue, as companies that keep the status quo in their IT often get left behind by their competition and fall victim to ever-advancing cybercrime.

But the C-suite may not understand this. 

So why are IT budget approvals such an issue?

There seems to be a gap between what the board has in mind for IT and what IT professionals feel is needed. These issues most often boil down to having vastly different priorities and not seeing eye to eye. There are several reasons why it comes to that: 

1. IT is seen as a drain 

The biggest problem with IT budgets and the whole approval process is that they are seen as an unnecessary drain on the budget. When the board can’t seem to understand just what you are doing with the budget, it’s hard to justify it at all.

2. The board doesn’t know that IT contributes to revenue

There is rarely a direct correlation between IT budget and sales (i.e., revenue generation), and return on investment isn’t as apparent as with other departments. As an IT pro, it’s your job to shed light on that correlation. 

Basically, the questions you want to answer are: 

  • How are you improving customer experience? 
  • How is IT helping with more sales? 
  • Will your IT plans improve production?
  • How are you improving efficiency? 
  • How are you reducing business risks?

3. It’s difficult to present hard numbers

Another reason why it’s hard is that the very nature of the work you do is hard to quantify: How can you put numbers on the skills and expertise you have in your IT department? How does that translate into a figure that the board will understand? Can you quantify risk reduction or potential risk impact? How can you justify everyone’s role in the department?

4. There are issues in communication between IT and the board

Failure in communication is another reason why budgets seem to be stuck. When you don’t speak the board’s language, you will always experience a disconnect when you talk to board members. 

They will talk analysis and business risk. You, on the other hand, will talk about new technology, specifications, and why it’s better than what you already have. This causes miscommunication and makes getting approvals a much longer process.

5. Budgets are seen as operational only

Another issue with approval is that budgets are often predetermined. This most often happens when the board is viewing IT as a strictly operational asset – one that is there just to keep things working instead of making it possible to improve business, increase revenue, and reduce risk. 

6. Board response is slow

The environment nowadays is changing much faster, with many companies needing to adopt lean and agile methods to keep up, and IT seems to be left behind. The board is often set in its ways and just keeps IT budgets the same, even though some of the technology might already have reached the end of its life cycle.

So how can you make the approval process easier?

You might feel it’s frustrating to deal with so many hurdles and that there is no way around it. The most important thing to remember, however, is that the IT department is a crucial factor in any business. This is especially true nowadays, when all businesses are so reliant on technology and the ability to protect it.

Therefore, the IT department’s role is supporting business operations and growth. One way to do this is to adapt your IT budget pitch so it gets approved. Here are a few pointers on how to make the approval easier:

1. The IT goals should align with business goals. 

While it might be more natural to talk about technology, tech talk will often fall on deaf ears when you’re speaking in front of the board. Cybersecurity issues will stay poorly defined threats until you can present some real numbers. 

So instead of simply saying that operations will be safer, talk about risk and gain – how you reduce risk, how the new tech helps in that, and what the business will gain from the new tech in terms of revenue or savings.

2. Skip sheets, use visuals when pitching the IT budget

Use tools that let you present your data in a way the board will understand. While many IT pros stick to presenting a sheet with numbers only, these rarely help, as it’s hard to visualise the actual impact.

The better option here is to help the board visualise the possible gains. You can use tools that will generate the most important insights as soon as you input all the data and help you prepare charts and visuals that are easy to read and remember. 

3. Run possible scenarios 

A great way to get the board’s support and attention is to use your organisation’s real data to present possible future risks.

Instead of just saying there’s a possibility of a data breach, show instead how likely it is to experience a breach and how long it would take to detect it. 

Then, present a solution for the breach threat and show the new numbers – how much more unlikely it will become, how much faster you can detect it, and how much less of an impact it will have on revenue. 

There are already free tools like Boardish out there that help IT professionals run actual scenarios in front of the board and adjust them at any time, so the board sees the impact of proposed IT changes right then and there.

4. Give them something tangible 

The board will often disagree on your IT proposal if you want to implement new tools and software, especially if it’s a big and expensive project like moving to the cloud. 

Instead of staying focused on the cost of implementation, you should present them with the cost of NOT implementing such systems. 

For example, compare the cost of keeping your on-premise equipment vs. the cost of moving everything to the cloud. With on-premise systems, there is a much higher risk of breakdowns and downtime than with cloud systems, and with cloud you get greater flexibility.

In this scenario, you could explore the need to manually upgrade your on-premise systems, the work of implementing redundancy solutions, and the cost of overhead and utilities that come with on-premise systems. Then, you can compare all of that maintenance cost with the cost of moving to the cloud and the ongoing costs of using a cloud-based system. This way, the board will see that in the long run, moving to the cloud will save them a lot of money.

5. Be transparent 

Avoid presenting your solutions as the perfect way to solve the issue! Market shifts happen frequently, and so do shifts in the cybersecurity and technology sector. With new technology and threats, you might have to adjust your solution, so make sure the board understands the need to be agile.

GDPR, for example, disrupted the security sector to the very core, with many businesses risking fines because they just weren’t ready for such a shift. Adjusting all operations to new regulatory requirements demands that you have enough leeway in your IT budget to react to such changes on time. 

Conclusion

Remember that no matter how good you are as an IT professional, the board of directors are the ones who make the final decisions. Making sure you’re seeing eye to eye with them is crucial to getting your IT budget approved.

So make sure you use all the tools in your arsenal to show them clear visuals. This way, you can present scenarios showing how your projects help keep the company safe from threats, reduce risk, and increase efficiency. Most importantly, let them see that IT helps generate more revenue and protect against risk.

10 Pro Tips for Pitching Your IT Budget


The success rate of pitching your IT budget depends on how well you prepare for the pitch. You might have lots of new projects you wish to pursue, but what happens if you don’t get approval? 

The following 10 tips will help you secure a successful pitch.

1. Determine Board Expectations

The board’s budget expectations are a crucial factor that determines whether you’ll get what you’re asking for or not. 

Those expectations depend on current company earnings (good earnings equal budget increases, while a slow year might mean cutbacks), overall economic climate, and the importance of your department within the company. 

But most importantly, it's about understanding what the board expects from the budget. How does the board want IT to facilitate business needs? Understand these expectations and you're likely to formulate a budget that's more successful.

2. Gather C-Suite Intel

The corporate level is your go-to source of relevant budget information before pitching your IT budget.

Corporate executives will have already set up a general budget for the upcoming period, and you can use this as a guideline. It will tell you whether you can request an increase or whether it's better to wait, and it will allow you to test the waters.

3. Align IT Priorities with Business Priorities

A dialogue with c-suite executives will also shed light on current business priorities – what’s the most crucial goal to accomplish – and you can tune the budget towards achieving that goal. 

You’ll have a much easier time pitching your IT budget if your priorities are aligned with the overall business priorities. 

Make it clear that your IT spending is in service of achieving long-term business goals.

4. Have a Strategy for Every Amount

If you're looking for a 15% increase when pitching your IT budget, you can't expect to get it approved if you don't have a plan or strategy for what you will do with that budget. As much as you'd like a 'buffer' in your budget, be prepared to quantify where every amount goes; the board shouldn't have to guess whether you will use that 15% well or badly.

5. Treat the Budget Like Your Own Funds

Many professionals, not just IT managers, seem to have an easy time spending company money without a second thought. It’s not yours anyway, right? 

This is the worst possible stance on it! You have to treat your budget exactly as if it were your own money and show responsibility. 

Instead of just asking for more because you didn't have enough in the last quarter, look for alternative approaches: is there a way to stretch the current budget so it will be enough? What are some areas where you can save?

6. No Need to Spend Everything

Are you spending every penny in your budget even if you don’t have to? Do you fear you will get less next time if the board sees that you can do well with less? 

Fear of cuts doesn’t justify spending everything just for the sake of it. Show the board that you know what you’re doing with the money you have and are working hard to save wherever possible. 

That way, when you ask for more, you’ll have developed more of an authority to justify it. 

7. Gather Team Input

Your IT team will have firsthand experience of what they are spending on most, as well as why. Is there a particular department that constantly needs new hardware, or perhaps you've recently implemented an upgrade, which is why you've spent more of your budget this year? Get information directly from the source and ask them about hardware, software, training, and what they think should have the highest priority and why.

8. Check Company-Wide

Conduct interviews and surveys, and invite the staff to offer suggestions and observations they had during different tasks and projects. Did they have a hard time accessing data because your data centres are not consolidated? Or perhaps they had issues with outdated software? 

You will have to make difficult choices when determining priorities, but this way you’ll have a much better overview of what to address first. 

9. Have a Backup Plan

You might not get approval for everything you requested, so before pitching your IT budget, determine what you can go without. Will you cut across everything, both ongoing and project expenses, or will you cross a project or two off the list?

10. Be Ready to Scale Down

Unforeseen circumstances can strike a business at any time, so make sure to have a plan in place in case you're asked to reduce spending mid-year because of lower earnings or business-specific issues.

Pitching your IT budget

Pitching your IT budget is the easy part; it's the preparation before pitching that you should focus on. When you have data from all relevant sources (the board, your team, and company standings), you'll have an easier time aligning your budget with company needs and getting approval.


Before Approaching The Board With An IT Proposal

When Should You Approach The Board With an IT Proposal

Every company wishes to be profitable, and in their pursuit of profits, it is not uncommon for businesses to push IT needs aside. As a CTO or IT manager of your company, it is your job to make sure the company IT requirements, both long and short term, are met by pitching IT proposals to the board.

This often requires you to stand in front of the Board of Directors and explain just why you need new software, new devices, new frameworks, new workstations, and above all, why cybersecurity should be more detailed than just having firewalls. Most of the time, however, the board might not be aware of just how detrimental it can be to push these needs aside, and that it can put the future of the company at stake, especially if there's a data breach.

What To Think About:

Your IT proposal idea – investing in a new encryption system for example – might seem like a logical choice, but never forget that staff, time, and money are limited, so the board will be very selective with their approval. 

Most IT proposal ideas come to you from observing daily work and seeing how it can be improved. For your proposal to be successful, you will need to define a problem that exists and then propose your solution. For example, you find that you don’t have a good overview of how data is shared within your company and who has access to it, so you’re looking for a security solution that will categorise data, restructure access, and give you a central hub from which you can monitor everything.

To get approval, you will always need to include a detailed project description, as well as the benefits, costs, plan and time scale, risk assessment, and resources needed for it.

Know Your Audience

Before you even approach the board, learn a thing or two about the members: 

  • What kind of background are they coming from? HR, Finance, etc.
  • What are their stances on current IT security systems? How much do they use the current system?
  • Are any of them from an IT background or a sector related to IT? How much will they understand?
  • How affected will they be by your proposed changes? Will it make their lives easier or cause a longer process for them?

With this in mind, you'll know how to tailor your IT proposal to talk specifically to them, foresee any pain points that may come up, and address them first.

A Matter Of Perspective

You then need to consider the board's point of view when it comes to your proposal and where the company is right now. If the company is looking at growth, innovative proposals will probably be better received. On the other hand, if the company is struggling, only the essentials will be considered. You're likely to get something like the following three questions no matter the perspective:

  • How big of an impact will the proposal have on the budget?
  • How much risk is involved for the company, with or without the proposed implementation?
  • How fast will they see the investment returned? (Or how quickly will the protection be in place?)

Remember To Take Small Steps

One of the biggest mistakes you can make is to present an IT project that will require a complete overhaul of all processes and operations. These overhauls are disruptive to regular operations and are most often rejected because the business could very likely suffer in all areas.

Rather than presenting a complete reorganisation of the business, unless it's absolutely essential, break it down into smaller projects and propose different, less-impactful stages with a long-term goal in mind.

Speak Their Language

Your next step should be finding a way to present your solution so that it’s in line with company goals. The crucial elements of the project that you have to include are as follows: 

  • What is the background of the current problem? Present in detail what the problem is about; for example, how does data access affect the risk of a data breach? Provide statistics on data breach costs and on the lack of technology to detect breaches early.
  • How will your proposal solve that problem? List goals, objectives, and expected outcomes. If possible, offer a complete solution that will track data access in real time and detect anomalies.
  • What are the pros and cons of your solution? What are the project strengths, and what weaknesses do you expect?
  • Can this solution be adjusted as needed? Research reliability and scalability.
  • What is the time scale of the project?
  • What kind of impact will it have on operations?
  • What are the projected costs? Consider the initial costs for implementation and the recurring costs afterwards. Also present how much your proposed implementation is projected to save in the long run.

Without a detailed breakdown of such information, the board will have a hard time determining whether the project is actually worth it. To put it in perspective, explain how high the risk of NOT implementing the solution really is. Having your solution implemented means a data breach can be completely avoided. Without a solution that classifies and protects data, the costs will be huge and can ruin the company. 

ROI and risk assessment are the deciding factors, so your IT proposal should emphasise current costs, new project costs, savings, profits, and how your solution lowers future business risks. If you have that, you will get approved easily.

8 Types of Statistics You Need For Your Next Board Meeting

Board Meeting Statistics

Organisations tend to push IT proposals aside, often in favour of departments that can provide more tangible results. Yet the health of the IT infrastructure is an important building block of a successful organisation. This is the key takeaway that your board of directors should understand when you finish presenting your IT proposal in a board meeting. Statistics can help you achieve this. If you're wondering how to make your IT proposal more influential and get everyone on board (pun intended) with it, here are eight useful tips about proposal statistics that will help you.

#1 Make Statistics Relevant

Statistics provide an in-depth look at the current state of affairs and are a good starting point to showcase just how your solution can make it better. Back up every statement you make when presenting your IT proposal with statistical data: detail your current operations and IT structure, highlight the current issue, and present supporting evidence and figures. If you wish to implement new security solutions to the whole IT framework, explain what’s wrong with the current setup. For example, you have a significant amount of unstructured data that makes it hard to analyse and monitor everything. Show them statistics on how businesses without centralised data have a hard time protecting it.

#2 Statistics Provide A Fuller Picture

Staying ahead of your competitors is intertwined with staying on top of the latest technological trends, and it’s hard to keep up if you’re not an IT professional. This is why you shouldn’t stop at statistics about improving security and business operations in your organisation. Give the board statistics that highlight a full picture of how your IT solutions will affect their position on the market. How will they strengthen it? Will they shift power levels compared to the competitors?

#3 Use Their Point Of View – What Metrics Matter The Most?

This is the basic "what's in it for me?" question. What is the most important thing to them? Making sure the organisation remains profitable. How does your proposal help with that? Avoid being overly technical: explain how your proposed IT solution works, and then focus on benefits. Expect a "why fix it if it ain't broken" remark along the way, and prepare your statistics accordingly. For example, why would you invest in additional security measures if you've never had a security breach? You have to explain that data breaches have to be detected, and without the right solution, it's very hard to determine whether your data is being leaked or not. The recent example of Marriott shows that a breach can go on for years before being discovered. Statistics from other organisations showing losses, the business impact, and the true cost of a threat can be the numbers the board needs to see what they could be exposing themselves to.

#4 Prepare Data-Driven Answers To Their Pain Points

Prepare answers for the biggest pain points of implementing new IT solutions: downtime, costs, and the risks of not implementing the solutions you suggest. For some businesses, downtime is just not acceptable in any shape or form. To get them on board with your idea even if downtime is required, explain how much it would cost to do nothing in the long run. Prepare statistical data on the costs of implementation and switching to a new system vs. the costs of continuing to use the old system over the course of five years, and present long-term outcomes. You might want to invest in a system that can give you real-time statistics for such scenarios. When they see the numbers in real time, it will be easier to convince them.

#5 Alignment On Goals Is The Most Important Thing

It all boils down to whether your proposal aligns with the business goals. Find out which goals are most important, and then you can provide relevant statistics on how the implementation of your solution helps achieve those goals faster.

#6 Show Them Numbers On Disruptive Technology

New and better ways of doing things pop up almost every day, and it’s hard to keep up without investing in new solutions. Emphasise that those solutions are now cloud-based, which brings costs down considerably when compared to traditional in-house settings. This also makes them highly adaptable to your needs – if you need to scale up, they will scale up; if you need to take it down a notch, you can do that too, and the pricing will follow accordingly. This gives the company the much-needed agility to quickly respond to shifts in business environments.

#7 Present Opportunities

Follow up by quantifying the benefits of implementing your solution: for example, better security (by how much?), lower costs (by how much?), quicker adaptation to changes (how quick?), faster and less disruptive security updates, and so on.

#8 Also Mention Dangers

Explain that your solution doesn't come without risks. List those risks, as well as ballpark numbers on the likelihood that they happen, and present backup plans for each. Statistics are one of the best ways to make your IT proposal more influential and help you ace your board meeting.


IT Project Proposal Essentials For Your Next Board Meeting

There are IT project proposal essentials that you need if you want to be successful and get your IT budget approved. The best proposals have a detailed layout that answers all questions and pain points the board might have, in a language that they understand.

The main reason why IT project proposals, in general, fail is a lack of understanding on both sides. There is often a wide gap in communication between the board members and the IT team.

We can be led astray by assuming that the people we are presenting our proposal to share the same agenda, values, and needs, and this couldn't be further from the truth.

Your board members are not part of your IT team, and they will not have knowledge of the latest risks, threats, and developments. This is something that you have to lay out in your project proposal.

Here are the IT project proposal essentials that you should include:

Summary

Give them the most basic information at a quick glance. This should include the project name, purpose, and the key points you want to get across. People have a tendency to skim read and the summary is the first place they’ll look. Keep it brief, but give them the best bits.

Organisational Fit And Compliance

Make sure to explain how your solution fits in with the organisation’s strategy and long-term goals, and list all compliance requirements it should adhere to. Of course, you also want to provide proof that it is compliant with business and industry standards.

Then discuss the goals of your IT project, and define your objectives clearly. What do you expect from the project, what kind of outcome? What deliverables can they expect? Who will be the beneficiaries? Don’t just stick to the IT department, talk about it as an organisational whole. What are you trying to achieve for the business, and how does this tie in with their own business goals?

Costs & Benefits

Without tangible benefits, your proposal won't be approved. You need to quantify the risks and the solutions you're proposing: not only the benefits, but also what would happen if they don't approve it. Present industry statistics here; for example:

  • How much has business improved for others who implemented the solution?
  • What kind of value does your proposal provide?
  • How does it affect current operations? Will the company be able to increase revenue? Does your solution provide cost savings?
  • What is the cost of missing out?

Remember that it's likely that your resources are limited, so you will have to present a very solid case on why money should be spent on your IT solutions over other parts of the business. Any numerical data you mention here should be easy to understand. List your proposed budget, cost of implementation, and any ongoing costs. If your solution requires additional IT staff, know how to justify the costs that come with it.

Key Tip: Being transparent builds a good relationship with the board. They don’t like to approve projects to find out they actually cost a lot more in reality! Get really specific and detailed with costs, making sure they are accurate!

Disruption

One of the key IT proposal essentials that managers tend to forget is discussing the business impact during implementation. Is there going to be any downtime during implementation? For example: 

  • If you're implementing new IT security solutions, will you have to install new software on each workstation?
  • Is there going to be any type of setup involved once installation is finished? How long will it take?
  • Will the business have to be offline at any point and therefore be unable to take payments?
  • Are you planning to work over a weekend to avoid disruption, and does that increase costs?

Risk

Never, ever sugar-coat your proposal! If there are risks with your proposed solution, make sure you identify them, list them, and detail how to manage and mitigate them. It's not a bad idea to have a documented escalation path in case something goes wrong, as well as measures like project monitoring and progress reporting to keep track of the project implementation. Things rarely go smoothly, so this covers all bases, just in case, and shows the board you're looking at the project as a whole, rather than isolating it to your department.

Time Scale

Present the timetable for the project, including start and end dates, project phases, and milestones to reach. Never list ideal circumstances. Give your project ample time for each phase, because things never work out ideally, no matter how well you prepare everything.

Assessment

Finally, provide evidence that your solution is the best course of action. Give a good overview of the current system (or lack of) and explain why you should move away from it. Include some alternative solutions too, and explain why they are not such a good fit. Some board members might ask why change anything in the first place, so make sure you explain why doing nothing is a bad course of action (for example, competitors are never idle, IT systems continually evolve, etc.).

Visualisations

Meetings can be boring and graphs, charts, and diagrams can provide an excellent break and showcase what you want to get across instantly! Check out Boardish to see how it quantifies all of the data you need for your proposal, as well as sharing some interesting visuals you can use in your IT project proposal.

Just remember, before you start drafting your IT project proposal, always double check that you have all the IT project proposal essentials written down and then you’ll be ready for anything.
