How to Quantify Cyber Threats as a CISO in 2020


The recently released Internet Organised Crime Threat Assessment (IOCTA) for 2019 by Europol shows that the threat landscape has matured, and key threats have grown in persistence and tenacity. 

The report confirms that the threat from destructive ransomware remains high. Phishing, spear-phishing, and vulnerable Remote Desktop Protocol (RDP) deployments have been identified as the primary infection vectors. 

Such a threat landscape requires continuous effort to identify the main cyber threats to the organization and how much damage each of them can do. 

CISOs need to be prepared for 2020 and coordinate their security efforts with the board and their company goals. 

Communicating cyber threats in the board’s language—exact figures and business impact—requires a way to quantify these threats. 

To quantify these cyber threats, CISOs require greater access to the organization’s key financial data and other indicators.   

#1 Identifying the biggest threats and their financial impact on the company 

Identification of the largest cyber threats seems to be the biggest hurdle in presenting cyber risk and exposure, mainly due to the fragmentation of digital solutions in organizations.

According to Deloitte’s Future of Cyber Survey, 41% of CISOs state that Shadow IT is the most challenging aspect of cybersecurity management in the organization, followed closely by 37% of CISOs stating that cyber transformation presents a large challenge.

Shadow IT makes it challenging to quantify cyber risk, as there is no overview of all systems. This makes it next to impossible to get a good snapshot of organizational cyber maturity or security posture. 

When the departments integrate digital solutions on their own, there is no alignment of IT with critical business goals. 

How does it relate to quantifying cyber threats? 

The board requires a good overview of the maximum potential threat so they can make the right risk assessments. Getting Shadow IT under control is the primary objective in being able to deliver such assessments. 

Simply saying the largest cyber risk (such as data leakage or breach) will cost the company millions, destroy it, or have far-reaching consequences is not enough anymore. 

How much would the cyber incident cost if left as is? 

How much would your solution cost? 

How much exposure would remain after implementing the solution? 

Would your solution be a sound decision, from a financial standpoint?

Speak in actual numbers that affect the company, not industry averages.


#2 Getting access to the company turnover figures

Back in the day, CTOs (or sysadmins, as they were called in smaller companies) had nothing to do with turnover figures or any other financial statements outside the realm of IT. Times have changed, and nowadays cybersecurity is an integral part of every company. 

With digital systems running in every department, the CISO requires a full overview of each of them to devise a data and information security strategy that will minimise risk and make the organisation more resilient to threats. 

How does it relate to quantifying cyber threats? 

Nowadays, CISOs must have access to company turnover figures in order to be able to quantify risk in terms that the board will understand. If the board wants to talk about cyber threat risk figures, you must show them how cyber threats will affect the organisation’s turnover. 

The profit/loss reports would give better insight, but these are impossible to get if you’re not in a directorial position. Instead, focus on getting company turnover numbers to build your case.


#3 Presenting the impact of technology issues on employees 

To get a clearer picture of how a cybersecurity incident will affect employees, it’s best to separate users as high, medium, and low impact. 

Technology issues won’t affect all users in the company in the same manner. 

Some will experience only mild inconveniences but be able to continue working. 

Some won’t be affected at all.

Some, however, won’t be able to do a single thing until the issue is resolved. 

How does this relate to quantifying cyber threats? 

Quantifying the impact of cyber risk depends heavily on how your operations will take a blow. When you have a clear picture of how dependent your users are on technology, you will be able to calculate the impact. 

If users can’t do their job at all—high impact users—it means their operations are standing still, which makes the risk and its cost greater. 

If users aren’t that affected, the cost will be lower too.


#4 Presenting the financial impact of “downtime” on the company’s salaries 

The amount of high, medium, and low impact users determines more than just the extent of the impact. It also shows how much downtime will cost in terms of salaries—how much it will cost the organization that these employees won’t be able to work. 

How does this relate to quantifying cyber threats? 

Even if employees can’t work because of the security incident that needs to be resolved, they will still get their salary for the day. How much will this add to the total cost of the security incident? 

You don’t need exact figures for every possible employee you hire, of course, but having an idea of salary averages will help you determine this cost. 

To get some idea on salary figures, ask the CFO or somebody in the financial department. You might even want to use external resources that can give you averages, such as Glassdoor.


#5 Determining the financial impact of “downtime” on the company’s sales 

Most of the time, cybersecurity incidents have the greatest impact on company sales, since the sales processes are heavily dependent on technology. Your e-commerce stores won’t bring you any sales if the servers are under attack or if payment processing is down. 

How does this relate to quantifying cyber threats? 

While sales aren’t your responsibility, the impact of cyber threats on sales falls within your role. CISOs have the responsibility to communicate the impact of cyber threats on sales and present the costs of worst-case scenarios. 

How many turnover days will the company lose in case of threat X? 

Within each of those turnover days, what percentage of sales will go down the drain? 

What is the chance of losing market positioning in case of threat X?

To provide relevant numbers, you must involve the Sales team, and any other team related to sales, to get the required information on how market positioning and sales would be affected in worst-case scenarios.


What is the financial impact of IT regulations? 

Information and data are top targets of cyberattacks, and all companies, whatever their industry, are under strict regulations on how to protect them. 

Take GDPR as an example—the data protection act lists extremely high fines for companies that do not take necessary measures when it comes to personally identifiable information (PII). 

How does this relate to quantifying cyber threats? 

CISOs must quantify the impact of all regulations pertaining to the company under worst-case scenarios. The GDPR, for example, has extremely high fines: in case of a data breach, the company might face a fine of 20 million euros or 4% of its annual revenue, whichever is greater, and this must be included in the potential financial impact of cyber threats. 

Most companies won’t stand a chance of recovery from such high fines.


What is the efficiency of my solutions against the biggest cyber threats? 

After presenting the cyber threats that are most likely to affect the company, CISOs must also present the solutions. To sell a solution, you must quantify it too: its immediate and annual costs, in comparison to the cost of the threat it is solving. 

In addition, there is also the efficiency factor of the solution—how much of the risk will it mitigate, and how much exposure would remain? 

The efficiency of the solution depends on the threat type and the environment. Is it on-premise? Is it in the cloud? 

There are very few scenarios where a cyber solution will have 100% efficiency, so decision-makers need to see the exposure that remains and weigh up the risk factor themselves. 

How does this relate to quantifying cyber threats? 

The reason why CISOs must quantify cyber threats is to put the costs in perspective when compared to the costs of efficient solutions. 

Solution efficiency and cost help them justify investments that will improve the company’s resilience and overall security posture. 

It is likely that CISOs will have more than one solution for mitigating the biggest threats, each with a different efficiency depending on the environment. 

Showing the summed up costs of solutions versus the cost of a security incident without solutions will help the board understand just how much a security incident can set the company back.
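The following is an added worked example, not Boardish’s code or algorithm, that turns the inputs sections #3 to #5, the regulations section and the solution-efficiency section ask a CISO to collect into board-level figures for one threat scenario. It assumes a simple model: downtime salary cost per impact tier, sales lost over the turnover days affected, the GDPR fine ceiling quoted above (the greater of 20 million euros or 4% of annual revenue), and a per-environment solution efficiency; all company figures are constructed sample values.

```python
"""Quantify one cyber threat scenario in financial terms and compare solutions.

Assumed model (an illustration, not the page's tool): salary cost of downtime
by high/medium/low impact tier, sales lost over the affected turnover days,
worst-case GDPR fine, and the residual exposure left by each solution.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserTier:
    name: str
    headcount: int
    avg_daily_salary: float   # per employee, EUR (ask the CFO or use averages)
    productivity_loss: float  # 1.0 = cannot work at all, 0.0 = unaffected


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    downtime_days: float        # days the affected users cannot work normally
    turnover_days_lost: float   # trading days on which sales are hit
    sales_loss_share: float     # share of sales lost within each such day
    personal_data_breach: bool  # whether the GDPR fine ceiling applies


@dataclass(frozen=True)
class Solution:
    name: str
    upfront_cost: float
    annual_cost: float
    efficiency: dict  # environment -> fraction of incident cost mitigated


GDPR_FINE_FLOOR_EUR = 20_000_000
GDPR_FINE_REVENUE_PERCENT = 4


def salary_downtime_cost(tiers, downtime_days):
    """Salaries still paid to staff who cannot work, or work less, during the incident."""
    return sum(t.headcount * t.avg_daily_salary * t.productivity_loss * downtime_days
               for t in tiers)


def sales_downtime_cost(daily_turnover, scenario):
    """Turnover lost while sales and payment systems are unavailable."""
    return daily_turnover * scenario.turnover_days_lost * scenario.sales_loss_share


def regulatory_exposure(annual_revenue, scenario):
    """Worst-case GDPR fine: the greater of EUR 20M or 4% of annual revenue."""
    if not scenario.personal_data_breach:
        return 0.0
    return max(GDPR_FINE_FLOOR_EUR, annual_revenue * GDPR_FINE_REVENUE_PERCENT / 100)


def incident_cost(tiers, annual_revenue, daily_turnover, scenario):
    """Break the worst-case cost of one scenario down the way the board will ask for it."""
    salaries = salary_downtime_cost(tiers, scenario.downtime_days)
    sales = sales_downtime_cost(daily_turnover, scenario)
    fine = regulatory_exposure(annual_revenue, scenario)
    return {"salaries": salaries, "sales": sales, "regulatory": fine,
            "total": salaries + sales + fine}


def evaluate_solution(total_incident_cost, solution, environment, years=1):
    """Solution cost over `years` against the loss it avoids and the exposure left."""
    mitigated = total_incident_cost * solution.efficiency[environment]
    cost = solution.upfront_cost + solution.annual_cost * years
    return {"solution": solution.name, "solution_cost": cost, "mitigated": mitigated,
            "residual_exposure": total_incident_cost - mitigated,
            "net_benefit": mitigated - cost}


def rank_solutions(total_incident_cost, solutions, environment, years=1):
    """Order candidate solutions by net benefit, best first."""
    results = [evaluate_solution(total_incident_cost, s, environment, years)
               for s in solutions]
    return sorted(results, key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample company, scenario and candidate solutions (not real figures).
SAMPLE_TIERS = (
    UserTier("high", 50, 300.0, 1.0),     # e.g. order processing: stands still
    UserTier("medium", 120, 250.0, 0.5),  # can work, at half productivity
    UserTier("low", 80, 200.0, 0.0),      # not affected
)
SAMPLE_ANNUAL_REVENUE = 50_000_000
SAMPLE_DAILY_TURNOVER = 200_000
SAMPLE_SCENARIO = ThreatScenario("ransomware via phishing", downtime_days=5,
                                 turnover_days_lost=5, sales_loss_share=0.5,
                                 personal_data_breach=True)
SAMPLE_SOLUTIONS = (
    Solution("offline backups + endpoint hardening", 120_000, 40_000,
             {"on-prem": 0.75, "cloud": 0.5}),
    Solution("email filtering + awareness training", 30_000, 25_000,
             {"on-prem": 0.5, "cloud": 0.5}),
)


def sample_report(environment="on-prem"):
    """Cost breakdown of the sample scenario plus ranked solutions for one environment."""
    cost = incident_cost(SAMPLE_TIERS, SAMPLE_ANNUAL_REVENUE, SAMPLE_DAILY_TURNOVER,
                         SAMPLE_SCENARIO)
    return cost, rank_solutions(cost["total"], SAMPLE_SOLUTIONS, environment)


if __name__ == "__main__":
    cost, ranked = sample_report()
    for item, value in cost.items():
        print(f"{item:>11}: EUR {value:,.0f}")
    for r in ranked:
        print(f"{r['solution']}: cost {r['solution_cost']:,.0f}, "
              f"residual {r['residual_exposure']:,.0f}, net benefit {r['net_benefit']:,.0f}")
```

Running the sample with `"cloud"` instead of `"on-prem"` changes the ranking, which is the environment dependence the section describes.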


Conclusion: 

For 2020, CISOs must answer critical business questions clearly and speak in exact figures. They must quantify cyber threats and present solutions in terms of how they help maintain critical business strategy and operations. 

With Boardish – boardish.io – CISOs will have access to a tool that helps them quantify cyber threats quickly, without having to deploy anything on-premise or grant access to their systems. 

CISOs must work together with all departments and get all relevant information to present real threats in real numbers. 

Boardish can help them create a snapshot of their company and help them run scenarios of different threats and their financial and market impact. 

Let 2020 be the year of real numbers!


How Are New Cyber Threats and Regulations Affecting the IT Budget?


Recent cyberattacks are pushing organisations to invest more in their cybersecurity solutions. For example, the ransomware attack on Eurofins Forensic Services stopped court cases and investigations dead in their tracks, creating a backlog of 20,000 samples. 

Add to this new regulations that directly require organisations to improve their cyber security or face huge fines, and cyber solutions, and therefore your IT budget, take on greater importance. 

Here’s how recent developments (both good and bad) in trends, business, and legislation are affecting the IT budget. 

Changes to the IT budget 

IT budgets are seeing shifts in allocation segments due to new cyber threats and regulations affecting businesses across the board. 

GDPR

GDPR compliance continues to be a pressing concern for institutions dealing with sensitive information, affecting SMBs and enterprises alike. Gartner has identified that at least 30 percent of businesses will increase GDPR-related spending by investing in implementation services and consultations with security specialists.  

Implementation of security solutions enabling an increase in control over sensitive data and a better overview of how it’s accessed will be the primary concern, especially in cloud environments that enable remote access to sensitive data. 

Upgrading Legacy Systems

Spiceworks identified outdated technology as the primary reason for IT budget increases, followed closely by security upgrades due to incidents. While EU-based organisations are focusing on GDPR compliance and are allocating additional funds towards security, North American organisations increase their budgets to upgrade outdated systems. 

Gartner also reports that subscription and managed services will comprise almost half of the security software used across institutions, with Security-as-a-Service seeing an increase in uptake over on-premise security solutions. 

Hybrid solutions (having both cloud and on-premise features) are a serious consideration for many organisations. Still, on-premise deployment remains on top for now.

Increased Allocation on Cybersecurity in Budgets

IT budget spending on cybersecurity is expected to grow by 8.7% compared to only 3.2% growth in general IT spending. 

The most demanded security services will be identity and access management, data loss prevention and identity governance and administration.

What Should Be the Primary Focus for the Organisational IT Budget? 

Ensuring compliance with new regulations and identifying cyber threats that are the highest risk should be considered as a necessary first step towards a safer environment, both online and on-premise.

The risk assessment should be company-wide to ensure all risks are identified and all data locations are included. The IT department must work together with security specialists to determine the highest priority IT solutions to implement.  

Getting Approval from the Board Requires Preparation

Ensuring buy-in from board members is a crucial step in the process. Without their support, IT departments will struggle with ensuring compliance and implementing systems that deal with new cyber threats. 

Board member buy-in can be secured by educating them on the impact of identified risks and how new IT solutions minimise them, showing real cyber security ROI. 

IT managers must ensure the board is knowledgeable of how much avoiding the issue can hurt the organisation by presenting scenarios where risks are quantified and presented in terms of financial and market impact.

Compliance with regulations often means upgrading existing systems or a complete overhaul of organisational operations, which requires substantial resources. Yet it remains the preferable option compared to paying high fines and suffering a huge setback. 


IT Managers Aligning IT with Business Goals Are More Likely to Get Budget Approvals


It’s not unusual to encounter a disconnect between a company’s IT department and its executive board. The two parties aren’t always aligned in their goals, and naturally, conflicts can arise. In these circumstances, finding common ground is essential.

For IT managers, priorities tend to centre on security risk management, compliance with regulations, system updates, and network maintenance. Technology is inherently expensive, and fulfilling the expectations of an IT department can come with substantial costs.

As an IT manager, approaching executive or financial departments may be intimidating. Colleagues in these roles might have opposing perspectives, tending to be more risk-averse and focused on minimising costs. This is not to their detriment; each department has its core objectives, and sometimes these will clash. 

What’s important is for each department to understand the other’s concerns, within the context of the company’s universal goals. 

For example, if a company-wide non-emergency software update is required, the finance department may initially turn down the IT manager’s request, because they perceive the costs to outweigh the benefits. However, if the IT manager explains that the software update will help employees to be more efficient, or for data to be better protected, or for proactive future-proofing, the risk balance begins to swing in favour of the IT manager’s request. 

It’s perilously easy to become entrenched in one’s own department, but tribalism isn’t an effective way for departments to coexist. Communication is key to aligning business goals. It can be helpful for representatives from each department to attend the other’s strategic meetings, and to engage in dialogue so that each side better understands the rationale for funding requests, as well as the reasoning for their approval or rejection.

The use of risk appetite statements – which express the amount of risk a company is prepared to take in order to reach its goals – strengthens this dialogue. 

Taking everything on board, IT managers will be better placed to present their requests in a way that allows their financial and executive colleagues to understand the risks and benefits involved. Furthermore, finance managers will have greater understanding of operational context, helping them to avoid missing out on valuable opportunities due to misinterpretations of risk. 

Boardish.io provides a software solution that allows both parties to better visualise and analyse budget requests, and to issue approval decisions seamlessly.


Why Is There a Disconnect Between IT Professionals and the Board?


At the core of the disconnect between IT professionals and the board is a difference in language. On the cyber and IT side, discourse centres on security, regulations, and innovation. From the board, there’s more of an emphasis on finance, metrics, and business performance.

Ultimately, both sides are interested in mitigating risk. The IT side is more focused on threats from malware, ransomware, and data breaches, while the board is primarily concerned with risks to the core business, its ability to continue trading, and shareholders.

At face value, having a universal interest in minimising risk should facilitate mutual understanding. However, in practice, both parties can find difficulty in understanding the other’s perspective. For example, if an IT manager asks the board to approve new software designed to reduce the risk of a ransomware attack, the board might not be able to immediately visualise the risk to the company.

While they understand that there is a risk, its relation to other risks faced by the business is not clear – there are various degrees of risk in different situations. It’s on the IT department, therefore, to present their request in a way that’s unambiguous for the board. 

C-Suite Macro Focus

The board tends to take a macro view; that is, a broader perspective of the company. Its main focal points are:

Finance

The board must manage a delicate financial balance at all times. Budget requests that make sense to an IT manager might not fit in with the financial planning of the board, unless they are provided with solid context. 

Remember that the board is responsible for the financial health of the entire company, so they might not be able to immediately visualise the rationale of a request in the same way as an IT manager with intricate knowledge of why it matters. 

Company Performance and Metrics

The board has a broad perspective of the company. In order to help executives understand whether or not whole-company performance is on track and objectives are being met, it must use standardised metrics. 

Unfortunately, metrics don’t always provide nuanced explanation. For example, a company’s IT department is likely to have a higher budget than other departments. Comparing these departments on one single metric might place the IT department as a risk in itself, as it’s not as efficient as other parts of the company. However, this metric doesn’t take into account the high costs of purchasing, maintaining, and updating equipment and software. It’s why context matters, and the responsibility for providing it falls to department managers. 

Shareholders

The board is ultimately responsible to the owners of the company. Depending on the size of the organisation, this might be anything from a single investor to thousands of shareholders. 

Every decision made by the board is accountable. Any decision that negatively impacts the company will need to be justified. That’s why the board performs thorough analysis of every request, to ensure that financial decisions are sound. 

What Does Risk Mean to the Board?

Risk is primarily a financial variable from the board’s perspective. A company cannot operate if it lacks financial viability, which is why numbers are so important to the board. Therefore, budget requests from an IT manager should centre on the financial risk to the company if action isn’t taken, alongside relevant context that’s specific to the department.

IT & Cyber Micro Focus

IT departments take a micro approach; that is, a detailed interest in cyber-specific matters, including:

Technological Threats

It almost goes without saying that an IT department will prioritise technology. It’s a broad concept, and in the modern workplace, cyber professionals will take a keen interest in preventing data breaches and malware attacks. 

It’s by no means a simple task. IT specialists must be one step ahead of potential threats, and taking protective action may be expensive. IT managers don’t make budget requests to the board frivolously; there’s always a reason behind an upgrade. However, this might not be immediately obvious to the board, so it’s imperative to express the risk in terms that are financially focused. 

Regulations

IT departments must comply with all pertinent local and international rules, regulations, and industry standards. Anyone involved in implementing the EU General Data Protection Regulation (GDPR) in 2018 knows that rolling out new procedures can be costly – both in terms of financial investment and human resources. 

However, the costs of regulatory non-compliance are even greater. In the case of GDPR, a fine of €10 million or 2% of global turnover – whichever is higher – applies to breaches; this rises to €20 million or 4% of global turnover in severe cases. 

Illustrative examples like this can be persuasive when making a request to the board. 

Corrective and Preventive Action

Lessons are learned all the time in business. A change of process needn’t be prompted by a catastrophic mistake – best practice can emerge from a variety of sources.

The important thing is to move quickly in response to new information. Taking prompt corrective and preventive action protects the company from financial risk. This is precisely how it should be presented to the board. 

What Does Risk Mean to the IT Department?

Any threat to the technology or network infrastructure is a risk for the IT department. So too is non-compliance with applicable regulations, which can come with heavy penalties. Finance might not be prominent in the minds of IT managers, but awareness when making budget applications is crucial. 

Bridging the Gap

In the past, IT has been seen as a bottomless pit for investment. This opinion is a consequence of incomplete understanding of risk at the executive level, and one of the reasons behind the disconnect between IT professionals and the board. In turn, misunderstanding stems from risk not being adequately quantified and explained by IT managers. Both sides would benefit, therefore, from better information. CTOs and CISOs are vital to managing this exchange of ideas.

It can be difficult to quantify cyber risk into tangible figures and statistics, especially if the adverse event hasn’t happened yet. Using the best data available to explain both the cost of the upgrade, and the cost if it isn’t approved makes a request more compelling. For example, a budget of £10,000 for an upgrade might seem steep to the board, but if an IT manager explains that the investment will save £500,000 in the long run, approval is far more likely. 

Boardish is a tool that bridges the disconnect between IT professionals and the board. Instead of juggling multiple spreadsheets, the Boardish algorithm quantifies IT risks and solutions from the perspective of financial impact. After entering information about the company, Boardish automatically analyses financial risk and quantifies the mitigating effect of proposed IT solutions. Data is presented in various visual formats, helping the board to make efficient, informed decisions that protect the company from cyber risk. 


How Can You Quickly Quantify Risks for Your IT Budget?


While IT budgets are increasing globally across industries, getting your IT budget approved is a major undertaking if you’re looking for an increase, which is likely in the current climate as organisations implement new technologies and solutions.  

Getting approval for new tech is the hardest part because of the common cost-sensitivity of the board or decision-makers. Why should they pay a high cost without seeing actual figures on what they’ll get in return or properly see the benefit technology brings? 

Presenting actual numbers will help with approval, but only if you can present the cost of your IT budget against the cost of not eliminating existing risk factors. 

You must have a way to quantify risks in order to present their impact on the company, and here’s how you can do this: 

Do Your Research 

Understanding the risks that could affect the company – risks that the IT department could eliminate or mitigate – will help you determine the magnitude of damages, losses or incurred costs to the company. 

You must determine what events would trigger the highest damages to the company. For example, if you deal with lots of sensitive data but don’t have encryption set up well, your highest risk would probably be a data breach or leak. For starters, you should rank the list of risks on how likely they are to happen considering your current solutions for each.   

Determine the Financial Impact of the Risk 

Next, you want to see how heavily these risks would affect the bottom line. Take a look at the overall industry data on how much the possible risks cost on average. This will give you a good ballpark figure to work with. 

Then, take a look at what events have happened in the company’s past that had a negative impact on the bottom line to draw information on how much they could cost if they happened again. 

Now, you can rank the risks based on their financial impact too. This will help you compare their costs versus your proposed budget costs.  

Use Tools to Present Real-Time Impact

You don’t have to stick to spreadsheets and PowerPoint presentations to present all possible risks and their costs for the company (it’s likely to take a while and be less accurate). While they can help, they have a big issue: they are static and present only the scenarios that you thought could happen. 

How would you deal with the board members asking about a scenario you didn’t think of? Or what happens when the environment changes? 

You have to start over. 

Save yourself time and energy by using a tool like Boardish. You can input the information, easily quantify your risks and solutions to present to the board, and run scenarios quickly and effectively. 

Now your organization has become proactive rather than reactive when it comes to threats. 

Instead of guessing and working with ballpark figures, you could show them the real impact on revenue, loss of employees, reputation, and other segments.  

Such tools will help you drive your point across in a way the board will understand: how the risks will affect the company’s future and how far back they could set it. You’ll also be able to see how much each solution mitigates the threat in the cloud or on-prem, giving a total view of the impact on your organization. 

Overall, Boardish is the quickest way to quantify IT and cyber risks, particularly when you’re trying to submit an IT budget proposal. 


How to Make Sure the Board Understands Your IT Budget Proposal?


The IT budget proposal process is difficult, and it often seems that the board and IT just don’t speak the same language. 

While you are explaining how encryption tools help reduce risk and control access to sensitive data effectively, the board doesn’t seem that enthusiastic about implementing the new solution, because it would cost more than the current one. 

How Can You Help the Board Understand Your IT Budget Proposal? 

By speaking their language, of course. 

When presenting your budget to the board, you must speak in terms they understand – how your IT budget proposal contributes to achieving the company mission. 

This means leaving out all the technical terms and complex technological concepts, and instead focusing on how your proposed solution will achieve their long-term goals faster and more efficiently. 

Everything during your presentation – from the current overview to detected issues and proposed solutions – should be presented in terms of how it’s affecting the company, not just IT. 

If the board can see the benefits clearly – be it in increased revenue, better efficiency, or lower risk – you’ll have a much easier time with getting your budget approved. 

Quantify The Risks The IT Budget Mitigates

For your IT budget proposal to be successful, you must give actual figures and quantify exactly what you need and why.  

Start with your current security posture. Present the identified issues, bottlenecks, and risks, but do not simply say they exist or could happen. 

Present how likely risks are to happen, how bottlenecks are affecting the efficiency and revenue, how issues are affecting the customer experience—show real numbers and how much money is lost. 

After that, you should present your solutions in terms of in-depth costs of implementation vs. cost of leaving things as they are. 

For example: 

With the growing cybersecurity threats, security and privacy are a pressing concern for many CISOs. Instead of saying the company would face a negative impact from a data breach, be specific. 

The possible damages to the company should be presented in terms of revenue losses, market loss, fines, employee impact, loss of reputation, to name a few; otherwise, the board will assume that you will just lose data. 

By being specific, you can show just how expensive it is to stand still in terms of IT upgrades and how extensive the consequences can be.  

Presentation Matters 

Try making the presentation interactive; run possible scenarios and showcase their impact. Provide visualizations that are easy to see and digest! This will stop decision makers from switching off. 

Tools like Boardish can help you present real numbers, as you can quickly add possible risks and solutions and see how these translate to the company’s bottom line with interactive graphs and charts.

Bridge the Communication Gap

The hardest part of IT budget approval is making sure you and the board speak the same language. Use language they understand. Take their background into account when presenting your case, and explain in terms they use daily. Give them the figures to make an accurate and responsive decision based on actual financial impact, and you’ll have a much easier time getting your IT budget approved.  



How Do You Prepare Your First IT Budget?


The main aim of preparing that first IT budget is presenting an IT strategy proposal with a determined value. 

The board can agree or disagree with the value you placed on the proposal, so it’s your job to prepare an IT budget that the board will agree with. If you’ve never done this before, here are a few pointers on preparing your first IT budget.

1. You need to ask the right questions

Your first IT budget should give you a chance to demonstrate how you can improve things for the company. 

Take a look at how IT has been running until now, and then answer the following: 

  • Can you lower costs? 
  • How can you increase efficiency? 
  • Can you lower risk?
  • How can you increase security? 
  • In what order would you execute your IT plans? 
  • What is the most important priority?
  • How will your IT strategy over the next 12 months keep the business healthy, secure, and thriving? 

To get the board on your side, you will have to align your plans with theirs.

2. You need access to the right data

Data is your most valuable asset. If you’re new to this position, acquire data from previous years and see what your predecessor has been spending on the most. 

You might immediately see what you would do differently. 

If there are no previous budgets to look at and you’re in charge of making the first IT budget ever, then industry research on technology spending and budget allocation will provide a good measure of how you should set things up. 

3. Always involve others

You might be in charge of making your first IT budget, but you are not the only one in the IT department. 

Collaborate with other IT professionals and have quick meetings where you can gather their input on the most pressing matters. 

Invite them to articulate their needs and why they think their issue should be addressed first. You might find that you need more staff, need to replace end-of-life equipment, or need to improve your cybersecurity with cyber-risk training for employees.

4. Present actual numbers

A budget that just demands is a budget set to fail. The strongest argument is one that’s backed up by actual numbers.

When preparing your first IT budget, don’t just list how much money you need for each of your operational, ongoing, and capital costs. 

Think in terms of return on investment (ROI). When the board sees growth in revenue, or savings, or more efficient operations, you will find a common ground much faster. 

Don’t forget to quantify, for the decision-makers, the IT and cyber risks the company could be facing and the solutions to them. Financial impact is the language they will understand best (that’s where you should use Boardish!). 

5. Lead the board through possible scenarios

The number one reason why IT budgets are not approved is that the board doesn’t understand the inherent risk the company might be in. Not just cybersecurity risk, but business risks such as a lack of mobility, a lack of scalability, and so on. 

You can solve this by presenting several possible scenarios right then and there. The board members can see for themselves how much more it costs to keep outdated technology, to keep bad security practices, or to allow BYOD without any real policy, for example. This makes for faster and more reactive decision making. 
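One way to put such a scenario comparison into the money terms a board compares, shown here as an added example that is not part of the original article and not how Boardish computes its figures: each scenario is costed with the annualised loss expectancy (ALE) model, where ALE is the expected cost of one incident (SLE) multiplied by the expected number of incidents per year (ARO), and the expected loss with and without the proposed fix is set against the fix’s annual cost. The scenario names, loss figures, control costs and residual factors are constructed placeholders for illustration.

```python
"""Board-level scenario comparison, added here as an example.

Each scenario is costed with the annualised loss expectancy (ALE) model:
ALE = single loss expectancy (SLE) x annualised rate of occurrence (ARO).
The scenario names, loss figures, control costs and residual factors are
constructed placeholders for illustration, not figures from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float              # expected cost of a single incident
    aro: float              # expected number of incidents per year
    control_cost: float     # annual cost of the proposed fix (0 = do nothing)
    residual_factor: float  # share of the loss that remains once the fix is in place


def ale(sle: float, aro: float) -> float:
    """Annualised loss expectancy of one scenario."""
    return sle * aro


def compare(s: Scenario) -> dict:
    """Cost of standing still vs. cost with the proposed control, for one scenario."""
    before = ale(s.sle, s.aro)
    after = before * s.residual_factor
    saved = before - after
    net_benefit = saved - s.control_cost
    # Return on security investment: what each currency unit spent on the fix returns.
    rosi = net_benefit / s.control_cost if s.control_cost else 0.0
    return {
        "scenario": s.name,
        "ale_before": round(before, 2),
        "ale_after": round(after, 2),
        "control_cost": round(s.control_cost, 2),
        "net_benefit": round(net_benefit, 2),
        "rosi": round(rosi, 2),
    }


def cost_of_standing_still(scenarios) -> float:
    """Total expected annual loss if none of the proposed controls is funded."""
    return round(sum(ale(s.sle, s.aro) for s in scenarios), 2)


def rank_by_net_benefit(scenarios) -> list:
    """Scenario names ordered by net annual benefit, highest first: a funding priority list."""
    rows = sorted((compare(s) for s in scenarios), key=lambda r: r["net_benefit"], reverse=True)
    return [r["scenario"] for r in rows]


# Constructed sample scenarios (placeholder figures, not data from the article).
SAMPLE_SCENARIOS = (
    Scenario("Ransomware via phishing, no staff training or mail filtering", 250_000, 0.4, 30_000, 0.3),
    Scenario("Unpatched end-of-life servers", 80_000, 1.0, 50_000, 0.25),
    Scenario("BYOD without a device policy", 40_000, 2.0, 5_000, 0.5),
)


def board_summary(scenarios=SAMPLE_SCENARIOS) -> str:
    """One line per scenario, in the money terms a board compares."""
    lines = [f"Cost of standing still (all scenarios): {cost_of_standing_still(scenarios):,.0f} per year"]
    for r in (compare(s) for s in scenarios):
        lines.append(
            f"{r['scenario']}: expected loss {r['ale_before']:,.0f}/yr -> {r['ale_after']:,.0f}/yr "
            f"with a {r['control_cost']:,.0f}/yr fix; net benefit {r['net_benefit']:,.0f}/yr, ROSI {r['rosi']:.2f}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(board_summary())
```

Running the script prints the total cost of standing still followed by one line per scenario; the ranking function gives the order in which the fixes pay back fastest, which is the list a board can act on. Replace the placeholder figures with your own incident costs and frequencies before presenting anything.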

Making the first IT budget requires some good research and analytical skills – get the needed data and analyse it. You don’t have to do everything alone. There are plenty of tools that will assist you and help you get approval.

Improve Business Reactivity

When technology meets ‘bottom line’, There’s Boardish.

Average IT Budget by Company Size

The average IT budget continues to grow in 2020, with over 44% of companies planning to increase their IT budget – a 6% increase compared to 2019, according to Spiceworks’ State of IT report for 2020.

The Computer Economics IT Spending and Staffing Benchmarks 2019/2020 report showcases that the majority of IT organisations are taking active steps to move to the cloud, so they are increasing spending too. The ultimate goal is to take advantage of the benefits of cloud software and increase revenue this way. 

Gartner’s 2020 worldwide IT spending forecast details that $3.74 trillion will be spent on IT in 2019, while in 2020 that number will go up to $3.88 trillion. 

How much do companies spend on their IT budgets?

The percentage of spending that goes towards technology varies heavily from one industry to another. For example, a security firm will usually invest more heavily into IT than a construction business, although with the rise of the digital era and IT threats, that’s likely to change. 

The Spiceworks report shows that 44% – 63% of companies across all sizes expect budgets to increase, 21% – 31% expect no change, and only 4% – 9% are actually decreasing their budgets in 2020 (the rest weren’t sure yet). 

Looking at the IT budget breakdown by company size, a study by Ailean Inc. of U.S.-based companies found that small and medium-sized businesses spend around 6.9% of revenue on IT, midsize companies around 4.1%, and larger companies around 3.2%.

Larger companies can likely spend a lower percentage of revenue because they benefit from economies of scale in licensing, packaging, and direct hardware discounts from resellers, even though their actual budgets will be a lot higher. 

How much Are IT Budgets Increasing?

This is backed by Computer Economics, who surveyed businesses on how much they plan to spend on average across three size categories and found that the IT budget will increase for all three:

  • Small organisations with IT operational budgets that are smaller than $5 million.
  • Mid-size organisations with IT operational budgets between $5 million and $20 million.
  • Large enterprises with IT operational budgets that are at least $20 million or above.

What they found:

Small organisations will be taking the lead this year with their IT operational budgets seeing an average increase of 3.5% across industries. 

Large enterprises follow suit with 3.2% increase, while mid-sized companies seem to experience the lowest increase with 3.0%. 

Across all sizes, the IT budget average increase will be 3.2% for 2020.

Overall

IT is getting more efficient with an average spend per user being lower when compared to the previous year. In 2019, for example, the average IT spend per user was $7,569, a decrease of 7.5% overall. 

New technology and software solutions that rely on cloud computing, automation, AI, and virtualisation make it possible to do more with less, and while the spend per user is lower, the employment trends are positive, with multiple new members being employed in each IT team. 

These findings arm you with some solid proof of the current trends in IT spending. Still, you need to build a solid case for a budget increase and explain to those in charge why the proposed budget is important. The average IT budget by company size – how much companies spend from the overall budget, and how much they plan to increase it – is a good starting point.

The Easier Way to Get Your IT Budget Approved (No Matter the Company Size)

Boardish allows you to turn IT or cyber threats and solutions into financial figures so that you can compare your exact IT budget against company turnover and revenue. 

This makes it easier for decision-makers to give you a quicker decision and fast-track the approval process. 

To try Boardish completely free, visit https://app.boardish.io/ to sign up.

10 Pro Tips for Pitching Your IT Budget

The success rate of pitching your IT budget depends on how well you prepare for the pitch. You might have lots of new projects you wish to pursue, but what happens if you don’t get approval? 

The following 10 tips will help you secure a successful pitch.

1. Determine Board Expectations

The board’s budget expectations are a crucial factor that determines whether you’ll get what you’re asking for or not. 

Those expectations depend on current company earnings (good earnings equal budget increases, while a slow year might mean cutbacks), overall economic climate, and the importance of your department within the company. 

Most importantly, understand what the board expects from the budget. How does the board want IT to facilitate business needs? Understand these expectations and you’re likely to formulate a budget that’s more successful.

2. Gather C-Suite Intel

The corporate level is your go-to source of relevant budget information before pitching your IT budget.

Corporate executives will have already set up a general budget for the upcoming period, and you can use this as a guideline. It will tell you whether you can request an increase or whether it’s better to wait, and it lets you test the waters. 

3. Align IT Priorities with Business Priorities

A dialogue with c-suite executives will also shed light on current business priorities – what’s the most crucial goal to accomplish – and you can tune the budget towards achieving that goal. 

You’ll have a much easier time pitching your IT budget if your priorities are aligned with the overall business priorities. 

Make it clear that your IT spending is in service of achieving long-term business goals.

4. Have a Strategy for Every Amount

If you’re looking for a 15% increase when pitching your IT budget, you can’t expect to get it approved if you don’t have a plan for what you will do with that budget. As much as you’d like a ‘buffer’ in your budget, be prepared to quantify where every amount goes; the board shouldn’t have to guess whether you will use that 15% well or badly. 

5. Treat the Budget Like Your Own Funds

Many professionals, not just IT managers, seem to have an easy time spending company money without a second thought. It’s not yours anyway, right? 

This is the worst possible stance on it! You have to treat your budget exactly as if it were your own money and show responsibility. 

Instead of just asking for more because you didn’t have enough in the last quarter, look for alternative approaches: is there a way to stretch the current budget so it will be enough? What are some areas where you can save?

6. No Need to Spend Everything

Are you spending every penny in your budget even if you don’t have to? Do you fear you will get less next time if the board sees that you can do well with less? 

Fear of cuts doesn’t justify spending everything just for the sake of it. Show the board that you know what you’re doing with the money you have and are working hard to save wherever possible. 

That way, when you ask for more, you’ll have developed more of an authority to justify it. 

7. Gather Team Input

Your IT team will have firsthand experience of what they are spending on most, as well as why. Is there a particular department that constantly needs new hardware, or have you recently implemented an upgrade, which is why you’ve spent more of your budget this year? Get information directly from the source: ask them about hardware, software, and training, and what they think should have the highest priority and why.

8. Check Company-Wide

Conduct interviews and surveys, and invite the staff to offer suggestions and observations they had during different tasks and projects. Did they have a hard time accessing data because your data centres are not consolidated? Or perhaps they had issues with outdated software? 

You will have to make difficult choices when determining priorities, but this way you’ll have a much better overview of what to address first. 

9. Have a Backup Plan

You might not get approval for everything you requested, so before pitching your IT budget, determine what you can go without. Will you cut across all ongoing and project expenses, or will you cross a project or two off the list?  

10. Be Ready to Scale Down

Unforeseen circumstances can strike a business at any time, so make sure to have a plan in place in case you’re asked to reduce spending mid-year because of lower earnings or business-specific issues.

Pitching your IT budget

Pitching your IT budget is the easy part; it’s the preparation before pitching that you should focus on. When you have data from all relevant sources – the board, your team, and company standings – you’ll have an easier time aligning your budget with company needs and getting approval. 

5 Budget Pitching Mistakes IT Managers Make

Presenting an IT budget to the decision makers in your company requires thoughtful planning and organisation. IT managers can improve their chances of a successful IT budget pitch by avoiding the following mistakes:

1. Not speaking the board's language

The board will not respond well if you only say that you need something. They need to understand why you need it, and how it helps the company in the long run. It’s not about explaining the technology and mechanisms used; it’s about the benefits.

Your ultimate goal is to showcase how the IT department will help the company save or make money, not how to spend more. And you have to communicate this to the board properly. 

Give them an overview of benefits and how it affects operations in the long-term, but don’t exclude possible risks associated with new tech and outages that might happen when upgrading. 

2. Taking the proposal to the wrong person

Make sure you’re presenting the IT budget proposal to those who can make decisions. Determining who has the final say in approving the budget depends on the size of the company. 

Small companies have a rather simple setup, and all budget pitching will be directed towards the owner. 

The bigger the company, the more stakeholders are involved. While the accounting team handles finances, it’s the board of directors who makes the final decision about proposed budgets. 

Other stakeholders, like corporate executives, can help you with numbers since they often create forecasts about upcoming financial metrics. 

3. Not bringing numbers and statistics to back up your claims

It seems that the upcoming years will be good for IT budget pitching.

According to the State of IT report from Spiceworks, 89% of companies expect that their IT budgets will grow or be steady for 2019. Those that expect growth are looking at an increase of 20% on average. 

IT budgeting proposals without real numbers to back up your claims won’t enjoy a high success rate. Take the time to research the statistics and numbers and present them in easily digestible chunks. Use visuals to demonstrate savings or earnings that will be a direct result of the investments you wish to make.

4. Treating the IT budget as a wish list

You should never include every single item and project you can think of in your budget. Your IT budget represents your overall IT strategy.

Your budget pitching shouldn’t revolve around things that would be “nice to have,” but around things that will help the company reach its long-term goals faster. 

5. Artificially blowing up the budget

The board will quickly realise if you’re blowing the budget out of proportion. They will have numbers and statistics from earlier years and see the requested budget suddenly tripled. 

If you can’t back up the sudden increase, never go there, because you will lose trust and will never get anything approved. 

Stick to realistic amounts and help them understand why they make sense, what they deliver in the long-term, and why not implementing specific technology or measures right now might cost them more money in the future.

Budget Pitching

Budget pitching should always be done with a well-constructed, data-backed proposal that will show your executives how you will help them reach long-term goals. 

By avoiding the mistakes outlined here, you will have a greater chance to have your IT budget proposal approved by the board.
