As a Cyber Security consultant who is also the founder of two IT companies (TowerWatch Tech and Migdal Computing), I usually “get called” when there is a big issue, usually around my area of expertise, which is Data Classification, Encryption, and DLP. (Disclosure: I’m also the co-founder of Boardish.)
So I’ve proposed a lot of IT & Cyber budgets. And the truth is, I pretty much get them all approved.
I rarely fail, and on the rare occasions a budget doesn’t get passed, it’s a matter of the board taking ‘risk ownership’, which is a win in itself and not really a budget approval failure (in my eyes).
This is not a clickbait article or a way for me to just show off; I want to share the complete steps that get me there every time. My own ‘methodology’.
Usually, 3 things happen at this phase:
This data-gathering phase can go more in-depth and I shared my 5-step framework for CISOs starting in a new company here already:
A common way to create tension between IT/cyber and the board is when they get surprised with solution costs because labour wasn’t included when the proposal was made and approved.
So, when I create proposed solutions and budgets, I make sure I’ve included labour, to avoid the scenario where it’s more labour-intensive to implement and support a solution than the initial licensing cost.
If you need more help to do this, you can see my article below (Using Boardish – or you can make a spreadsheet and work it out yourself.)
How well do the solutions mitigate the risk that you’re being hired to solve? In MANY cases several solutions attack the same threat, and the same threat from different vectors. Make sure you have the full picture.
Involve the IT & Cyber teams who will have real-life stats, info from the solutions that they’ve used before, and POC on any new products.
I use the TPF approach in the Boardish methodology, and before Boardish I did it manually myself to assess how effective the solutions are against the threats.
Here is an example of a TPF in the Boardish App (Note: it has full manual control so you can set and reset based on new information and knowledge.)
Regulations are the Best Friend of the CISO and the Cyber Consultant. They “get you the attention you need from the Board; no ignoring a 4% of the turnover fine”.
Ok … we have the data gathering section complete, we are good “internally” but are we ready to “attack the board room”?
Not yet … now, you need to get all your team onboard.
Make sure your staff, your team, your partners and your managers are fully aware of the “REASON” for this project. Before you go into budgets, make sure the REASON, the “why we are doing this”, is clear.
This helps to reduce resistance to change which can slow or derail your project, and gets everyone excited about the changes because they see how it helps them.
This ties into an article I wrote on my experience of managing up and down the chain of command:
Step 8 – Forget all your “Techy Risks Terms” – Turn the data into business language.
It’s not just quantifying the risk into financials, it’s also terminology and how you frame your budget and proposal.
When approaching the board, focus on:
Be ready to run the simulation with different solutions, different efficiency levels, different threat metrics, different costs. Give the info they need LIVE!
This is a Boardish Dashboard that I use to show Boards when pitching budgets.
Usually, in my experience, if your solutions are mitigating MOST of the risk and the cost of the entire solution is less than 2% of the turnover – YOU WILL GET YOUR BUDGET approved.
Here is a 5-minute demo of how I use the Boardish App and Methodology to implement exactly what I talked about above:
Going back to my headline – I very rarely fail with this approach.
In almost all cases, I see that when you communicate your needs in a business language, you will get your Budgets.
Do you think I am exaggerating? That I am a bald, stuttering, overconfident Methodology creator … well, maybe I am, but that’s aside … My method works! Try it yourself and see.
Sign up here: https://app.boardish.io/
Eli Migdal – Co-Founder – Boardish
Explain why/how your solutions work, to a non-techy audience.