The 8 Steps I Use To Get (Nearly) All of My IT & Cyber Budgets Approved
*This article was originally published by co-founder Eli Migdal on LinkedIn here.*
As a Cyber Security consultant, who is also the founder of two IT companies (TowerWatch Tech and Migdal Computing), I usually “get called” when there is a big issue, usually around my area of expertise, which is Data Classification, Encryption, and DLP. (Disclosure: I’m also the co-founder of Boardish.)
So I’ve proposed a lot of IT & Cyber budgets. And the truth is, I pretty much get them all approved.
I rarely fail, and on the rare occasions a budget doesn’t get passed, it’s a matter of the board taking ‘risk ownership’, which is a win in itself and not really a budget approval failure (in my eyes).
This is not a clickbait article or a way for me to just show off; I want to share the complete steps that get me there every time. My own ‘methodology’.
Step 1 – Gather Initial Information – “Interview the company while they are interviewing you”
- What is the Reason / Business Logic / Catalyst for this Cyber Security Project? – Is it regulations? Is it general Intellectual Property protection? Was the company hacked? What is the “drive” to do “something” with Cyber Security?
- How does the company make its revenue? – What are they selling? What is its unique proposition? What is their core business? To quote Steve Zalewski from Levi Strauss & Co: “We sell Jeans! – how are you going to help me sell Jeans?” – Figure it out before you go any further.
- Who is the owner of this initiative/project? – Is it IT? Is it Cyber? Is it GRC? Is it you?
- Does this project have a “Champion” who is Board Level / C-Suite? – To put it more clearly, “is this a Board Level project” that will be pushed from the top down?
Usually, 3 things happen at this phase:
- Option 1: You get all the info – Great! – best option.
- Option 2: You get some partial info and they start consulting with you regarding “what do you propose” – Great – this is also a good option because it means they want to align themselves and take it to the next level.
- Option 3: They start pushing back on the “questions” themselves. This is a GREAT SIGN for you to say “Thank you, it was a great call/meeting – but I suggest we end it now. Let’s stay in touch for when you are ready to align with this project methodology and the way I work.”
Step 2 – Gather Specific Company Details – “Hi, I am Eli – now let’s talk about you, I want to hear all the details… “
- What is the Turnover of the company?
- How many employees are there in total?
- How many employees are high/medium/low impacted by technology?
- What are the average salaries for high/medium/low impact users? (For this you usually don’t need to ask anyone in the company, as you can just google the industry standards or use services like Glassdoor to assess the averages.)
- What is the speed of recovery of the company? How many years will it take the company to get back to its previous market position following a technological catastrophe? This is a GREAT question to engage all C-Suite and departments with … “how quickly can your company jump back after the mother of all data breaches?”
This data-gathering phase can go more in-depth, and I have already shared my 5-step framework for CISOs starting in a new company here:
- The 5-Step Framework For CISOs Starting In a New Company (If You Want To Stay Longer Than 6-12 Months)
Step 3 – Take The Company’s Risk Assessment Report and Translate it to Financial Figures – The board don’t make decisions with traffic light charts, they make decisions based on money.
- NIST, ISF, ISO – No matter what framework you use for risk assessment, you need to translate it into “Business Language”, aka money money money.
- Quantify each threat via the Boardish Methodology: how many Workdays Lost, how many Turnover Days Lost, what is the Market Position risk, etc.
Step 4 – Make Sure The Proposed Solutions Include Full Costs (no surprises later)
A common source of tension between IT/cyber and the board is the board being surprised by solution costs because labour wasn’t included when the proposal was made and approved.
So, when I create proposed solutions and budgets, I make sure I’ve included labour, to avoid the scenario where implementing and supporting a solution costs more in labour than the initial licensing.
If you need more help to do this, you can see my article below (Using Boardish – or you can make a spreadsheet and work it out yourself.)
Step 5 – Evaluate What is The Efficiency level of the Current & Proposed Solution Against the Threat – “Are they any good?”
How well do the solutions mitigate the risk that you’re being hired to solve? In MANY cases several solutions attack the same threat, sometimes from different vectors. Make sure you have the full picture.
Involve the IT & Cyber teams, who will have real-life stats and info from the solutions that they’ve used before, and run a POC on any new products.
I use the TPF approach in the Boardish methodology, and before Boardish I did it manually myself to assess how effective the solutions are against the threats.
Here is an example of a TPF in the Boardish App (Note: it has full manual control so you can set and reset based on new information and knowledge.)
Step 6 – Regulations! – Don’t forget your BEST FRIEND.
Regulations are the Best Friend of the CISO and the Cyber Consultant: they “get you the attention you need from the Board – nobody ignores a fine of 4% of the turnover”.
- Almost EVERY company I encountered has GDPR implications. GDPR is a “Board Level Responsibility”, so it’s a great “conversation starter with the Board”.
- If you or your suppliers are somehow connected with Medical information, HIPAA is your best friend, USE IT!
Ok … we have the data gathering section complete, we are good “internally”, but are we ready to “attack the board room”?
Not yet … now, you need to get all your team onboard.
Step 7 – GET ALL YOUR TEAM ONBOARD
Make sure your staff, your team, your partners and your managers are fully aware of the “REASON” for this project. Before you go into budgets, make sure the REASON, “why we are doing this”, is clear.
This helps to reduce resistance to change, which can slow or derail your project, and gets everyone excited about the changes because they see how it helps them.
This ties into an article I wrote on my experience of managing up and down the chain of command:
Step 8 – Forget all your “Techy Risks Terms” – Turn the data into business language.
It’s not just quantifying the risk into financials, it’s also terminology and how you frame your budget and proposal.
When approaching the board, focus on:
- What is the COST of the Threat?
- What is the COST breakdown? (Sales Loss, Salary Loss, Market Loss, Regulation Loss)
- What is the complete solution cost overall?
- How much financial exposure do they have left after implementing the solutions?
Be ready to run the simulation with different solutions, different efficiency levels, different threat metrics, different costs. Give the info they need LIVE!
This is a Boardish Dashboard that I use to show Boards when pitching budgets.
Usually, in my experience, if your solutions are mitigating MOST of the risk and the cost of the entire solution is less than 2% of the turnover – YOU WILL GET YOUR BUDGET approved.
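To make Steps 3, 4, 5 and 8 concrete, here is a small calculator I added for this write-up (it is not Boardish code and does not reproduce the Boardish TPF). It turns constructed company figures into the four cost lines the board sees, adds licensing plus labour for the solutions, combines their efficiency, and applies the “less than 2% of turnover” check. The cost model (daily salary and turnover over 250 workdays, market loss as a fraction of turnover per recovery year, an independent-layers rule for combined efficiency) and all figures are my assumptions, not from the article.

```python
WORKDAYS_PER_YEAR = 250  # assumption: turns annual salary and turnover into per-day figures
# Constructed sample company (figures are illustrative, not from the article)
COMPANY = {
    "turnover": 50_000_000,                                     # annual turnover
    "headcount": {"high": 100, "medium": 300, "low": 600},      # employees by technology impact
    "avg_salary": {"high": 80_000, "medium": 50_000, "low": 30_000},
    "recovery_years": 2,                                        # years to regain market position
}
# Constructed threat: what a major data breach costs in the four lines the board is shown
BREACH = {
    "workdays_lost": {"high": 10, "medium": 5, "low": 2},   # per employee in each tier
    "turnover_days_lost": 5,                                 # days of sales lost
    "market_share_lost": 0.01,    # fraction of turnover lost per recovery year (assumed model)
    "fine_fraction": 0.04,        # GDPR-style fine ceiling as a fraction of turnover
}
SOLUTIONS = [  # constructed proposed solutions: licensing AND labour, plus assessed efficiency (0..1)
    {"name": "DLP", "licensing": 300_000, "labour": 150_000, "efficiency": 0.6},
    {"name": "Encryption", "licensing": 200_000, "labour": 100_000, "efficiency": 0.5},
]

def threat_cost(company, threat):
    """Translate one threat into Salary, Sales, Market and Regulation loss (money, not traffic lights)."""
    daily_salary = {k: v / WORKDAYS_PER_YEAR for k, v in company["avg_salary"].items()}
    salary = sum(company["headcount"][k] * daily_salary[k] * threat["workdays_lost"][k]
                 for k in company["headcount"])
    sales = company["turnover"] / WORKDAYS_PER_YEAR * threat["turnover_days_lost"]
    market = company["turnover"] * threat["market_share_lost"] * company["recovery_years"]
    regulation = company["turnover"] * threat["fine_fraction"]
    return {"salary": salary, "sales": sales, "market": market, "regulation": regulation,
            "total": salary + sales + market + regulation}

def combined_efficiency(solutions):
    """Several solutions on the same threat: assumed to act as independent layers."""
    remaining = 1.0
    for s in solutions:
        remaining *= 1 - s["efficiency"]
    return 1 - remaining

def budget_case(company, threat, solutions):
    """Full solution cost, residual exposure and the 'under 2% of turnover' check."""
    cost, eff = threat_cost(company, threat), combined_efficiency(solutions)
    spend = sum(s["licensing"] + s["labour"] for s in solutions)  # no labour surprises later
    return {"threat_cost": cost["total"], "efficiency": eff, "solution_cost": spend,
            "residual_exposure": cost["total"] * (1 - eff),
            "under_2pct_turnover": spend < 0.02 * company["turnover"],
            "mitigates_most": eff > 0.5}

if __name__ == "__main__":
    print(threat_cost(COMPANY, BREACH))
    print(budget_case(COMPANY, BREACH, SOLUTIONS))
```

Change the efficiency, labour or threat inputs and rerun to get the “live simulation” the board asks for in Step 8.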
Here is a 5-minute demo of how I use the Boardish App and Methodology to implement exactly what I talked about above:
Going back to my headline – I very rarely fail with this approach.
In almost all cases, I see that when you communicate your needs in a business language you will get your Budgets.
Do you think I am exaggerating? That I am a bald, stuttering, overconfident Methodology creator? Well, maybe I am, but that’s aside … My method works! Try it yourself and see.
Sign up here: https://app.boardish.io/
Eli Migdal – Co-Founder – Boardish