I remember about 12 years ago (when I still had a beautiful set of hair on my head) I was called as a starting Sysadmin to attend my first yearly IT Budget meetings.

I was so excited to see the huge excel sheet all the different components. I remember that one of the big elements was upgrading our Checkpoint Firewall to the newer version and integrating it with our Radius VPN server.

We discussed together with the IT Manager the licensing cost that was provided by the vendor and how many IT resources will it require from us, how much “out of hours” work etc. was required from us, and more

I was called to attend a meeting with the CEO while the IT Manager was showing the Budget to provide some technical information. Mostly on the level of downtime that will be required and such.

 

The CEO would usually compare the budget with the previous year’s budget, ask the IT Manager some general financial questions and if the company was doing ok, there were no surprises, the budget would get approved, once a year, like clockwork.

 

I was so eager to learn this process, the quote to approval, and then the implementation of the solution.

This exact process carried on year after year.

I already had several employees on my team, my own IT Services company was growing but the budget meetings were my “must attend” event, I was so eager to see it, I was fascinated by the process.

Year after year the vendors would show us their new features and year after year we decided “what we want” and what we want to add to the budget. It was so easy and actually so much fun, new features each year, not too big, not too small, easily approved.

 

And then I remember that one year, a big disruptor entered our predictable world, it didn’t come from the world of Cyber, it came from the world of Disaster Recovery…. Virtualization!

We were working on our DR Plan that was usually built from daily backups to LTO tapes and quarterly recovery simulation that usually took about 24 hours, all was working, very predictable and very slow 🙂

During the process I was made aware ( by a vendor ) that if we make our system Virtual (it was a brand new word to me back then), we can make the entire recovery process about 6X quicker, we could even recover the entire server …in…. (building suspense) … another Machine !!!

All of a sudden we could recover from a disaster in a matter of hours and not days, we felt obliged to investigate and did a POC which proven to be very successful. After seeing a server recovery on VMWARE, none of us on the IT team felt they can look a physical machine “in the eyes” and not feel that we are doing the company injustice.

And then it was IT Budget time, that time of year but this time we all knew we need to add Virtualisation in the excel, new servers, new licenses, a lot of work hours.

I remember how hard it was for the IT Manager to add a whole new tab to that excel and I remember he feared showing the new IT budget to the CEO.

This time the budget was not a “small version change ” from the previous one but had a big change in it.

 

For the first time in forever we needed to explain to the CEO the real FUTURE value of what we are doing, we needed to explain that “Yes the current system was working ok for 10 years” but the risk level is increasing and there are new solutions that allow recovering much quicker.

The first meeting was hard, the CEO was no so eager to understand why we are trying to change “something that worked for 10 years”, why we are changing our “way of working” for something that “may happen”.

I remember the IT Manager and CEO were going back and forth and then somehow, the question was pointed at me … “what do you think Eli… what is the point of that of this investment? – and I had the balls ( don’t know how until now ) to ask the CEO a question a big question back, Mr. ‘O’ – How much is a working day of the company worth to you?

The CEO didn’t hesitate in his response and instantly shot back “How is this even relevant, we are talking about your server room, not the entire company”.

 

Then I explained very calmly how almost every system in the company is connected with that “server room” and if the system goes down, the company is not working and then again asked ” how much is a working day is worth to you” if a day worth is higher than our budget increase, I see there is no point, but if a working day is much more expensive, the VALUE is clear.

That was the first time that I can remember with this company that an IT budget was connected with Value and the clear earnings and risk of losing earnings of the company.

Later on, I made sure to document each time that “our” Virtualization solution has worked to achieve quick recovery and made sure to include “how much time we saved”.

I made sure to add this metric alongside with the excel, the budget excel “alone” was not enough anymore!

Many years after ( 2016 ) – I published this article on how DR ( Disaster Recovery ) is an integral part of the defense against Ransomware

* This article is from 2016 so don’t judge if it seems a bit outdated 🙂 – https://www.linkedin.com/pulse/making-sure-you-protected-from-ransomware-attacks-part-eli-migdal/ 

The same logic of “how much your workday is worth” stayed the same but the attack vectors kept on evolving, the risk elements kept on growing.

Only now, in the last 2 years + / – DR plans are mentioning Ransomware attacks in SME’s ( previously it was mostly in enterprises)

 

And after this long intro … we are in 2020 and still, I hear too many “who moved my cheese?” – Cyber Professionals are not willing to accept the fact that “the cheese will always keep on moving” – you don’t control the Cheese, its movement its mostly controlled by forces which are not in your control.

IT Professionals, Cyber Professionals …. why some of you are still surprised that the same excel budget that worked great for 10 years doesn’t work now?

The cheese has moved, the decision-makers do not accept your excel “as a fact of life” if you do not show clear value or if you do not show a clear ROI for your budget.

 

Love it, Hate it, Ignore it…. whatever you will do, the “easy and quick” IT Budget approval process which some of us knew in our past is long gone, IT (and now Cyber) is entwined

The problem here is not Microsoft Excel, I love Excel myself and use it for many things…. but not for ROI budget proposal.

* Yeah I know that some Excel Guru’s can do EVERYTHING with excel but I don’t see the point when there are ways to do it much easier, what is the point to use a map and listen to traffic updates on the radio when you can use Waze :), yes the map and Radio traffic updates may work but there are much more efficient ways.

“Ok, I am starting to understand that the cheese has moved, the old way is not working, what should I do”

I created Boardish in 2019 to bridge the gap between IT & Cyber and the decision-makers. The main purpose of Boardish is to help you, IT & Cyber Professionals show your IT & Cyber Budget in financial terms, Quantifying both threats and solutions in financial figures.

Helping you answer those hard questions from the CEO before they were even asked, show IT & Cyber to the CEO in their language, ROI, Financial figures.

“But… it’s something new – I already know my excels…. “:

Yes, learning a new approach is never easy, when I created Boardish I knew I would need to spend a lot of resources in training, so our entire training materials are available online:

Tutorials

We are also making a lot of articles to guide you through:

The Beginner’s Guide To Cyber Risk Quantification For CISOs & Cyber Pros In Any Size Business​

“But how does it actually work, what do I explain to my CEO?”

Our methodology which unique and “severity based” and does not let you fall into the “Probability trap” ( TLDR – when you need to assume probability in Cyber you are already f***** before you even started )

Why ‘Probability’​ is a huge landmine in Cyber Security Risk Quantification (+ how to overcome it)

We also made our methodology publically available and we will keep updating it, the cheese will keep on moving and so our methodology evolving:

The Boardish Methodology: Budget Approval Framework

To Summarize: Yes our Cyber realm is ever-changing and constantly evolving, we can complain about it we can embrace new approaches to solve it, we have managed to solve the IT & Cyber > Board communication issue on budget.

Eli Migdal – The Boardish Team: