At the core of the disconnect between IT professionals and the board is a difference in language. On the cyber and IT side, discourse centres on security, regulations, and innovation. From the board, there’s more of an emphasis on finance, metrics, and business performance.
Ultimately, both sides are interested in mitigating risk. The IT side is more focused on threats from malware, ransomware, and data breaches, while the board is primarily concerned with risks to the core business, its ability to continue trading, and shareholders.
At face value, having a universal interest in minimising risk should facilitate mutual understanding. However, in practice, both parties can find difficulty in understanding the other’s perspective. For example, if an IT manager asks the board to approve new software designed to reduce the risk of a ransomware attack, the board might not be able to immediately visualise the risk to the company.
While they understand that there is a risk, its relation to other risks faced by the business is not clear – there are various degrees of risk in different situations. It’s on the IT department, therefore, to present their request in a way that’s unambiguous for the board.
The board tends to take a macro view; that is, a broader perspective of the company. Its main focal points are finance, metrics, and accountability to shareholders.
The board must manage a delicate financial balance at all times. Budget requests that make sense to an IT manager might not fit in with the financial planning of the board, unless they are provided with solid context.
Remember that the board is responsible for the financial health of the entire company, so they might not be able to immediately visualise the rationale of a request in the same way as an IT manager with intricate knowledge of why it matters.
The board has a broad perspective of the company. In order to help executives understand whether or not whole-company performance is on track and objectives are being met, it must use standardised metrics.
Unfortunately, metrics don’t always provide nuanced explanation. For example, a company’s IT department is likely to have a higher budget than other departments. Comparing these departments on one single metric might place the IT department as a risk in itself, as it’s not as efficient as other parts of the company. However, this metric doesn’t take into account the high costs of purchasing, maintaining, and updating equipment and software. It’s why context matters, and the responsibility for providing it falls to department managers.
The board is ultimately responsible to the owners of the company. Depending on the size of the organisation, this might be anything from a single investor to thousands of shareholders.
The board is accountable for every decision it makes. Any decision that negatively impacts the company will need to be justified. That’s why the board performs thorough analysis of every request, to ensure that financial decisions are sound.
Risk is primarily a financial variable from the board’s perspective. A company cannot operate if it lacks financial viability, which is why numbers are so important to the board. Therefore, budget requests from an IT manager should centre on the financial risk to the company if action isn’t taken, alongside relevant context that’s specific to the department.
IT departments take a micro approach; that is, a detailed interest in cyber-specific matters, including technology, regulatory compliance, and lessons learned.
It almost goes without saying that an IT department will prioritise technology. It’s a broad concept, and in the modern workplace, cyber professionals will take a keen interest in preventing data breaches and malware attacks.
It’s by no means a simple task. IT specialists must be one step ahead of potential threats, and taking protective action may be expensive. IT managers don’t make budget requests to the board frivolously; there’s always a reason behind an upgrade. However, this might not be immediately obvious to the board, so it’s imperative to express the risk in terms that are financially focused.
IT departments must comply with all pertinent local and international rules, regulations, and industry standards. Anyone involved in implementing the EU General Data Protection Regulation (GDPR) in 2018 knows that rolling out new procedures can be costly – both in terms of financial investment and human resources.
However, the costs of regulatory non-compliance are even greater. In the case of GDPR, a fine of €10 million or 2% of global turnover – whichever is higher – applies to infringements of the regulation; this rises to €20 million or 4% of global turnover in severe cases.
Illustrative examples like this can be persuasive when making a request to the board.
Lessons are learned all the time in business. A change of process needn’t be prompted by a catastrophic mistake – best practice can emerge from a variety of sources.
The important thing is to move quickly in response to new information. Taking prompt corrective and preventive action protects the company from financial risk. This is precisely how it should be presented to the board.
Any threat to the technology or network infrastructure is a risk for the IT department. So too is non-compliance with applicable regulations, which can come with heavy penalties. Finance might not be prominent in the minds of IT managers, but financial awareness when making budget requests is crucial.
In the past, IT has been seen as a bottomless pit for investment. This opinion is a consequence of incomplete understanding of risk at the executive level, and one of the reasons behind the disconnect between IT professionals and the board. In turn, misunderstanding stems from risk not being adequately quantified and explained by IT managers. Both sides would benefit, therefore, from better information. CTOs and CISOs are vital to managing this exchange of ideas.
It can be difficult to quantify cyber risk into tangible figures and statistics, especially if the adverse event hasn’t happened yet. Using the best data available to explain both the cost of the upgrade and the cost if it isn’t approved makes a request more compelling. For example, a budget of £10,000 for an upgrade might seem steep to the board, but if an IT manager explains that the investment will save £500,000 in the long run, approval is far more likely.
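One way to turn the "cost of the upgrade versus cost if it isn't approved" argument into figures a board can compare is an expected-loss model. The example below is added here and is not code from the article or from Boardish; it assumes the annualised loss expectancy convention (expected annual loss = cost of one incident × expected incidents per year), which the article does not name, and every monetary figure, incident rate and the `evaluate_control` and `regulatory_fine_ceiling` helpers are constructed for illustration. The fine calculation only reuses the two GDPR tiers quoted above (the greater of a fixed amount and a percentage of global turnover).

```python
from dataclasses import dataclass

# Added example, not from the original article. It assumes the annualised loss
# expectancy (ALE) convention: ALE = cost of one incident x incidents per year.
# All monetary figures and rates below are constructed, not measured data.


@dataclass(frozen=True)
class Scenario:
    """One loss scenario (e.g. a ransomware outage) as the IT side estimates it."""
    name: str
    single_loss: float   # estimated cost of one incident: recovery, downtime, penalties
    annual_rate: float   # expected incidents per year (0.25 = roughly once in 4 years)

    def ale(self) -> float:
        """Annualised loss expectancy for this scenario."""
        return self.single_loss * self.annual_rate


# The GDPR tiers quoted in the article, as (fixed cap, fraction of global turnover).
GDPR_LOWER_TIER = (10_000_000, 0.02)
GDPR_UPPER_TIER = (20_000_000, 0.04)


def regulatory_fine_ceiling(global_turnover: float, fixed_cap: float, pct_cap: float) -> float:
    """Upper bound of a turnover-linked fine: the greater of a fixed amount and a
    percentage of global turnover, the 'whichever is higher' rule the article cites."""
    return max(fixed_cap, pct_cap * global_turnover)


def evaluate_control(before: Scenario, residual_rate: float, upfront_cost: float,
                     annual_cost: float, horizon_years: int) -> dict:
    """Compare expected loss with and without a proposed control over a planning
    horizon. residual_rate is the incident rate the IT team expects once the control
    is in place (a constructed estimate; the article gives no such figure)."""
    if not 0 <= residual_rate <= before.annual_rate:
        raise ValueError("residual rate must lie between 0 and the current rate")
    after = Scenario(before.name, before.single_loss, residual_rate)
    annual_benefit = before.ale() - after.ale()          # loss avoided per year
    total_cost = upfront_cost + annual_cost * horizon_years
    total_benefit = annual_benefit * horizon_years
    # Years until the cumulative avoided loss covers the outlay; None if it never does.
    payback = (upfront_cost / (annual_benefit - annual_cost)
               if annual_benefit > annual_cost else None)
    return {
        "ale_before": before.ale(),
        "ale_after": after.ale(),
        "annual_benefit": annual_benefit,
        "total_cost": total_cost,
        "total_benefit": total_benefit,
        "net_value": total_benefit - total_cost,
        "payback_years": payback,
    }


def board_summary(title: str, result: dict, horizon_years: int, currency: str = "£") -> str:
    """One sentence in the board's language: outlay, avoided loss, net effect, payback."""
    payback = result["payback_years"]
    payback_text = f"payback {payback:.1f} years" if payback is not None else "no payback"
    return (f"{title}: spend {currency}{result['total_cost']:,.0f} over {horizon_years} years "
            f"to avoid an expected {currency}{result['total_benefit']:,.0f} in losses "
            f"(net {currency}{result['net_value']:,.0f}, {payback_text})")


if __name__ == "__main__":
    # Constructed figures chosen to match the article's £10,000 vs £500,000 illustration.
    ransomware = Scenario("ransomware outage", single_loss=200_000, annual_rate=0.625)
    result = evaluate_control(ransomware, residual_rate=0.125,
                              upfront_cost=10_000, annual_cost=0, horizon_years=5)
    print(board_summary("Backup and recovery upgrade", result, 5))
    exposure = regulatory_fine_ceiling(1_000_000_000, *GDPR_UPPER_TIER)
    print(f"GDPR upper-tier exposure at £1bn global turnover: £{exposure:,.0f}")
```

The point of the summary line is the framing the article asks for: the board sees the outlay next to the expected loss it avoids and the payback period, rather than a product name and a threat description. The incident rate and single-loss figures are the weakest inputs and should be presented with their source (incident history, insurer or industry data) so the board can judge them.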
Boardish is a tool that bridges the disconnect between IT professionals and the board. Instead of juggling multiple spreadsheets, the Boardish algorithm quantifies IT risks and solutions from the perspective of financial impact. After entering information about the company, Boardish automatically analyses financial risk and quantifies the mitigating effect of proposed IT solutions. Data is presented in various visual formats, helping the board to make efficient, informed decisions that protect the company from cyber risk.
Explain why and how your solutions work to a non-techy audience.