Why Small and Medium-Sized Organizations Are Struggling More With IT & Cyber Budgeting Than Enterprises

There is a very obvious trend that we see in our BOARDISH ecosystem from speaking with our clients and business partners:

Small and medium-sized companies are “struggling” much more during the IT & Cyber budget approval process.

For small and medium-sized organizations, we see the following recurring feedback during IT & Cyber budgets:

  • The budget approval process is, on average, 3-4 times longer than in larger organizations.
  • There is no clear owner for this process. Sometimes it comes from the CTO, CIO, IT Manager, or CISO, and in some cases the process is pushed from the CFO.
  • The “budget process” is deemed, and I am quoting, “extremely complicated”.

In bigger organizations, we still hear feedback about “complexity” and “length of process”, but in reality the actual process is much clearer and shorter.

We wanted to find a clear cause for this difference. Initially, we thought that because larger organizations have more moving parts and more roles, their process must be more complex. In reality, the process is structured much better in larger organizations, with clear role designation.

We have spoken with many clients and business partners, and we are confident that we have found that cause.


The most impactful differentiator is the use of “Risk Professionals”.

  • Large organizations understand that you can’t budget effectively or get approval from decision-makers without incorporating ‘risk and risk quantification’ into the IT & Cyber budgeting equation. You need to prove the ‘why’ of solutions and what financial impact on the company you are preventing with these costs.
  • Large organizations have much better ACCESS to Risk Professionals, and many even have internal roles, including a CIRO, or ongoing consultants and consultancy retainers. They also have access to enterprise-level resources and tools to help them with risk and with finding solutions.

But what makes Risk Professionals so efficient in the budgeting process?

Risk Professionals are EXPECTED by management to be the “Translator between IT & Cyber and Decision-Making language”. This is the first CRITICAL step in joining IT & Cyber with the Board so they speak the same language.

It is clear that in most organizations IT & Cyber do not speak the same language as the Decision Makers (Board, C-suite, etc.), and without bridging this gap, the budget process is very messy.

When Risk Professionals are involved in the IT & Cyber budget process we see the following advantages:

  • Much clearer responsibilities are laid out for “who should do what” in the budget process.
  • Budget requests are combined and presented with the Risk factor of the threats you are trying to mitigate.
  • The entire process becomes less “messy” because Risk Professionals are usually very efficient at “structuring” and managing the entire process. Many Risk Professionals also use Risk Management tools, which help even more.


Is “Showing Risk” enough to get quick decision making?


It’s about HOW MUCH money that risk is going to cost the company. That’s what the board and C-suite are basing their decisions on. Risk and money.

Which is why Risk Quantification is a mandatory piece of the puzzle for getting quick budget approvals!

With Boardish, we have noticed that Risk Professionals are the most efficient adopters of the Boardish methodology and application, needing barely any ‘onboarding resources.’ They just get it, because they are already battling risk quantification and are expected by management to clearly help with decision-making.

So what is our advice for small and medium-sized organizations?

Use Risk and quantification in your IT & Cyber budget process

  • Even a basic 4-5 days of Risk consulting will usually give you the structure you need to set you on track to do it yourself.
  • Work with Risk Professionals who are already using Risk Management tools that, for a small organization like yours, would likely be too costly to purchase!

Want to get started yourself?

Here is a diagram we’ve created alongside our business partner 360inControl® for a complete step-by-step process.

You can also sign up to Boardish (completely free) to introduce you to the terminology and methodology you’ll need for Risk Quantification and quicker budget approvals.
