Why Your Risk Score Is Stopping You from Getting Your IT and Cyber Budgets Approved
With the end of the year approaching fast, the pressure to get your IT and cyber budget approved is increasing. While other functions within the company use tangible numbers to get their budgets approved faster, IT and cyber doesn’t have such an easy job.
Cyber ROI is more about risk mitigation than it is about effectiveness. To get the IT and cyber budget approved, most companies use risk scores, but that doesn’t help non-technical decision-makers, and it’s simply not convincing enough.
Take away the technical
From IT and Cyber’s perspective, the risk score works nicely. You can identify your assets, threats, and vulnerabilities and analyse them. You can then categorise risks into ranges from very low to very high. But this approach doesn’t extend outside of the risk assessment process (and sometimes not even then).
The main problem comes when you need to communicate those threats and proposed means of their mitigation to the board.
You’ve made your job harder, because you’re communicating using a metric they don’t understand, and it raises questions such as:
– How high is high, and how low is low?
– What does this mean in terms of the business?
– What does this mean in terms of sales loss, market loss, or working loss?
– How have you determined that the risk is high, medium, low?
– Is this score based on market results or our specific company?
This simply extends the process and slows down getting approval (if you get approval at all).
Why risk scores aren’t working
By relying purely on risk scores instead of quantifying risks and using financial figures (hint: what Boardish does), you are:
- Making communication more difficult between the board and CISO.
- Making an assumption that the board understands the proposed solutions entirely and that they understand the threats, as well as the risk score metric you’re using.
- Adding more work to your plate and the board’s by trying to explain everything to them and trying to communicate the gap between the risk score and what this means for the business.
Risk scores aren’t really helpful on their own, as they only show ranges from very low to very high and not actual impact.
What you should do to get IT and cyber budgets approved
If you want to get your IT and cyber budget approved (quickly), you need to communicate using the language the board understands: show them the value of solutions and ROI.
Boardish does exactly that.
Boardish is a risk quantification tool specifically designed to improve the IT & Cyber budgeting and sales processes to get approval a lot quicker. It communicates cyber ROI by showing the cost of threats (and more) to decision-makers to streamline the IT & Cyber budgeting and sales process.
With Boardish, you can make visuals focusing on the area that interests the board the most, giving your report more impact. This is just one of the reasons why CISOs who have used Boardish for budget quantification have received a favourable decision around 80% faster.