“It should not be that hard”: the threats are increasing every year and more and more businesses are relying purely on their IT.
So why is the “sell process” so hard and long…?
I think the issue is “language”. Cyber Security and Cloud have created a new language, a new type of communication that is much more rapid and flexible, and this new language gets lost in translation between the Tech people and the Decision makers.
So, who are the typical players in this game?
Before Cyber Security and Cloud were so dominant, the process was simple:
Before the era in which a “simple Ransomware” attack could cripple your entire business, and Cyber Threats were the concern of “Big organizations only”
Before Cloud Computing could provide you with the best Disaster Recovery capabilities and faster deployment for half the price
In the “Good Old days” – it was easy:
1. The IT Manager will review the last year’s IT budget
a. Will ask the Sys Admins and other key players for their estimate of the next year’s budget
b. Will do the math with a 10-20% buffer for the next year
2. The IT Manager will request a budget from the Board
3. The Board will push back a bit – will ask to decrease the overall expenses and generally seek the best ROI
4. A decision will be made somewhere in the middle
5. Everyone is happy (well...almost 😊)
If you got it wrong, nothing harsh would usually happen; you would adjust the budget a year later. In one case your budget would decrease, in another case you would manage to increase it.
What is happening now:
The changes in the Threat landscape are very dynamic and increasing every year.
You don’t have much room for mistakes – it’s “no country for old men”
1. Once you miscalculated which cyber security tools you need and got hit – you lost your market!
2. Once you did not use the best Cloud offering and spent 3x more on legacy infrastructure, your operating cost is much higher than your competitors’ – you lost your market!
So how does it look now, “Usually”:
1. The IT Manager tries to understand which budget he should ask for in order to be secure and efficient
a. He will ask the Sys Admins “what do they need most”
b. He will ask the Cloud Admins “what do they need most”
c. He will ask the Cyber Security admins “what do they need most”
2. The IT Manager will try to balance the requests, but the task will be very tiring because each one of them will usually ask for 110% of the budget to cover their responsibilities
3. The DPO will usually make it more complicated and ask for more privacy and security tools
a. In some companies the DPO is reporting directly to the board and his impact on the budget may be extreme (for example, a tool / solution that doesn’t provide compliance with a regulation will not be allowed)
b. Some Organizations will also have a Risk Management team and/or a legal compliance team
4. If the company has a CISO: the IT Manager will usually bring a “much higher than assumed” budget and the CISO will try to reduce the overall budget
5. The CISO will try to justify the budget to the Board – it might be 50% of the original request
6. If the company does not have a CISO – the IT Manager will usually ask for the budget directly from the Board
7. The Board will usually cut the budget even more – the Board will always want fewer expenses and a better ROI
Remember – usually board members are not IT “people” – they usually come from Management, Finance, Legal and such.
This is how it usually looks when an IT Budget is requested:
We have a huge GAP between the Decision Makers and the Technological Solution Providers when it comes to Cyber and Cloud. Let’s analyze why:
They don’t speak the same language
The “Tech Layer”:
1. The IT Sys Admins and the IT Manager usually speak the same language
2. The Cyber Security & Cloud Admins speak a similar yet not the same language, but they usually understand each other
3. The IT Manager is struggling, but usually he is able to understand the complete “new language”, which is a mix of classic IT & Cyber & Cloud
a. The IT Manager is spending a huge amount of his time understanding the new language
“The Non Tech Layer”:
4. The DPO speaks his own language – usually his language is much more “Legal” than “Techy”
5. The Legal and Compliance teams don’t speak “Techy” – they usually don’t understand what the IT Manager is talking about
6. The CISO is in a very tricky situation in which he needs to mix all the “Old Techy” & “New Techy” & translate it to the Board
7. The Board usually does not understand “New Techy”; in most cases the Board does not understand “Old Techy” either – the Board doesn’t speak “Tech”
8. The Board understands Risks, Risk Mitigation, Costs, ROI, Business Needs
9. The CISO will usually spend most of his time explaining the Risks & Solutions in a way the Board can understand. His focus is not on improving the Information Security Methodology
So that’s the process.
What are the results “usually”?
1. The IT Manager will not receive what he really needs – his budget might be about 50% of what he really needs, and he spends a huge amount of his time on “begging” and not actually being efficient
2. The CISO has not received what he needs – he is not improving the system, he mediates between the IT Manager and the Board
3. The Board will not get what they really need – the company is not secure or efficient, and they will be blamed for it
So what do we do:
We need to process the new information in a way the board understands
We need an algorithm that translates IT Risks and Cyber & Cloud Solutions into a language of Risks and Costs that the Board understands
A combination of an Application based on this algorithm and professional experience is the ultimate way to achieve these needs.
This is what we do
CEO of TowerWatch Solutions LTD
Founder of “Boardish”