How to Actually Talk to Your Board About Cyber Security (When You Have No Budget)
Key takeaways:
- Libraries face ransomware attacks with 3+ months of downtime and recovery costs of $7M+ (British Library). Boards must understand cyber security is a strategic priority, not an IT overhead.
- Most library IT budgets (7-10% of operations) are insufficient for modern threats. Budget 12-15% minimum, with separate allocation for security hardening and incident recovery.
- Key board decisions: multi-factor authentication everywhere, regular backup testing, vendor security audits, and ransomware response planning with insurance coverage review.
- Attack patterns show libraries are high-value targets: patron data, operational criticality, and historically weak security budgets. Delays in funding create exploitable vulnerabilities.
- You can fix this. This article gives you the exact language, visuals, and objection-handling scripts that get boards to approve funding. Use them as-is.
You need to talk to your board about cyber security. But every time you try, one of three things happens:
- They glaze over when you mention "multi-factor authentication"
- They panic and think you're saying the library's been hacked
- They ask "Why didn't this come up last year?" and shut down the conversation
Here's the problem: You're speaking IT, and they're hearing budget threat. That's not your fault. It's a communication gap. And it's fixable.
Let me give you the script that actually works. The one that gets cyber security funding approved without causing board panic or political fallout. Use these slides, these words, and these responses. You have permission to copy, modify, and present all of it.
The Three-Slide Presentation That Gets Budget Approval
Your board doesn't have time for 30 slides. They have 15 minutes, maybe 20. Here's what you show them:
Slide 1: "This Is Happening to Libraries Like Ours"
Title: Library Ransomware: The New Reality
Content:
- Seattle Public Library (May 2024): Systems down for weeks. Recovery cost: $1,000,000
- Toronto Public Library (October 2023): Couldn't check out books for 4 months. 1 million returns stored in tractor trailers.
- British Library (October 2023): Catalog offline for 78 days. Recovery cost: £7,000,000 (40% of their reserves)
- Baker & Taylor (August 2022): 17-day outage. 5,000+ libraries couldn't order books.
The line that matters:
"These aren't theoretical risks. These are peer institutions that got hit in the last 24 months. And they all thought 'it won't happen to us' until it did."
Visual: Show logos/photos of British Library, Toronto Public Library, Seattle Public Library. Make it real.
Why this works: Boards respond to peer comparisons. "This happened to libraries like ours" is more compelling than "cyber security experts say..."
Slide 2: "Here's What It Would Cost Us"
Title: The Math: Prevention vs. Recovery
Content (create a simple table):
| Scenario | Prevention Cost | Recovery Cost (if attacked) |
|---|---|---|
| Do nothing | $0 | $250K-$1M (based on Seattle) |
| Basic security (our proposal) | $25K-$50K/year | $50K-$100K (much faster recovery) |
| Comprehensive security | $100K+/year | $10K-$50K (minimal disruption) |
The line that matters:
"Seattle Public Library spent $1 million recovering from ransomware. For a fraction of that cost, we can reduce our risk by 90% and speed recovery if something does happen."
Add this detail:
- One thing stopped the Library of Congress attack: Multi-factor authentication. The Library of Congress was targeted by the same Rhysida gang on October 28, 2023, the same day as British Library and Toronto. LOC's MFA blocked the attack. It's often free with our existing systems. Had they not had it, they'd be on this list.
Source: British Library Cyber Incident Review, March 2024.
Why this works: Boards understand ROI. "Spend $25K to avoid spending $1M" is a simple business case.
Slide 3: "Our Recommended Three-Tier Approach"
Title: Phased Investment: Year 1, Year 2, Year 3
Year 1: Foundation (Budget Request: $20K-$30K)
- ✅ Cyber insurance: $15K-$25K
- ✅ Security audit (one-time): $10K-$15K
- ✅ Plus free actions: MFA everywhere, backup testing, staff training (using free resources)
What this gets us:
- ✅ Insurance coverage for breach costs
- ✅ Professional assessment of our vulnerabilities
- ✅ Quick wins that close major security gaps
Year 2: Remediation (Budget Based on Audit: Est. $30K-$50K)
- Fix critical issues identified in Year 1 audit
- Upgrade backup systems (air-gapped backups)
- Enhanced staff training program
Year 3: Ongoing Maintenance (Budget: $20K-$30K/year)
- Annual security reviews
- Insurance renewal
- Continued staff training
- Vendor security oversight
The line that matters:
"We're not asking for $100K upfront. We're asking for $20K-$30K in Year 1 to establish a foundation, then adjusting based on what the audit tells us."
Why this works: Phased budgets feel manageable. You're not dropping a huge unfunded mandate. You're building incrementally.
The Exact Language That Works (Copy-Paste This)
Here's what you actually say when presenting:
Opening (30 seconds):
"I want to talk about cyber security. Not because we've been attacked. We haven't. But because in the last two years, three major libraries were hit with ransomware attacks that cost them millions of dollars and months of downtime. I want to make sure we're not next."
Why this works: You're establishing urgency without panic. "We haven't been attacked" prevents immediate board freakout. "I want to make sure we're not next" establishes proactive leadership.
The Ask (60 seconds):
"Based on what happened to Seattle, Toronto, and the British Library, I'm recommending a three-tier approach starting with a $25K investment in Year 1 for cyber insurance and a security audit. This is like buying fire insurance. We hope we never need it, but if we do, it covers most of the cost."
"For context: Seattle spent $1 million recovering from a ransomware attack. Our Year 1 ask is 2.5% of that cost. It's not a question of if ransomware attacks continue. They're accelerating. It's a question of whether we're prepared when it happens."
Why this works: You're framing it as insurance (a concept boards understand) and showing clear ROI (2.5% of recovery cost).
Handling Objections:
Board Member: "Why didn't this come up last year?"
Your Response:
"Great question. Ransomware attacks on libraries increased dramatically in 2023-2024. British Library and Toronto were both attacked in October 2023. Seattle was hit in May 2024. This went from 'low probability threat' to 'peer libraries are being hit regularly.' We're responding to a rapidly changing threat landscape."
Board Member: "Can't IT just handle this?"
Your Response:
"Our IT staff are excellent at keeping systems running, but cyber security requires specialized expertise. British Library had professional IT staff. They still needed outside forensic investigators and consultants. The $1M Seattle spent was mostly on specialized consultants. We need those experts before we have an incident, not after."
Board Member: "What if we just don't pay the ransom if we get attacked?"
Your Response:
"British Library, Toronto, and Seattle all refused to pay. Good for them. But their recovery still took 3-4 months and cost $1-7M. Not paying the ransom doesn't make recovery free or fast. Our goal is to prevent attacks and minimize recovery time if one happens."
Board Member: "Is this really a priority compared to [books/programs/staff]?"
Your Response:
"It's not either/or. It's about protecting everything else we do. If we get hit like Toronto did, we can't check out books, run programs, or provide services for months. Our Year 1 ask is about 1-2% of our annual budget to protect 100% of our operations."
The Budget Breakdown by Library Size
Boards want to know "What do libraries like us spend?" Here's real-world guidance:
Small Library (1-3 branches, <$1M budget):
Year 1 Investment: $5K-$15K
- Cyber insurance: $5K-$10K (lower premiums due to size)
- Security audit: $5K-$10K (use state consortium or community college IT program for discount)
- Free actions: MFA, backup testing, staff training
Realistic alternatives if you have $0:
- Join state library consortium for group cyber insurance rates
- MS-ISAC free membership (federal program for state/local governments)
- Partner with local community college IT security program for free audit (students do it, professor supervises)
- Shared IT security staff with city/county government
Medium Library (5-25 branches, $5M-$15M budget):
Year 1 Investment: $20K-$50K
- Cyber insurance: $15K-$30K
- Security audit: $10K-$20K
- Incident response retainer: $5K-$10K (pay as you go)
- Free actions: MFA, backup testing, staff training
Large Library (25+ branches, $15M+ budget):
Year 1 Investment: $50K-$150K
- Cyber insurance: $30K-$50K
- Comprehensive security audit: $25K-$50K
- Incident response retainer: $15K-$25K
- Managed security services (optional): $25K-$50K
- Free actions: MFA, backup testing, staff training
Key point: Scale to your budget. Don't let "we can't afford $50K" stop you from doing the $5K version. Some protection is infinitely better than zero protection.
The "But We Have No Money" Strategy
Here's what you do when your board says "We'd love to, but there's no budget":
Strategy 1: Reallocate Existing Funds
Script:
"I understand we're budget-constrained. Let me propose this: We're currently spending $X on [identify low-priority line item]. If we reallocate $20K from that to cyber security in Year 1, we can establish baseline protection. Then we revisit annually."
Examples of possible reallocations:
- Delay a facility upgrade by one year
- Reduce professional development travel budget (use virtual conferences)
- Defer a non-critical technology refresh
- Reduce marketing/communications budget slightly
Strategy 2: Emergency Reserve Funding
Script:
"Our emergency reserves are designed for unexpected crises. A ransomware attack is exactly that kind of crisis. Seattle spent $1M from reserves recovering. Can we allocate $20K proactively from reserves to prevent needing to spend 50x that amount reactively?"
Strategy 3: Grant Funding
Script:
"I'll apply for IMLS, state library, or regional foundation grants to fund Year 1 security improvements. In the meantime, I'll implement all the free actions (MFA, backup testing, staff training) so we're making progress even without new funding."
Real grants to pursue:
- Institute of Museum and Library Services (IMLS) grants
- State library development grants
- Regional library consortia security grants
- Local foundation grants (position it as "protecting community access to library services")
Strategy 4: Multi-Year Gradual Approach
Script:
"If $25K in Year 1 isn't feasible, let's phase it differently: $10K this year for cyber insurance only. Year 2: Add the security audit. Year 3: Address findings. It's not ideal, but it's better than zero."
The Follow-Up Memo Template
After your presentation, send this memo to cement your ask:
TO: Library Board of Directors
FROM: [Your Name], Library Director
DATE: [Today's Date]
RE: Cyber Security Investment Proposal – Follow-Up
Thank you for the opportunity to present on library cyber security risks today. As discussed, I'm recommending a phased investment starting with $[X] in [Year] to establish baseline protection.
Key Points from Presentation:
- Three major libraries (British Library, Toronto Public Library, Seattle Public Library) experienced ransomware attacks in 2023-2024 with recovery costs ranging from $1M-$7M
- Library of Congress survived an attack attempt because they had multi-factor authentication enabled
- Our proposal: $[X] investment in Year 1 for cyber insurance and security audit (2-3% of typical recovery costs)
Requested Action:
Approve $[X] budget allocation for FY[Year] cyber security program, to include:
- Cyber insurance: $[X]
- Security audit: $[X]
- Implementation of free/low-cost security measures (MFA, backup testing, staff training)
Next Steps if Approved:
- Secure cyber insurance quotes (3-4 vendors)
- Solicit security audit proposals (state consortium, regional IT firms)
- Implement MFA across all library systems within 60 days
- Brief staff and create patron-facing communications
Alternative if Budget Not Available:
I will pursue grant funding and implement all free security measures immediately. Without cyber insurance, the library assumes 100% financial risk for a potential $1M+ breach recovery.
I'm happy to answer questions or provide additional information.
Respectfully,
[Your Name]
Why this works: You've documented your recommendation. If the board says no and you get breached later, you have evidence you raised the issue and were denied resources.
The Nuclear Option: When Your Board Won't Act
If your board refuses to fund cyber security despite your best efforts:
Document everything.
Send a formal memo stating:
- You've identified significant cyber security risks
- You've provided cost estimates for mitigation
- You've explained potential consequences (ransomware recovery costs)
- Board declined to allocate funding
- Library assumes all financial and operational risks
Copy this memo to:
- All board members
- City/county legal counsel (if applicable)
- Your liability insurance provider (they need to know you've identified risks)
Why this matters: If you get breached and sued, you need evidence you tried to prevent this and were denied resources. This protects you personally.
Then do everything free:
- Enable MFA everywhere (free)
- Test backups (free)
- Join MS-ISAC (free)
- Train staff using free CISA resources (free)
- Document manual processes (free)
You can't eliminate risk with zero budget, but you can reduce it significantly. And you've documented that you tried to do more.
Sample Board Resolution
If your board approves funding, pass a formal resolution:
RESOLUTION 2026-[X]
Library Cyber Security Program Authorization
WHEREAS, ransomware attacks on libraries have increased significantly, with major incidents at Seattle Public Library ($1M recovery cost), British Library (£7M recovery cost), and Toronto Public Library (4 months offline);
WHEREAS, the Library Director has identified cyber security risks and recommended mitigation measures;
WHEREAS, cyber insurance and security audits represent prudent risk management;
NOW, THEREFORE, BE IT RESOLVED that the [Library Name] Board of Directors authorizes expenditure of $[X] for FY[Year] to establish a library cyber security program including:
- Cyber insurance coverage
- Professional security audit
- Implementation of security measures as identified by audit
- Staff cyber security training
BE IT FURTHER RESOLVED that the Library Director shall report quarterly to the Board on cyber security status and any incidents.
Adopted this [Date] day of [Month], [Year].
Why this matters: Formal resolutions show you're taking this seriously. It also creates accountability for ongoing oversight.
What Success Looks Like
If you execute this plan successfully, here's what you'll have in 12 months:
- ✅ Board buy-in on cyber security as ongoing priority
- ✅ Cyber insurance covering breach response costs
- ✅ Professional security audit identifying specific vulnerabilities
- ✅ MFA enabled across all systems
- ✅ Tested backups confirmed working
- ✅ Trained staff able to recognize phishing and security threats
- ✅ Incident response plan ready to execute if needed
- ✅ Budget commitment for Year 2 remediation and Year 3 ongoing maintenance
And most importantly: You'll sleep better knowing you're prepared.
Further Resources:
- MS-ISAC (Free Cyber Security Services for Libraries)
- CISA Cyber Security Resources
- ALA Library Cyber Security Toolkit
- Seattle Public Library Post-Incident Report
Next Steps: Execute This Week
Don't wait for the next budget cycle. Do this now:
- Tomorrow: Copy the three slides above. Fill in your library's numbers. Adjust the language to match your voice.
- Next 3 days: Request a 15-minute slot on the next board agenda. Say "I need to brief you on a risk I've identified."
- One week: Present. Use the exact language from this article. Answer objections using the scripts provided.
- After presentation: Send the follow-up memo. Document everything.
- If approved: Execute the three-year plan starting immediately.
- If denied: Document the denial. Implement everything free. Protect yourself.
You know your board. You know what will move them. Use this playbook to speak their language. The funding is available if you ask in a way they can understand.
You have permission to use every template, script, and resolution in this article as-is. Modify them. Use them in your board packet. Share them with peer directors. This isn't proprietary. It's library advocacy.
Need help preparing your board presentation? Get in touch. Or just execute the plan above. You've got this.