Communicate Security Threats to the CFO Through the Language of Risk
Within every organization, business units compete for limited resources needed to make the business a success. Some functions might argue for hiring more people to grow the company’s revenue, while others show how investments in new technology can reduce expenses. CISOs and IT Security teams have a harder challenge: asking for resources to prevent a potential attack or breach from derailing business objectives.
I sat down with a colleague with whom I’ve worked closely — Tina Yeh, AuditBoard’s Senior Vice President of Finance and Operations — to discuss the challenges CISOs face when asking for budget increases, and I asked for her advice to CISOs on ways to work more effectively with their Finance Executives. Whether you’re a budget discussion veteran or getting ready to present to your CFO for the first time, we hope this article will help foster alignment between security and finance in your organization.
Speak the Same Language
The CFO lives in the world of financials — not necessarily in the cybersecurity and risk management world that a CISO inhabits. The CISO is responsible for gathering data and developing proposals for the CFO using the finance terminology they expect. Tina noted, “CISOs should avoid highly technical explanations or reducing the conversations to threats and controls only, without connecting the dots to business objectives and risk.” Instead, she recommends using a common, baseline language founded on business risk with financial impact. She says, “The approach could include sharing reports from the media about security incidents related to the risk you are presenting and showing how the same risk applies internally.” Another option could be to show how security investment would impact the market perception of the company as potential clients complete their due diligence when deciding if they want to partner with the company. Grounding the conversation in common business concerns brings finance executives directly into the conversation without alienating anyone with highly technical topics.
Gain Alignment With the Finance Team
Once common ground is established, the next stage in the conversation usually focuses on gaining alignment on priorities between the CISO and the CFO (and possibly, later the Board). Tina offers some insight into the different ways the two groups think. As she explains, “CISOs are adept at viewing the long-term horizon and preparing for unforeseen future risks to the organization, while the Finance team typically thinks in terms of quarterly performance, annual results, and three-year strategic plans.” To bridge the gap, CISOs can help draw the lines between business objectives and risks from a security perspective. By linking a security initiative to a business objective, Finance executives can see how the request fits directly into the strategic plan.
For example, the SEC recently enacted rules related to cybersecurity breach disclosures. The rules require a strong connection between IT Security (the CISO), financial reporting (the CFO), and corporate communications. Most organizations will support this initiative with technology to ensure timely disclosure. In this case, the budget request for cyber breach monitoring software and possibly additional staff ties directly to a financial reporting requirement under the purview of the CFO.
Make a Compelling Investment Argument
The last step is to justify the amount the CISO requests as an investment, quantifying the risk as an expense the company must avoid. The CISO must build a business case that details the impact of the security scenario.
Some ideas for the business case include:
- Total cost for every hour of lost productivity
- Value of the data lost in a breach
- Assigning a fixed dollar amount for every day, week, and month lost
- Legal and settlement costs in a data breach
- Cost for alternative paths in a business continuity plan
- Loss of a revenue stream if you provide services
- Fines for non-compliance with a legal requirement
- The projected cost to reputation as lost contracts or customers
- The likelihood of the scenario occurring to the business objective being impacted
While these are just examples, “the message is clear,” says Tina, “CISOs need to frame the security concerns in financial terms to convince the CFO to invest in their proposed programs.” By showing a complete potential cost, you facilitate the decision-making process. Tina cautions CISOs to remember, “If the cost of the control you are proposing outweighs the potential loss related to the risk, the CFO will not support the investment.”
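To make the business case concrete, the following is an added worked example (not from the article, from Tina, or from AuditBoard) that turns the cost items listed above into a single-loss figure, applies the likelihood to get an expected annual loss, and then checks the proposal against the caution just quoted: a control is only worth presenting when the loss it avoids exceeds its cost. It uses the standard single loss expectancy (SLE) and annualized loss expectancy (ALE) terms; every dollar figure, the likelihood, and the assumed risk reduction are constructed placeholders a CISO would replace with their own assessment data.

```python
from dataclasses import dataclass


@dataclass
class LossScenario:
    """Cost components of one occurrence of a security scenario.

    The fields mirror the business-case items listed in the article.
    All dollar figures used with this class are hypothetical, constructed
    for the example; they are not figures from the article.
    """
    name: str
    productivity_cost_per_hour: float   # total cost of each hour of lost productivity
    hours_of_disruption: float          # expected length of one occurrence
    data_value_lost: float              # value of data lost in the breach
    legal_and_settlement: float         # legal and settlement costs
    continuity_plan_cost: float         # cost of alternative paths in the continuity plan
    lost_revenue: float                 # revenue stream lost while services are down
    regulatory_fines: float             # fines for non-compliance with a legal requirement
    reputation_cost: float              # projected lost contracts or customers
    annual_likelihood: float            # probability the scenario occurs in a year (0..1)

    def single_loss_expectancy(self) -> float:
        """Total financial impact of one occurrence (SLE)."""
        return (
            self.productivity_cost_per_hour * self.hours_of_disruption
            + self.data_value_lost
            + self.legal_and_settlement
            + self.continuity_plan_cost
            + self.lost_revenue
            + self.regulatory_fines
            + self.reputation_cost
        )

    def annualized_loss_expectancy(self) -> float:
        """Expected annual loss (ALE) = SLE x annual likelihood."""
        return self.single_loss_expectancy() * self.annual_likelihood


def evaluate_control(scenario: LossScenario, annual_control_cost: float,
                     risk_reduction: float) -> dict:
    """Compare a proposed control's annual cost with the loss it avoids.

    risk_reduction is the fraction of the ALE the control is expected to
    eliminate (an assumption the CISO must justify from assessment data).
    The proposal is supported only if the avoided loss exceeds its cost.
    """
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be between 0 and 1")
    ale_before = scenario.annualized_loss_expectancy()
    ale_after = ale_before * (1.0 - risk_reduction)
    avoided_loss = ale_before - ale_after
    net_benefit = avoided_loss - annual_control_cost
    return {
        "scenario": scenario.name,
        "sle": scenario.single_loss_expectancy(),
        "ale_before": ale_before,
        "ale_after": ale_after,
        "avoided_loss": avoided_loss,
        "annual_control_cost": annual_control_cost,
        "net_benefit": net_benefit,
        # Return on the security investment, relative to the control's cost
        "rosi": net_benefit / annual_control_cost if annual_control_cost else float("inf"),
        "supported": avoided_loss > annual_control_cost,
    }


def sample_scenario() -> LossScenario:
    """A constructed 48-hour service outage; every figure is illustrative."""
    return LossScenario(
        name="48-hour outage of the customer-facing service",
        productivity_cost_per_hour=25_000,
        hours_of_disruption=48,
        data_value_lost=500_000,
        legal_and_settlement=750_000,
        continuity_plan_cost=200_000,
        lost_revenue=600_000,
        regulatory_fines=250_000,
        reputation_cost=1_000_000,
        annual_likelihood=0.20,
    )


if __name__ == "__main__":
    scenario = sample_scenario()
    # Two candidate controls with the same assumed risk reduction but different prices:
    # the cheaper one pays for itself, the more expensive one costs more than it avoids.
    for cost in (150_000, 600_000):
        result = evaluate_control(scenario, annual_control_cost=cost, risk_reduction=0.60)
        print(f"{result['scenario']}: SLE ${result['sle']:,.0f}, ALE ${result['ale_before']:,.0f}")
        print(f"  control at ${cost:,}/yr avoids ${result['avoided_loss']:,.0f}/yr "
              f"-> net ${result['net_benefit']:,.0f}, supported={result['supported']}")
```

With the constructed figures, one occurrence costs $4.5M and, at a 20% annual likelihood, the expected annual loss is $900K. A control that removes 60% of that risk avoids $540K per year, so a $150K control is an easy case to present, while a $600K control for the same reduction is exactly the situation Tina warns about. The likelihood and risk-reduction inputs carry the most uncertainty, so present them as ranges from the risk assessment rather than as single points when the decision is close.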
Invest in Relationships Before Asking for Funding
The strength of the CISO’s relationship with the CFO and the careful timing of a funding request can make a difference in getting the resources you want. Don’t just appear out of the blue with a big request — before there is a need, the CISO should build a relationship with the CFO to understand their priorities, constraints, and drivers. Understanding their perspective ahead of time will help the CISO build meaningful business cases.
“CISOs should be thoughtful about the timing of requests,” says Tina. The CISO’s regular risk assessments could be timed to finish just before budget meetings, so the results can be correlated with the current business objectives. During budget conversations, the CISO can also lay the groundwork for future requests based on emerging risks, company growth, and anticipated exposures. Tina says, “We need to focus on what’s coming around the corner to limit the number of surprises as much as possible.” Finally, current events can be used as an ongoing source of education for the CFO. When the press reports on security vulnerabilities, especially those impacting your industry, share the event with the CFO and explain the level of risk to the company along with an explanation of the current control environment. In this way, they see the result of their investment in real time.
A Common Language of Risk
By keeping a financial perspective in mind, CISOs can work more effectively with their CFOs to agree on risk appetite and improve the security posture of their companies by aligning their requests with Finance’s priorities through the common language of risk. All business functions can benefit from a connected approach, aiming to find common ground and ensure open communication and collaborative requests are based on the organization’s best interest and explained in a way everyone understands. After all — we’re all on the same team, doing our part to help achieve the company’s objectives.
Richard Marcus, CISA, CRISC, CISM, TPECS, is VP, Information Security at AuditBoard, where he is focused on product, infrastructure, and corporate IT security, as well as leading the charge on AuditBoard’s own internal compliance initiatives. In this capacity, he has become an AuditBoard product power user, leveraging the platform’s robust feature set to satisfy compliance, risk assessment, and audit use cases. Connect with Richard on LinkedIn.