Today’s enterprise security leaders face situations that can really hurt a company’s bottom line. Security teams are scrambling to modernize security operations in an increasingly porous network environment with more sophisticated threats. There are also economic pressures from layoffs, budget cuts and restructuring.
Even worse, CFOs have heard CISOs predict the potential financial disaster of data breaches so often that it no longer resonates with them.
The conviction scenario is not hypothetical. global compliance requirements and privacy regulations raise the cost of a breach even higher than just technical costs. However, CFOs and other C-level executives have heard these warnings so often now that it’s just background information that doesn’t drive their decision-making.
Is there a more effective way to help the CFO understand why security needs to be funded much better? Yes. Present the overall risk scenario to the CFO.
Defining protection priorities
Alan Alford, who was a CISO in a variety of industries including technology, communications and business services before becoming a CISO consultant, says CISOs need to take a different approach to describing cybersecurity issues to the CFO. They should start by asking the CFO to identify the six most important strategic elements of the business, possibly including supply chain, manufacturing operations, sensitive plans for future products, and more. Then detail their plans to protect each of those critical areas, Alford says. .
The CISO can present the situation to the CFO as follows: “Thank you for sharing those priorities. Now you’re saying we need to cut the security budget by 37 percent. Considering the state of the economy of our sectors, it is completely. Understandable: To make the cuts possible, can you tell me which of these six areas I need to stop protecting? We also need to get the line-of-business executive involved so you can explain how those changes will affect that area.”
Historically, CISOs, CSOs, CROs and other security-related leaders have been good soldiers, accepting cuts ordered by CFOs and determining where changes need to be made, Alford says. This is antithetical to the job of a CISO. protect the company, including all intellectual property and all assets.
If the CFO decides to cut security funding, they must work with the COO, CEO, board, and other senior executives to determine which operations they can afford not to protect. It shouldn’t be left to the CISO to make those calls or defend the choices.
To be fair, the decision is rarely black and white. But if the CISO posts budget decisions this way, the CFO will see the real business impact of the cuts. When a CFO is forced to decide where the cuts will be and choose which high-priority division will be left unprotected, the conversation changes, Alford says. The CISO might say to the CFO: “We will find out together what risks are tolerable, but make no mistake. A 37% cut would put various departments at extreme risk. Can business afford such a deep cut in our defences?’
A CISO can present cost-effective alternatives to reduce security protections, rather than eliminate them entirely. Now there is an opportunity to negotiate a smaller budget reduction. Maybe that 37 percent reduction will become a 23 percent reduction.
Negotiation as a group
The conversation shouldn’t start and end with the CFO, says Daniel Wallace, an associate partner at McKinsey. It should involve the board’s risk committee, the CEO, the CEO, and other partners who have a role in security spending, such as the CIO and CRO.
“There are also costs from risk management [and] compliance above IT. I would deal with those functions as they have shared [security] responsibility, and they may actually have specific resources,” Wallens says. “I need that no be a one-on-one conversation. I want to make it a group.”
These conversations with other security leaders should happen beforehand and: after the meeting of the CFO, but not during it.
The CISO should meet with other security players before meeting with the CFO to learn what overlaps and redundancies currently exist. The CISO also needs to know how much budget flexibility those other executives are willing to offer. This will be important information when working with the CFO. After meeting with the CFO, the CISO can go back to the other executives and see what they can negotiate as a group.
The actual CISO-CFO meeting should be just the two executives so as not to make the CFO feel bogged down, says Wallance. The discussion should be as amicable as possible to allow for reasonable compromises.
Board risk committee involvement is critical because ultimately it is the board’s role, working with the CEO, to dictate the company’s risk tolerance. If budget cuts requested by the CFO conflict with that risk tolerance, the board needs to know about it.
“The CISO should meet regularly with the risk committee,” Wallans says. “Businesses may not understand the consequences of budget cuts. The CFO is not the only person in question here.”
Adapting to market conditions
Larger trends in the economy also affect CISO budgeting needs.
There is a real existential threat to cyber insurance, the network that CFOs have relied on for more than 20 years. Lloyds of London has announced that it will stop covering losses from attacks by state actors, which is problematic given how difficult it is to prove the origin of the attack and who funded it. Insurance giant Zurich has warned it may drop cyber insurance entirely. And the Ohio Supreme Court decision raised the prospect of other restrictions on cyber insurance. Those changes could dramatically increase the pressure on the CFO to better fund security, given that the enterprise will now face the full extent of the losses.
A complicating factor is the severe shortage of cybersecurity talent. Whether the gap is as big as some say, it’s true that the cost of talent today is higher than most budgets allow. So yes, you’ll struggle to find qualified people, but raise the salary enough and, poof, there’s no more talent shortage.
Richard Haag, Intersec Worldwide Inc. vice president of compliance services at a consulting firm, argued that the difficulty of acquiring enough experienced talent is a powerful argument in CFO discussions.
“[I]Safety, manpower is the only thing that can be cut. You can’t just swap firewalls. These agreements are closed,” says Haag. “You must say that I am barely defending your main strategic areas now. With the reductions you want, I simply won’t be able to protect your top targets and certainly not your not-so-high targets. I need more people, certainly not less people.’
Alford also suggests CISOs specify how they negotiate lower vendor costs. Document it and share it with the CFO to demonstrate that the budget is being spent wisely.
“Show your efficiency by keeping vendor discounts as low as possible. CFOs want to know that money is being spent well, and ‘we’ve got a good deal’ does that well,” says Alford.
Finally, a CISO can also provide better security, generating more revenue. Do higher security investments make future customers more comfortable? Is a lack of security causing some customers to leave? For example, if a financial institution chooses to compensate customers in all fraud situations, rather than what most FIs do, which only compensates in certain situations, it can boast that its customers are better protected against fraud, which motivates customers. is to leave the competitors. The move would justify higher cyber security spending due to greater acceptance of the cost of fraud.
“If you can shorten that sales cycle and prove that security drives more sales, that can be very persuasive to CFOs; “Three customers left today, but none tomorrow,” says Alford.