Cybersecurity and board-level buy-in: how to speak the language of a CFO

Every CISO knows that the cyber threat landscape is growing ever-more sophisticated, making the mission of keeping the enterprise secure a task with seemingly no end. By learning to speak the language of the CFO, CISOs can improve their budgetary win rate and ensure that they get the investment they need to deliver on their accountabilities.


This is a contributed article by Andrew Rose, Resident CISO, EMEA at Proofpoint.


Every CISO knows that the cyber threat landscape is growing ever-more sophisticated, making the mission of keeping the enterprise secure a task with seemingly no end. Our recent survey found that more than half of CISOs and CSOs in the UK&I reported that their organisation suffered at least one significant cyberattack in 2020, with almost two thirds expressing concern that their organisation is at risk of an attack in 2021.

However, the unfortunate reality is that many CISOs struggle to get the resources they require to defend their organisation. This same survey found that half of respondents do not feel their board pays enough attention to delivering effective cybersecurity.

By learning to speak the language of the CFO, CISOs can improve their budgetary win rate and ensure that they get the investment they need to deliver on their accountabilities.

Understanding the CFO 

CFOs are naturally concerned primarily with the financial performance of the organisation, protecting its assets and building the company’s ability to create value and increase revenue.

Security and compliance are not something that the CFO spends much time considering; however, they recognise that the cost of a security incident can be devastating. Take Business Email Compromise (BEC) attacks, for example: the FBI recently estimated the losses from such attacks at $26.5 billion over the past three years.

Despite the proven financial risk, organisations don't have unlimited budgets, and CFOs have to be extremely thoughtful about how money gets spent to address business challenges and risks, including security and compliance.

The CFO’s internal dialogue

CFOs have a relatively formal thought process every time a new investment request is brought to their attention by a CISO. These are your key touchstones:

  • The size of this risk in comparison to revenue.
  • The cost of this solution in comparison to the impact of a breach over a three-to-five-year period. 
  • What capabilities do we already have, and how effective are they? How effective will this solution be in comparison? 
  • Why do we need this solution, rather than an alternative?
  • Can we consolidate suppliers for simplicity and greater financial leverage?

The CISO needs to respond to this internal dialogue and ensure that these factors are addressed in their business case.

Making the business case

Before you go to the CFO to discuss new investment, it’s wise to align your cybersecurity objectives and budget proposal with the wider business and compliance objectives:

1: Highlight the control gap

The first step in making the business case for investment in cybersecurity is to ensure that you clearly and succinctly define the problem.  

Describe the control gap in non-technical terms. For example, highlight how gateway systems are allowing malicious emails to pass through; or how your firm lacks the ability to track critical data moving between third-party cloud systems. 

Consider using peer comparison to demonstrate that comparable companies have addressed this matter. This ensures that the CFO has visibility of what would be defensible should an event occur.

2: Quantify associated risk and impact levels 

Work through the control gap and highlight how this could result in a security incident, using your company’s risk models.

Outline the potential losses that could result from a breach; consider using a ‘Value at Risk’ curve to align with other financial models. Express the loss as a percentage of annual revenue, as the operational impact of a service outage, and as a reputational matter; include any regulatory fines, or additional costs resulting from increased regulatory scrutiny.

Present the potential losses alongside recent examples from the media to highlight the potential reality. 

3: Describe the solution

Keep to non-technical language when describing the solution.

Explain why this solution will address the risk when existing controls do not.  Include some alternatives to give the CFO some flexibility for exploration, even if you feel the solution is clear.

Highlight the opportunities, such as the ability to simplify the technology estate, to seek greater purchasing leverage for discounts, or to drive efficiencies through automation.

4: Highlight the value

In this final step, ensure your business case addresses the specific cost issues and the business enablement rewards.

Firstly, outline the cost of the product, and the estimated costs associated with the deployment and implementation, including training and project costs.

Demonstrate how the solution can save money overall. Set the solution against the financial peril: detail the investment cost against the revised ‘value at risk’ over a three-to-five-year period. Outline potential savings from automation, consolidation or product decommissioning, and then re-affirm the annualised loss this will avoid.

Finally, tie the solution to existing business enablement initiatives. Consider which projects will benefit from this investment. Will it accelerate cloud deployment or assist with a new customer-facing functionality?
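The following is an added worked example, not part of the article, showing how the figures from step 2 (annualised loss and loss as a share of revenue) and step 4 (cost of the control, savings, and the loss avoided over a three-to-five-year period) can be put together for a CFO. All scenario probabilities, loss amounts, costs and the revenue figure are constructed assumptions for illustration.

```python
from dataclasses import dataclass

ANNUAL_REVENUE = 50_000_000.0  # constructed figure, GBP; not from the article

@dataclass
class LossScenario:
    name: str
    annual_probability: float     # likelihood the scenario occurs in a given year
    loss: float                   # estimated loss if it does (fines, outage, remediation)
    control_effectiveness: float  # fraction of that loss the proposed control removes, 0..1

@dataclass
class Control:
    product_cost_per_year: float  # licence / subscription cost
    deployment_cost: float        # one-off implementation, project and training costs
    annual_savings: float         # decommissioned tools, automation efficiencies

# Constructed scenarios; in practice these come from the company's own risk models.
SCENARIOS = [
    LossScenario("BEC wire fraud", 0.30, 400_000, 0.80),
    LossScenario("Ransomware service outage", 0.10, 2_000_000, 0.50),
    LossScenario("Regulatory fine after data loss", 0.05, 1_000_000, 0.60),
]
CONTROL = Control(product_cost_per_year=90_000, deployment_cost=150_000, annual_savings=20_000)

def annualised_loss(scenarios, with_control=False):
    """Annualised loss expectancy: probability x impact, reduced by the control if applied."""
    total = 0.0
    for s in scenarios:
        residual = 1.0 - s.control_effectiveness if with_control else 1.0
        total += s.annual_probability * s.loss * residual
    return total

def business_case(scenarios, control, years, annual_revenue):
    """Loss before/after the control, loss avoided, total cost, savings and net position."""
    before = annualised_loss(scenarios)
    after = annualised_loss(scenarios, with_control=True)
    avoided = (before - after) * years
    tco = control.deployment_cost + control.product_cost_per_year * years
    savings = control.annual_savings * years
    return {
        "ale_before": before,
        "ale_after": after,
        "ale_before_pct_revenue": 100.0 * before / annual_revenue,
        "loss_avoided": avoided,
        "tco": tco,
        "savings": savings,
        "net_benefit": avoided + savings - tco,
    }
```

Run business_case(SCENARIOS, CONTROL, 3, ANNUAL_REVENUE) and the same with 5 years to show the CFO both ends of the three-to-five-year window.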

Getting closer to the C-Suite

The ‘C’ in CISO often lacks the gravitas of the ‘C’ in COO, CFO and CRO, but that needs to change if the security industry wants to truly tackle the challenges that endanger an increasingly digital economy.

The CFO is the most influential person at the table after the CEO. CISOs need to build better C-level relationships and demonstrate a true understanding of operating, and not just securing, a business.

Andrew Rose is Resident CISO for the EMEA Region at Proofpoint. His focus is driving Proofpoint’s people-centric security vision, strategy and initiatives amongst the company’s customer base, bringing hands-on experience, knowledge and perspective in managing risk and improving cyber security posture across complex enterprises. Rose was previously Chief Security Officer of Mastercard subsidiary Vocalink, which is responsible for much of the UK’s instant and bulk payments, covering over 90% of UK salaries, over 70% of UK bill payments and nearly all UK benefit payments.
