How CISOs Can Work With the CFO to Get the Best Security Budget

Today’s enterprise security executives are faced with situations that can really hurt the company’s bottom line. Security teams are trying to modernize security operations in an increasingly porous network environment with more sophisticated threats. There are also economic pressures from layoffs, budget cuts, and restructuring.

Worse, CFOs have heard doom-and-gloom predictions from CISOs of the potential financial catastrophe of data breaches so often that they no longer resonate with them.

The doomer scenario is not hypothetical: global compliance requirements and privacy regulations drive the cost of a breach higher than technical costs alone. However, CFOs and other C-level executives hear these warnings so often today that this background information alone does not drive their decision-making.

Is there a more effective way to help the CFO understand why security needs to be better funded? Yes: Present the CFO with a shared-risk scenario.

Setting Protection Priorities

Allan Alford, who was a CISO in various industries including technology, communications, and business services before becoming a CISO consultant, says CISOs should use a different approach to describe cybersecurity issues to the CFO. They should start by asking the CFO to identify the six most important strategic elements of the business (potentially including the supply chain, manufacturing operations, sensitive future product plans, etc.), then detail their plans for protecting each of the critical areas, Alford said.

The CISO can present the situation to the CFO in the following way: “Thank you for sharing those priorities. Now, you are saying that we need to reduce the security budget by 37%. Given the state of the economy in our sectors, that is completely understandable. To make the cuts possible, can you tell me which of these six areas I should stop protecting? We’ll also need to bring in the line-of-business executive so you can explain how these changes will affect that area.”

Historically, CISOs, CSOs, CROs, and other security-adjacent executives have been good soldiers, accepting the cuts ordered by the CFO and deciding where changes need to be made, Alford said. This conflicts with the CISO’s job: protect the company — including all intellectual property and all assets.

If the CFO decides to cut security funding, they need to work with the COO, CEO, board, and other senior executives to decide which operations they can afford not to protect. It shouldn’t be left up to the CISO to make those calls or defend the choices.

In fairness, the decision is rarely black-and-white. But if the CISO positions budget decisions this way, the CFO can see the actual business impact of the reductions. When the CFO is forced to decide where the cuts will happen and to choose which top-priority division is not protected, the conversation changes, says Alford. The CISO might say to the CFO, “Together we’ll figure out what risks are tolerable, but make no mistake: A 37% cut will put various units at extreme risk. Can the business afford such a deep cut in our defenses?”

The CISO can present cost-effective alternatives to reduce security defenses, rather than eliminate them entirely. Now there is a possibility to negotiate smaller budget cuts. Maybe that 37% cut becomes a 23% cut.

Negotiating as a Group

The conversation shouldn’t start and end with the CFO, says Daniel Wallance, an associate partner at McKinsey. It should involve the risk committee of the board, the CEO, the COO, and other colleagues who have a role in security spending, such as the CIO and the CRO.

“There is also an expense that comes from risk management [and] compliance above IT. I will adapt those functions, as they shared [security] responsibility and they might actually have the resources,” Wallance said. “I need it not to be a one-on-one conversation. I want to make it a group.”

These conversations with other security executives should happen before and after the CFO meeting, but not during.

The CISO needs to meet with other security players before meeting with the CFO to find out what overlaps and redundancies currently exist. The CISO also needs to know how much budget flexibility other executives are willing to give. That will be invaluable information to have while working with the CFO. After meeting with the CFO, the CISO can go back to the other executives and see what they can discuss as a group.

The actual CISO-CFO meeting should be just the two executives, to avoid making the CFO feel ganged up on. The discussion should be as friendly as possible to allow reasonable compromises.

Involvement in the board’s risk committee is critical, as it is ultimately the board’s role – working with the CEO – to dictate the company’s risk tolerance. If the CFO’s requested budget reduction conflicts with that risk tolerance, the board needs to know about it.

“The CISO should meet regularly with the risk committee,” says Wallance. “The business may not understand the implications of budget cuts. It’s not just the CFO that’s talking about it.”

Adapting to Market Conditions

Larger economic trends also affect the CISO’s budget needs.

There is a realistic threat to cyber insurance, the safety net CFOs have relied on for more than 20 years. Lloyd's of London said it would stop covering losses from state-actor attacks, which raises the problem of how difficult it is to prove the origin of an attack and who funded it. Insurance giant Zurich warned that it could leave out cyber insurance entirely. And an Ohio Supreme Court decision raised the prospect of other cyber insurance limitations. Those changes could dramatically increase pressure on the CFO to better fund security, as the business is now on the hook for the full cost of damages.

A complicating factor is the shortage of cybersecurity talent. Whether or not the gap is as big as some say, it’s true that today’s talent costs more than most budgets allow. So, yes, you’re going to have a hard time finding qualified people, but raise the salary enough and, poof, there’s no more talent shortage.

Richard Haag, the VP for compliance services at consulting firm Intersec Worldwide Inc., maintained that the difficulty of getting enough experienced talent was a strong argument in those discussions with the CFO.

“[I]n security, labor is about the only thing that can possibly be broken. You cannot change firewalls. These agreements are locked,” Haag said. “You have to say ‘I can barely protect your top strategic areas now. With the cuts you want, I just won’t be able to defend your top targets and certainly not your not-so-top targets. I need more people, definitely not less people.’”

Alford also suggests that CISOs point out how they negotiate lower vendor costs. Document this and share it with the CFO to demonstrate that the budget is being spent wisely.

“Show your prowess by driving vendor discounts as low as you can get them. CFOs want to know that money is well spent, and ‘we’re getting one heck of a deal’ is doing that well,” Alford said.

Finally, the CISO can also make a case for better security that delivers more revenue. Does increased investment in security make prospective customers more comfortable? Has the lack of security caused some existing customers to leave? For example, if a financial institution chooses to reimburse customers in all fraud situations (instead of what most FIs do, which is to reimburse only in certain situations), it can boast that its customers are better protected against fraud, which prompts customers to leave competitors. That move would justify higher cybersecurity spending because of the greater acceptance of fraud costs.

“If you can shorten the sales cycle and prove that security gets more sales, it can be very persuasive to CFOs: ‘Today, three customers left, but tomorrow there will be none,’” says Alford.