Every chief security executive knows that one of the most important—and perhaps challenging—aspects of the job is getting the funding needed to support the cybersecurity program. The person handing the decision making on budgeting is often the CFO, so CISOs would be wise to learn the best ways to interact with these finance professionals.
“The CFO/treasurer-CISO relationship is critical in understanding how the [organization] measures success, which helps with how best to measure and communicate the cyber threats it faces,” says Arthur Treichel, CISO for the State of Maryland.
Here are some best practices for CISOs when working with the CFO in their organization.
Speak the CFO’s language
CISOs like to use metrics that relate to cybersecurity activity, says Frank Dickson, Security & Trust program vice president at research firm International Data Corp. (IDC). This includes metrics such as the number of alerts addressed, mean time to respond, mean time to remediate, and dwell time.
These are concepts finance chiefs are not likely to be interested in, so there is little point in bringing them up in discussions with these executives. “CFOs are looking for metrics associated with risk and security posture,” Dickson says. “Essentially, CFOs want to know if the organization is ‘safe.’ Communicating security activity information frustrates CFOs, as it does not provide the information that they desire.”
A good practice is for the CISO and CFO to sit down and establish a set of metrics that communicate the needed information, Dickson says. “This does not mean that the CISO teaches the CFO all about cybersecurity,” he says. “It means that a CISO changes the manner in which he or she communicates.”
For security executives, talking to the CFO “can sometimes feel like a challenge,” says Andy Ellis, operating partner at venture capital firm YL Ventures and a former CSO. “The CFO seems to rule over a domain that is entirely about recording hard, factual data. The CISO, on the other hand, is often talking about risk in nebulous, vague terms.”
Leverage data-rich economic models to quantify risk
Along the lines of speaking the CFO’s language, CISOs should use economic models whenever feasible. “Adopting an economic information risk model such as Factor Analysis of Information Risk (FAIR) from the FAIR Institute allows you to express information risk in financial terms the CFO—as well as the rest of the executive team and the board of directors—will easily understand,” says Bradley Schaufenbuel, vice president and CISO at Paychex, a provider of human capital management products.
“Adopting an economic model to quantify information risk has the added benefit of ensuring that you are prioritizing the most impactful risk reduction efforts and optimizing cybersecurity spend, which is ultimately what the CFO wants from the CISO,” Schaufenbuel says.
Economic models should be rich in data. “Due to the nature of their work, most CFOs make data-driven decisions,” Schaufenbuel says. “Data is much more objective and more difficult to manipulate than subjective opinions or hunches. One of the best investments you can make in improving the effectiveness of your messaging to a CFO, as well as other C-suite executives, is to back the points you are making with relevant data.”
Communicate on a regular basis
Once a CISO has mastered the language of the CFO, it’s wise to communicate on a regular basis. Frequent interactions can help keep CFOs apprised of the latest cybersecurity threats, vulnerabilities, tools, standards, etc., and keep CISOs aware of the financial/budgeting situation at the organization.
This is especially true given the fast-changing security landscape, with new threats constantly emerging and new solutions hitting the market. “Communication needs to be proactive and frequent, but also succinct,” Dickson says. CFOs are not interested in becoming cybersecurity experts, he says. They just want assurances that the organization is appropriately protected, and they want to be aware of the risk profile of the organization.
Invest in your own financial literacy
It’s not enough to convey the value of cybersecurity using financial models; CISOs need to understand the workings of finance in order to work effectively with the CFO. “To truly earn his or her seat at the executive table, a CISO needs to be financially literate,” Schaufenbuel says. “If you do not understand the difference between an income statement and a balance sheet and the nuances between an operating expense and a capital investment are a mystery to you, it will be difficult for you to gain the respect of your peers in the C-suite, but especially that of the CFO.”
Getting an MBA degree was easily the best investment Schaufenbuel made in his own professional development, he says. “Where an advanced degree is not practical, some online coursework in basic accounting and finance concepts is better than trying to navigate the C-suite without financial literacy,” he says.
Of course, the CISO can help educate finance leaders and their teams about basic security issues, without getting into the weeds. “In some cases, for me the best relationships with the CFO or treasurer started with an incident,” Treichel says. “Financial employees are an ideal target—phishing/vishing/malware campaigns targeted at employees who can authorize transactions are very common. Taking extra time to educate and work with these teams will reduce risk and build a relationship with the CFO.”
Understand the budget process
In most organizations, CFOs don’t control the budget. They control the budget process, Ellis says. “That’s a subtle, but important, distinction. If your company has an annual budget cycle where the year’s budget is ‘set’ in November, there is a months-long process of drafting the budget in the months before. If you show up in November with a new request for budget, of course you’re going to get pushback, regardless of the importance of your need.”
Even if the company holds back some of the budget for surprises, Ellis says, “you’re making everyone’s job harder, and denigrating their work, by working outside the process.”
When CISOs must work outside the process because of some unexpected urgency, they need to understand the difficulty this is causing and see if they can help. “Odds are, if you need money out of cycle, that has to come from someone else’s budget,” Ellis says.
Don’t neglect planning
Good cybersecurity planning is important in its own right, but it’s especially important for dealings with the CFO and other finance executives. “CFOs hate surprises,” Dickson says. “The last thing that a CFO wants is an unexpected surprise at the end of a fiscal year.”
It’s a good idea to update plans on a regular basis, including anything related to new investments in security tools and services. It’s also good to plan for well into the future. The typical 12-month IT planning cycles have to come to an end, Dickson says. “Plans need to be multi-year and be comprehensive across IT and security,” he says.
Multi-year planning not only can improve the effectiveness of security, but increase predictability, Dickson says. “The threat of unanticipated expenses is drastically reduced,” he says. “Additionally, the threat of unanticipated expenses can also be illuminated, thus the CFO can choose to make allowances.”
Separate subjective and objective analysis
Outside of a few narrow spaces such as fraud, almost all security analysis is subjective, Ellis says. “Even apparently quantitative methods [are] really just pretending,” he says. “Under the covers, it’s really just subjective ratings that then have numbers stapled on top.”
This isn’t unique to security teams, Ellis says. “Financial teams often have forecasts that contain some measure of subjectivity in them,” he says. “But a financial analysis with subjectivity is usually called out, carefully identified, and inspected after the fact if it was inaccurate.”
Security guesses, on the other hand, rarely lend themselves to critical analysis, Ellis says. “CISOs talk about return on security investment using guesses about likelihood that are pulled out of thin air, and then claim credit if something doesn’t go wrong or cast blame on others if it does,” he says. “When talking to a CFO, acknowledging the guesswork that goes into our predictions is a conversation starter. Don’t oversell your predictive ability, and you might find a partner who will have more empathy for your challenges.”