Jun 21, 2022
Talking to the CFO, as a CISO, requires a certain amount of translation, which means understanding the language of the CFO. Financials are the CFO's expertise, and recording the cold, hard facts of the financial data is their domain.
Now, consider the CISO, whose primary job is to take the complex universe of IT and work alongside their non-IT stakeholders, like the CFO, to get funding to manage their most critical cybersecurity risks, such as the email security program. That requires a special talent for not just translation – but communicating often nebulous concepts and getting buy-in.
The CFO controls the CIO/CISO budget, and that creates an interesting power differential in the conversation, especially when we’re looking for more money. Hard data and crisp communication will help unlock the relationship you need to establish with the CFO.
The next time a conversation with the CFO is on the horizon, a little preparation will level up the CISO-CFO partnership you need to build the security program you want. Here are some tips for successfully interacting with the CFO when you're a CISO.
The budget process may or may not be owned by the CFO – contrary to popular belief. Often companies have budget cycles where the annual budget is “set” in November by the C-Suite, with the budget process scheduled a few months in advance of finalizing.
Late-comers to this process are going to get pushback, regardless of how real the need is. Working within the set budgeting schedule not only increases the likelihood that you'll get the budget approved, it also builds goodwill with the executive stakeholders involved – including the CFO.
Sometimes out of cycle budget requests really are surprisingly urgent, like after a major security breach.
When you need to work outside of the budgeting cycle, understand the CFO's unique situation and see if you can help. An out-of-cycle budget request puts the CFO in one of two positions: if it is approved, the funds have to be pulled from another department's budget; if it is not approved, the C-Suite has to align on its tolerance for the new security risk you asked to have mitigated with that budget.
You can make allies on your Finance team if you help deliver that message – especially if the change in the risk landscape was unavoidable and could trigger fines if not managed (e.g. new regulatory compliance requirements). Maybe all you're doing is explaining the need and the urgency of the request and getting buy-in, but that's better than sending your colleagues into the lion's den without any context.
Many cybersecurity teams like to focus on technology issues, but the process risks that your CFO faces are often more critical.
Learn about the issues caused by forged emails (someone pretending to be your CEO authorizing a funds transfer), compromised vendors (redirecting legitimate payments to an adversary), and third-party vendors with poor security practices (where an entire industry may be sloppy).
It’s a lot easier for a CFO to understand how you are helping the whole company reduce security-related financial impacts if you’re also helping them with tangible examples that directly demonstrate the full scope of your security strategy.
If you’re not supporting the insurance process, that’s a great place to start. Even if your company isn’t buying cybersecurity insurance, your security program can be a selling point in the E&O insurance underwriting process, and you, or a senior member of your team, should visibly engage in the insurance process.
In almost all security analysis there is a subjective element, fraud risk being an obvious case. Even seemingly quantitative methods like CVSS and FAIR are only as quantitative as the subjective ratings that feed them: judgement calls with numbers attached.
This is not unique to security teams; financial forecasts also carry a degree of subjectivity. The difference is that when a financial forecast turns out to be wrong, it is called out, the error is identified, and the forecast is inspected afterwards.
Security guesses, on the other hand, are rarely subjected to that kind of scrutiny. CISOs often claim to have maximized return on security investment (ROSI) by making improbable guesses about likelihood, and then cast blame on others when something does go wrong – it's a win-win, right?
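To show how much a ROSI claim rides on the likelihood guess, here is a small sensitivity check. It is an added illustration, not part of the original article, and every figure in it (a $250,000 single loss from a forged wire-transfer request, an $60,000-a-year control that stops 80% of such incidents) is constructed for the example. It uses the common ROSI definition, (ALE before control − ALE after control − control cost) / control cost, with ALE = annual rate of occurrence × single loss expectancy; the break-even function shows the exact likelihood at which the investment stops paying for itself.

```python
"""Sensitivity of a ROSI claim to the annual-rate-of-occurrence (ARO) guess.

Added example; the numbers below are constructed and not from any real program.
ROSI = (ALE_before - ALE_after - cost) / cost, where ALE = ARO * SLE.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RosiInput:
    sle: float          # single loss expectancy, USD per incident (an estimate)
    aro_before: float   # incidents per year without the control (a guess)
    reduction: float    # fraction of incidents the control prevents, 0..1 (a guess)
    cost: float         # annual cost of the control, USD (usually the only hard number)


def rosi(inp: RosiInput) -> float:
    """Return on security investment as a fraction of cost (1.0 == 100%)."""
    ale_before = inp.aro_before * inp.sle
    ale_after = inp.aro_before * (1.0 - inp.reduction) * inp.sle
    return (ale_before - ale_after - inp.cost) / inp.cost


def breakeven_aro(sle: float, reduction: float, cost: float) -> float:
    """The ARO at which ROSI is exactly zero: cost == aro * reduction * sle."""
    return cost / (reduction * sle)


def sensitivity(base: RosiInput, aro_guesses) -> dict:
    """ROSI for each candidate ARO, holding the other inputs fixed."""
    return {
        aro: rosi(RosiInput(base.sle, aro, base.reduction, base.cost))
        for aro in aro_guesses
    }


def sign_flips(results: dict) -> bool:
    """True when the range of guesses contains both a losing and a winning case."""
    values = list(results.values())
    return min(values) < 0 < max(values)


# Constructed scenario: BEC wire fraud, one $250k loss per incident,
# a $60k/yr control (e.g. payment-verification process) that stops 80%.
BASE = RosiInput(sle=250_000, aro_before=0.5, reduction=0.8, cost=60_000)
ARO_GUESSES = (0.1, 0.25, 0.3, 0.5, 1.0)

if __name__ == "__main__":
    print(f"break-even ARO: {breakeven_aro(BASE.sle, BASE.reduction, BASE.cost):.2f}/yr")
    for aro, r in sensitivity(BASE, ARO_GUESSES).items():
        print(f"ARO guess {aro:4.2f}/yr -> ROSI {r:+.0%}")
    print("conclusion depends on the guess:", sign_flips(sensitivity(BASE, ARO_GUESSES)))
```

With these inputs the break-even likelihood is 0.3 incidents per year: a CISO who guesses one incident a year reports a 233% return, one who guesses one every ten years reports a 67% loss, and nothing on the page tells you which guess is right. That is the point worth making to the CFO before the number is presented, not after.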
The acknowledgement of our potential biases in predicting the future is a good conversation starter with a CFO. By keeping your predictive abilities in check, you are more likely to find a partner with the CFO who can understand these types of challenges.
Not every conversation you're going to have with your CFO is going to be an easy one. But following these three tips will help you build a long-term relationship with a business partner who can make your job easier … or much, much harder.