How to convince the CFO of the budgetary security need

It had been custom for organizations to think of cyber security in terms of an information technology (IT) problem best left to IT people to address and fix. However, as more prolific breaches were publicized exposing a variety of sensitive personal, financial, and intellectual property-related data, it became clear that this was a rather myopic view in today’s increasingly interconnected world.

Cybersecurity needed to be a part of the business enterprise and not just an afterthought or complementary side-function. Since most businesses have a public-facing side and are reliant on organization and/or customer patronage, being able to protect their interests as well as the company’s becomes a symbiotic effort underpinned by a solid cyber security strategy. Identifying key information assets and processes and devising the appropriate security apparatus around them is a best-practices approach to securing the most critical components.

An organization’s Chief Financial Officer (CFO) is the individual focused on managing the financial risks that face the company. In this role, the CFO is in charge of financial planning and reporting up the chain as required. The CFO’s role is critical in the planning process particularly with regards to the budget. That individual will have insight into all facets of the organization, key initiatives, and any significant costs that may affect the organization in the near term. They will likely have input into the overall strategy of the company, as well as its vision and mission statement.

It is important that the CFO understand an organization’s cyber security needs by working with the Chief Security Officer and/or Chief Information Security Officer. Helping to educate the CFO on the nature of the threats, as well as their potential impacts against the organization’s business process, production, customer relations, and public perception will better inform them as to how to address security needs within a risk management environment. Since it is nearly impossible for organizations to protect all aspects of their enterprise, working with the CFO to prioritize threats by severity, potential impact, and cost-benefit analysis is an integral endeavor for security personnel looking to receive a budget that fits their needs.

There are some encouraging signs that the gap between CFO and CSO/CISO is narrowing. According to a 2015 survey conducted of 100 U.S. technology CFOs by BDO USA, a leading association of accounting, consulting, and professional service firms, two-thirds said they have increased cyber security measures for their respective organizations since the preceding year.

These findings are not isolated. A separate survey conducted by CFO Signals in 2015 found that of 103 CFOs polled, 74 percent ranked cyber security as their top priority, demonstrating that CFOs not only recognize the need to invest in cybersecurity but also understand that they have a role in it themselves.

After all, there is increasing focus on the C-Suite when breaches have made the news and consumers look for those responsible to be held accountable. In the wake of the Target, Ashley Madison, and Sony breaches that resulted in their respective Chief Executive Officers (CEO) stepping down or being removed from their positions, the major takeaway is that senior officers are not immune from repercussion. This caution extends to all of the C-Suite as well.

A lesson that CFOs can take from these examples is not to cut back on security expenses but be willing to ensure that there is appropriate funding available to ensure requisite security is in place, as the alternative may be to find other employment if post-breach investigations discover that sufficient funds weren’t allocated.

So how does one advocate for the appropriate cybersecurity budget from the CFO? Here are some proactive steps to help the CFO understand your organization’s cyber threat footprint:

  • Self-awareness. Helping the CFO understand the organization in terms of the types of goods and services it provides, its customer base, and its global presence brings greater self-awareness of what the organization does and how it does it. This is important in identifying the critical information assets and accesses that the organization cannot function without, thereby helping to identify and prioritize what needs to be protected.
  • Know the threat. Some organizations are targeted by all types of threat actors, ranging from hacktivists to cyber criminals to cyber espionage teams. Others may be targeted by one group more than another. Knowing the threat, who they are, what they are after, and how they operate will help identify the devices and services to implement against them. Taking proactive measures to defend against attacks that target your organization’s industry will reduce the costs associated with breach response, mitigation, and remediation on the back end.
  • Invest in the organization’s cyber security strategy. Because the CFO understands budgets, he or she is well placed to dedicate funding to the organization’s cyber security strategy. While some cyber security components are product driven and integrated into the network architecture, investing in services such as annual penetration testing, frequent user training and education, and testing of incident response and contingency plans will better prepare the organization to manage risk.

Today’s reality is that C-Suite members cannot operate independently of one another, and the more integrated senior leadership is, the better positioned an organization is to make strategic decisions that benefit the company. Cyber security is no longer solely an IT responsibility, and everyone at the top must assume an important role in safeguarding the organization, its assets, and its customers’ interests. The CFO is a linchpin in this process: by understanding the entire company’s threat landscape, funds can be allocated accordingly using a risk management cost-benefit model tailored to and representative of the company’s needs. CFOs can keep cybersecurity at the forefront of the CEO’s concerns, where it belongs.

Stories by Brian Contos