Why the CFO-CISO relationship is key to mitigating cyber risk

A lack of common language and understanding between CISOs and CFOs is leaving organisations more vulnerable to cyber attacks 


The CFO and chief information security officer (CISO) have not always seen eye to eye. One is driven by cost management and profitability, the other by digital security and infrastructure.

A lack of understanding between the two roles has been a cause of friction. Two-thirds (66%) of CFOs don’t fully understand the CISO role and have difficulty seeing the tangible return on cyber investment, a survey by FTI Consulting found.

“There’s always been some misalignment,” observes Martin Greenfield, CEO at cybersecurity firm Quod Orbis. “This disconnect can often be attributed to a lack of common language and understanding between the two.”

But the current landscape demands collaboration. Cyber attack methods are becoming increasingly sophisticated and the global average cost of a data breach has now reached $4.88m (£3.71m), according to the latest IBM and Ponemon Institute report – the highest amount ever recorded by the report.

Bridging the communication gap between the CFO and CISO will be crucial for organisations to effectively mitigate cyber risk.

Why CFOs and CISOs need to collaborate

While cybersecurity does not fall within the traditional remit of the CFO, they are experts in risk management. This makes them natural allies of the CISO, who is responsible for ensuring that cyber risks are mitigated.

They have the same objectives but are coming at it from different angles, explains Rob O’Connor, CISO at software group Insight. “Cyber risk is just another form of business risk and probably one of the most hazardous,” he says. “Fines from regulators and ransomware events can result in an organisation’s downfall, so it is critical for the CFO and CISO to have a good working relationship.”

Joint board-level messaging is also the only way to secure buy-in for cyber initiatives. The CFO is uniquely positioned to decide the risk tolerance of the organisation. They look at the regulatory environment, the financial capacity of the organisation to absorb losses, their strategic objectives and market conditions to determine the level of acceptable risk. “This forms the basis for everything the CISO is trying to achieve – so it must be communicated clearly,” stresses O’Connor.


Security risks don’t reside in one department and neither should the role of the CISO, adds Ron Kisling, CFO at Fastly. “Effective security in today’s world isn’t just about product and engineering; it’s also about the people we work with, the partners we choose and the tools and applications we use. The resource planning process, procurement, and engagement with third parties – all decisions typically overseen by the CFO – must involve the CISO to ensure a secure business.”

When the finance and IT departments operate in silos, it can lead to a lack of coordination and a failure to make the most of each other’s expertise and insights.

CFOs also have a significant influence on where money is funnelled and clear input from the CISO is required to navigate the complexities and nuances of cybersecurity. Cybersecurity is not simply a matter of increasing the amount spent on tools, skills or policies.

As O’Connor points out: “There is a misconception in security that more is always better. This is not true. Security always requires a balance between cost, usability and agility. The aim of the CISO is to find the right security and this will look different for every organisation.”

The financial modelling skills of the CFO and the security expertise of the CISO should, taken together, help the two agree on acceptable ranges and assumptions.

How to build a common language

CFOs and CISOs have a common objective – managing risk. But to work well together, they need to learn to speak the same language.

A CISO needs to be able to talk about cybersecurity in terms of business decisions and impact, says Greenfield. “This means communicating their requests for budget not in technical terms, but in terms of risk, such as brand protection or share price protection.”

CFOs, on the other hand, who are used to seeing business cases with clear cost and benefits projections, need to understand that while the cost of a security initiative might be known, the risk and impact of the breach it might prevent are much harder to calculate.

Anjana Mistry is CFO at digital consultancy Emergn. She believes the onus is on finance chiefs to listen to CISOs’ concerns. “A bit of humility is sometimes required – CFOs need to recognise that accountants are not IT experts. They need to listen to what the CISO has to say, try to understand what their process is and be a part of it.”

One way to cultivate a shared language and understanding around cybersecurity is to create joint risk assessments that align cybersecurity investments with business priorities. This could also incorporate metrics that demonstrate the return on security investments. Collaborative reporting and joint cybersecurity training sessions also serve as a good foundation for ongoing communication between these roles.

Timing matters

Ensuring a regular cadence of meetings is critical. The CISO and CFO should not only meet when there is an emergency or when it is time to ask for additional budget.

As O’Connor explains: “It is the CISO’s responsibility to have a forward-looking view of the landscape they are operating in. There will always be unforeseeable events which require emergency action but where the CISO knows action needs to be taken, they should give the CFO the maximum possible notice for budgeting purposes.”


Likewise, to enable more productive discussions, the CFO should be more proactive in following cybersecurity trends, adds O’Connor. “They should also understand that there is always a level of uncertainty in security and a proportion of the budget should be set aside to be able to respond to these events.”

Given the pace at which new regulations and vulnerabilities are emerging in the cybersecurity space, Greenfield believes there needs to be much more frequent touchpoints between the CFO and CISO. “Very rarely do the two leaders have face time – unless there is an urgent issue.”

He recommends they should aim to meet for 15 to 20 minutes at least once a month. Catching up on a more regular basis, even if it’s just for a short time, can also help to build trust and establish a sense of familiarity over the long term.

What businesses stand to gain

The wider business can benefit from CFOs viewing security leaders and their demands as more than just a hit to the bottom line. By involving them early in the strategic direction of the business, CISOs may be able to help position cybersecurity as an enabler, not just a defence mechanism.

“If the business wants to open up new markets in Asia, then the CISO will need time to understand the various compliance requirements in this area and implement the right controls and auditing,” says O’Connor. “Ultimately, this could be a real competitive advantage when bidding for work in this new region.”

Companies with strong cybersecurity ratings have also been shown to outperform their peers. Companies with advanced cybersecurity performance create 372% higher shareholder return compared to their peers with a “basic” security performance, a report by software firm Diligent found. Cybersecurity is now a metric used to determine the value of a company and can contribute to the share value of a firm.

In Mistry’s view, a unified approach that integrates perspectives from both finance and IT can also foster a stronger security culture. “When the CFO takes more ownership of cybersecurity, the rest of the organisation is likely to follow suit. It takes the issue outside of the confines of the IT department and brings credibility to the cause.”

As regulation gets stricter, the CFO and CISO will find themselves working even more closely together. Recent SEC rule changes in the US, for instance, mean that listed companies need to include statements around cybersecurity risk management in their annual filings.

To continue keeping their organisations safe, compliant and competitive, these two leaders are going to have to get used to spending more time together and establishing clear lines of communication.

Four steps to building a strong CISO-CFO partnership 