Today's enterprise security executives face situations that could really hurt the company's bottom line. Security teams are trying to modernize security operations in an increasingly porous network environment with ever more sophisticated threats. There are also economic pressures from layoffs, budget cuts, and restructuring.
Even worse, CFOs have heard from CISOs the doom-and-gloom predictions of the potential fiscal disaster of data breaches so often that it's no longer resonating with them.
The doomer scenario is not hypothetical — global compliance requirements and privacy regulations drive the cost of a breach even higher than just the technical costs. However, CFOs and other C-level executives have heard these warnings so often now that it's just background information that doesn't drive their decision-making.
Is there a more effective way to help the CFO understand why security needs to be far better funded? Yes: Present the CFO with a shared-risk scenario.
Setting Protection Priorities
Allan Alford, who was a CISO in various industries including technology, communications, and business services before morphing into a CISO consultant, says CISOs should use a different approach to describe cybersecurity issues to the CFO. They should begin by asking the CFO to identify the six most important strategic elements of the business — possibly including the supply chain, manufacturing operations, sensitive future product plans, etc. — and then detail their plans for protecting each of those critical areas, Alford says.
The CISO can present the situation to the CFO in the following manner: "Thanks for sharing those priorities. Now, you are saying we need to cut the security budget by 37%. Given the state of the economy in our sectors, that is completely understandable. To make the cuts possible, can you tell me which of these six areas I should stop protecting? We will also need to bring in the line-of-business executive so that you can explain how these changes will impact that area."
Historically, CISOs, CSOs, CROs, and other security-adjacent executives have been good soldiers, accepting the CFO-ordered cuts and deciding where changes have to be made, Alford says. This conflicts with the CISO's job: to protect the company — including all intellectual property and all assets.
If the CFO decides to cut back security funding, they need to work with the COO, the CEO, the board, and other senior executives to decide which operations they can afford to not protect. It should not be left to the CISO to make those calls or defend the choices.
In fairness, the decision is rarely black and white. But if the CISO positions the budget decisions in this manner, the CFO will see the actual business impact the reductions would have. When the CFO is forced to decide where the cuts will happen and to choose which top-priority division is left undefended, the conversation shifts, Alford says. The CISO can say to the CFO, "We'll jointly figure out what risks are tolerable, but make no mistake: A 37% cut will put various units at extreme risk. Can the business afford that deep a cut in our defenses?"
The CISO can present cost-effective alternatives to reduce security defenses, rather than eliminating them entirely. Now there is the possibility of negotiating a smaller budget cut. Maybe that 37% cut becomes a 23% cut.
Negotiating as a Group
The conversation shouldn't begin and end with the CFO, says Daniel Wallance, an associate partner with McKinsey. It should involve the board's risk committee, the CEO, the COO, and other colleagues who have a role in security spending, such as the CIO and the CRO.
"There is also spend coming from risk management [and] compliance on top of IT. I would engage those functions, as they have shared [security] responsibility and they may actually have dedicated resources," Wallance says. "I need this to not be a one-on-one conversation. I want to make it a group."
These conversations with other security executives should happen before and after the CFO meeting, but not during.
The CISO needs to meet with the other security players before meeting with the CFO to learn what overlaps and redundancies currently exist. The CISO also needs to know how much budget flexibility those other executives are willing to offer. That will be crucial information to have while working with the CFO. After meeting with the CFO, the CISO can go back to the other executives and see what they can negotiate as a group.
The actual CISO-CFO meeting should be just the two executives to avoid making the CFO feel ganged up on. The discussion should be as friendly as possible to allow for reasonable compromises.
Involving the board's risk committee is critical, as it is ultimately the board's role — working with the CEO — to dictate the company's risk tolerance. If the CFO's requested budget reductions conflict with that risk tolerance, the board needs to know about it.
"The CISO should be meeting with the risk committee regularly," Wallance says. "The business may not understand the implications of the budget cut. The CFO is not the only person at issue here."
Adapting to Market Conditions
Larger trends in the economy also affect CISO budgetary needs.
There is a realistic existential threat to cyber insurance, the net that CFOs have relied on for more than 20 years. Lloyds of London said that it would stop covering the losses from state actor attacks, which is problematic given how difficult it is to prove an attack's origin and who funded it. Insurance giant Zurich warned it might abandon cyber insurance entirely. And an Ohio Supreme Court decision raised the prospect of other cyber insurance limitations. Those changes could sharply increase the pressure on the CFO to better fund security, given that the enterprise will now be on the hook for the full amount of damages.
A complicating factor is the much-ballyhooed cybersecurity talent shortage. Whether the gap is as big as some say, it's true that the cost of talent today is higher than what most budgets allow. So, yes, you will have difficulty finding qualified people, but increase the salary enough and — poof — no more talent shortage.
Richard Haag, VP for compliance services at consulting firm Intersec Worldwide, maintained that the difficulty in acquiring sufficiently experienced talent is a powerful argument in those CFO discussions.
"[I]n security, labor is about the only thing that can possibly be cut. You can't just swap out firewalls. These agreements are locked in," Haag says. "You need to say, 'I can barely protect your top strategic areas now. With the cuts you want, I simply won't be able to defend your top targets and certainly not your not-so-top targets. I need more people, certainly not fewer people.'"
Alford also suggests the CISO point out how they negotiate lower vendor costs. Document it and share it with the CFO to demonstrate that the budget is being spent wisely.
"Demonstrate your efficiencies by driving vendor discounts as low as you can get them to go," Alford says. "CFOs want to know the money is being well spent, and, 'We got a heck of a deal' does that well."
Finally, the CISO can also make the case for better security delivering more revenue. Does higher security investment make prospective customers more comfortable? Is lack of security making some existing customers leave? For example, if a financial institution chooses to reimburse customers in all fraud situations — rather than what most FIs do, which is to only reimburse in some situations — it could boast that its customers are better protected against fraud, prompting customers to leave competitors. That move would justify higher cybersecurity spend because of the greater acceptance of fraud costs.
"If you can shorten that sales cycle and prove that security gained more sales, it can be highly persuasive to CFOs: 'Today, three customers walked away, but tomorrow none will,'" Alford says.