3 reasons why CISOs should collaborate more with CFOs
C-suite may not always understand ROI of security efforts, which is why Nabil Hannan suggests that CISOs work more closely with CFOs to learn how to best communicate security's value.
At the end of the day, cybersecurity is a financial issue. Breaches can result in significant financial loss and reputational damage. Consider these statistics:
- The global average cost of a data breach is $3.86 million, according to the "Cost of a Data Breach Report 2020," with the U.S. having the highest average at $8.64 million.
- Another report found that insider threats are the most expensive category of attack to resolve, costing an average of $243,101. And this number is increasing.
- Lastly, in just the first six months of 2020, 3.2 million records were exposed in the 10 biggest breaches -- eight of the breaches occurred at medical or healthcare organizations. Healthcare was deemed the costliest industry by the "Cost of a Data Breach Report" with the average cost of a breach reaching $7.13 million.
Now forget those statistics; push them aside. While it's important to understand the financial aftermath of a breach, security teams need to uncover more proactive methods for communicating the value of their investments with organizational leadership to get buy-in (and funding) upfront. However, communicating the return on investment (ROI) of a security program, in which the results are not always tangible, has proven to be a challenge for security leadership.
The shift to a more proactive security program assessment can only occur if the chief information security officer (CISO) first has a greater voice at the table in the boardroom. As the individual most responsible for ensuring information assets and technologies are adequately protected, the CISO can serve as a bridge between the highly technical voices in infosec and other C-suite executives who are more financially, operationally or innovation focused.
And who among the C-suite can make this shift a reality? The chief financial officer (CFO). CISOs need to establish a stronger relationship with their CFO and financial team to better communicate the value of existing, and future, security investments. Here are three ways -- and reasons why -- the CISO and CFO should work more closely together.
Learn to speak the language the C-suite understands
Data is more valuable than ever, yet it is also more vulnerable than ever. How can CISOs best communicate this heightened value of data security to the leadership team? By speaking in words the C-suite can understand.
If you think about it, both CISOs and CFOs are working toward the same goal: preventing business losses. Engage the CFO in your strategy sessions and build trust on the foundation that you both are striving to reach that goal and face similar challenges -- navigating compliance obligations, working with limited resources and educating others to drive decisions based on risk. Understanding the perspective of the CFO will enable CISOs to better communicate the business case for security initiatives because the organization's financial leader can provide context on managing risk outside of the cybersecurity mindset. As an example, the relationship will help CISOs move away from "here's how X tool will protect against cyber adversaries" language to "here's how X tool will support X business strategy and minimize the risk of our customers' data being stolen by X%."
CFOs are experts in enumerating return on investment. CISOs can use this to their advantage and ask them to help quantify the results of a security program, even if it seems as if the results are intangible on the surface. This must start with defining program metrics.
Identify which metrics will resonate best with leadership
Unlike raw data, metrics provide business context, typically in a ratio or percentage format to help teams track progress. The right metrics allow CISOs to articulate the value of a security program to the C-suite and board members.
As alluded to above, the CISO and CFO are the two executive leadership roles that are most focused on risk management. Together, they can define risk management objectives and anticipate the questions the C-suite may ask about managing risk. The caveat: From my experience, it is common for executives to ask the wrong questions, ones that may result in misleading answers or ones that don't have an answer at all. Enter the CFO to guide the other leaders to ask the right questions. For instance, "wrong" questions could be:
- How does our vulnerability count compare to our competitors? The data to answer this question is often unavailable and it's not apples to apples; your competitors may be taking an entirely different security approach based on their own needs and requirements.
- What is our average time to recover from a security incident? The time to recover depends greatly on the actual incident.
"Right" questions frame cybersecurity as an investment. Questions could include:
- What is the impact on our organization's risk posture?
- What value are we getting from our investment?
- How well are we meeting our compliance requirements?
Effective metrics should answer these questions, ultimately determining the effectiveness of security programs, areas that require additional focus and the need to implement change. Once metrics are identified, what is the best way to monitor outputs that matter?
Keep track of the metrics that matter
It's important to recognize that most metrics will require collaboration with the C-suite in some capacity. Metrics that CFOs will find invaluable when assessing cybersecurity risk, and that CFOs can help track with the resources available to them, include:
- Costs related to remediation efforts. Quantify the effort expended to fix vulnerabilities. This time and effort are costs to your organization. Track remediation cost metrics, such as personnel costs multiplied by the hours spent, to determine whether remediation efforts are improving as a result of your security investments.
- Resources being allocated to security testing. Measure the investments being made into resources (people, tools and technology, processes, etc.). Often, when determining how much money to invest in security testing programs, the program is seen as a cost center. Instead, we must have regular discussions with the CFO on how the investment in preventing a breach and meeting regulatory requirements is significantly less than the cost and damage of being breached or receiving a fine. The CFO can closely track the ROI in security testing and, in turn, see software and systems being built with security in mind, which are inherently better from a quality and performance perspective.
- Costs of building a secure application. Monitor the cost of all security activities relating to application development. Audit the application development process for vulnerabilities to create efficiencies in building security into an application. CFOs should see the cost of building a secure application rise in the beginning, then decrease as the development teams identify areas of efficiency. And security teams should see fewer vulnerabilities in the software development life cycle as investments increase.
An opportunity to collaborate
In the midst of the COVID-19 pandemic, of the over 250 global CISOs surveyed by McKinsey, more than 70% expected security budgets would shrink by the end of 2020, and planned to ask for significant increases for 2021. As organizations begin or continue their 2021 planning efforts, now is as critical a time as any to collaborate with your CFO. CFOs are not required to be cybersecurity experts, but bringing their perspective to the C-suite may help uncover feasible solutions to the problems that keep CISOs up at night.
About the author
Nabil Hannan is a managing director at NetSPI. He leads the company's consulting practice, focusing on helping clients solve their cybersecurity assessment and threat and vulnerability management needs. Nabil has over 13 years of experience in cybersecurity consulting from his tenure at Cigital/Synopsys Software Integrity Group, where he built and improved effective software security projects, such as risk analysis, pentesting, secure code review and vulnerability remediation.