The Chief Financial Officer's job is to ensure that the company is managing finances appropriately, tracking cash flow, improving shareholder value, optimizing investments across all departments and making sure the company has a strong return on investment (ROI) for existing capital and operational expenditures.
I had a conversation with Tony Bowen, the CFO at H&R Block, who gave me better insight on how financial leaders think, and what they expect when dealing with cybersecurity investments.
When you work with the security leader of a company, outside of preventing a breach, what is your biggest expectation of them? What do you hope they focus time and energy on?
"It goes without saying, but do everything possible to prevent the breach. Ultimately, my expectation is that the CISO provides the right level of security, and personal safety, while still allowing people to be productive and get their jobs done. Be as secure as we can be, within a reasonable budget, and deploy technology that works."
What do you believe would make CISOs most successful in working with a CFO?
"First, communication. Articulate the state of the environment, the threats we are protecting against, what needs to be done and what level of security we will have in the end. Also, be transparent; don't try to sugarcoat things. Say it like it is... this is what we know and what we don't know. Second, trust is critical in the relationship. I need to believe the CISO is being transparent with me and that they have the ability to deliver on expectations."
What is your expectation of a CISO in how they ask for money? Do you expect CISOs to quantify an ROI on investments the business makes into cybersecurity? If so, how do you prefer them to articulate the value of an investment?
"In my opinion, there is no way, or it's very difficult, that you can effectively quantify the ROI on cybersecurity investments. However, tangible benefits can be measured in other ways. As an example, make sure the KPIs are relative to the most important things. Are we spending money to help protect us from the biggest threats to our business and doing it as efficiently as possible? If we are going to have a problem, where is it going to come from, what is needed to protect us from those threats and how long will it take to get there? In the end, show it. Present good ideas, develop a roadmap, implement those ideas and you will continue to get investment."
CISO Action Plan: Working with CFOs
- Understand your threat model: who wants what you have, why, and how they will try to get it.
- Build a roadmap that maps to the threat model, what you need for compliance and what the business needs to be successful.
- Define measures of success for projects and KPIs that measure the effectiveness of the controls over time.
- Don't wait; execution is critical. Show the value of the investments incrementally, over time.
Just like you, CFOs are focused on protecting the company's best interests and creating both short-term and long-term value for the business. However, that doesn't mean you will always get what you require, want or need for your program. That is why this is one of the most important relationships you can develop in the C-suite. If you are a CISO and would like more information on MSSP services, contact us today.