Why the CFO and CISO need to get along

Business exists as a system to capture and expand revenue. At the heart of this system is the relationship between the CFO and the CISO. The CFO is eager to remove all barriers to revenue. In many cases, removing those barriers make the business harder for the CISO to protect. Success in the near future for businesses will be dictated in large part by the abilities of the CFO and to CISO to figure this out.

The rubber hits the road in this arena when it comes to reporting cyber risk to the board. I attended a session at RSA 2018 which focused on this very topic. There were two striking takeaways from this discussion:

1) Reporting cyber risk to the board is a universal issue (regardless of industry or size of company). It was clear from conversation that communicating cyber risks to non-technical professionals is a need-to-have, not a nice-to-have. This came out loud and clear, independent of size of company or industry.

Also, based on the vast sea of consultants in attendance who “advised Boards on how to understand Cyber” or vice versa “advised CISOs on how to communicate outside of IT,” one might conclude that CISOs speak a language far removed from the King’s English.

2) There are two groups of CISOs. Based on conversations with dozens of CISOs throughout the RSA week, the idea of CISOs fitting into two camps becomes clear. These two camps are:

  1. CISOs who had established open communication with their CFO, and
  2. CISOs who had not

Both groups shared similar challenges:

  1. Limited resources to deal with unlimited threats
  2. Tension between the security of the network versus the speed and openness required from the network for business optimization
  3. Audit and Regulatory requirements versus user behavior and business processes
  4. Knowing the most important thing to do next from an infinite list of important things

Group A had a way forward and knew where to focus and what the Board needed and had zero problems with the Board.

Group B lived a Kafka-like existence of never knowing what they were supposed to do and were reduced to a compliance focus. Comments from this group took the air of “We try to comply with known best practices and compliance framework and hope for the best.”

Compliance is important.  However, the 17 month average tenure of a CISO is more related to communication issues than technology or compliance issues. “But, we were compliant!” is not going to stop them from asking you to pack your stuff up. “I need it to be compliant.” is not going to get you that additional $100k of budget to plug up a security hole.

So while the CISO speaks CVEs, BOTs and Remediation and the CFO speaks SEC, Revenue, and ROI and one watches Homeland and the other watches Billions on Sunday night, CISOs and CFOs actually have a lot in common:

  1. Both are tasked with marshalling limited resources to enable the highest productivity possible
  2. Both deal with a changing risk landscapes and tolerance
  3. Both identify and model risks and their effects on the business
  4. Both handle the company’s most sensitive data

The company’s bottom line is the responsibility of the CFO and the data assets and engines of productivity controlled by the CIO and the CISO have the greatest effect on that bottom line. There should be no greater allies internally than the CFO and the CISO since the CFO has the greatest interest in ensuring the cybersecurity of the company in that it secures their bottom line. Indeed the CFO is typically the most targeted individual at an organization for cyber attacks and social engineering.

The CISO and CFO relationship is a complex one and will certainly serve as fodder for many a future blog posts. But complexities aside, they are natural allies whose interests are far too aligned for them to not be marching in the same direction. Some of the best opportunities to facilitate this alliance, I have listed below.

Going forward, some opportunities for CISOs and CFOs are:

  1. Communicate Risk in terms of Cost.
  2. Communicate Mitigations and Security enhancements in terms of their ROI to the business.
  3. Realize the Board understands scenarios not technology. Build the business scenarios that the security compromise creates.
  4. Meet regularly. The CISO needs to understand the most important applications and data related to the revenue. The CFO needs to understand the technology and risk specific to those applications and how they can be improved.
  5. Collaborate on reporting to the board.

Interested in reading more of our blogs? Read about Dealing With Limited Resources In Cybersecurity next.