A few years before the pandemic, Harvard Business Review published an article stating that CFOs don’t care enough about cybersecurity. Today, the article serves as a milestone dividing the old mentality from our new reality of the past two years. Since Covid, a new global threat landscape has materialized, and the notion of “it won’t happen to me” has been thrown out the window. Adversaries want to spy, steal, and sabotage data and critical assets. Everyone is a target. And these days, CFOs must understand cyber exposure with the same level of detail as the board of directors’ audit committee. CFOs need to whizz past the technical complexity of understanding cybersecurity defense and dive deep into risk mitigation in financial terms. Taking the culture of bits and bytes and translating it into financial language often begins by asking the CISO critical questions such as:
- Who are we as a company (our people, processes, and unique technology)?
- How are we vulnerable?
- Are we taking the right steps to mitigate risk?
In the spirit of Valentine’s Day, we’ve compiled four pointers to help you build a strong cybersecurity relationship with your CFO, who is trying to understand cybersecurity and make meaningful decisions.
1. Show that money will be spent on things that matter and eliminate the illusion of frivolity.
CFOs know the price of everything. As a cybersecurity professional, you need to demonstrate the value. Cybersecurity budgets are under more scrutiny these days, not only because of economic uncertainties but also because they are about resilience per dollar spent. When budgeting for a new cybersecurity program or defending an initiative, it’s imperative to focus on the high-impact events that can ruin the business. You must demonstrate how specific technological investments (such as control improvements) reduce exposure to these high-impact events. With thousands of cybersecurity tools on the market, remember to show how your choices will impact the bottom line.
2. Develop a stable relationship by always communicating in risk mitigation language.
Cyber risk mitigation is about defense and balancing the right amount of financial and technical controls over time. In every interaction you have with your CFO, you need to remember that their career lives and dies by the creation of financial statements. As a record keeper of financial history, the CFO will greatly appreciate representations of risk reduction over time that they can tie back to the balance sheet and income statement. This objectively demonstrates how the security organization is taking the right steps and moving in the right direction.
When choosing a cyber risk quantification method, you must ensure the numerical output you present to the board and C-suite is transparent and defensible. We’ve seen black-box approaches that leave CISOs with numbers that are difficult to justify. If you want to speak cybersecurity in dollars and cents (and be taken seriously), get ready to show how your risk calculation was derived!
3. Express a threat profile authentic to reality.
Every company is different. This is why cyber risk quantification is essential to risk mitigation communication. It’s not just understanding your gaps or deficiencies but identifying which ones are easier for cybercriminals to target and which result in the most negative impact if they occur. Unique systems, intellectual property, and processes may need to be considered. Cyber risk quantification lets you take those high-publicity events in the news and model them against your organization’s unique technology. CFOs can sleep better at night knowing the worst-case scenario and whether it is an acceptable financial risk.
Boards are eager to extract more value from cybersecurity reporting and view relevant risks through a context specific to their unique business operations. The CFO needs to understand cybersecurity on the same financial level and be prepared to defend cybersecurity investments in an evolving threat landscape.
4. Openly disclose and share vulnerable figures to build long-term trust.
CFOs of the past may have accepted cybersecurity in stoplight charts and heatmaps of green, yellow, and red. Today, heatmap reporting from CISOs is insufficient and doesn’t effectively track improvement over time. Report to CFOs in the language of the balance sheet and income statement by quantifying your critical cyber scenarios and demonstrating which control initiatives will best reduce exposure. It’s a way of reporting that is based on objectivity, not just the color you feel. We’ve heard stories of CISOs consistently reporting a risk as “yellow” year over year without providing any specificity on what has changed in the organization for that specific risk. As the cyber risk landscape evolves, so should your reported financial exposure, as well as the various preventive measures necessary to stay secure.
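As an added illustration of points 2, 3 and 4 (a transparent, derivable risk calculation; a scenario modeled to the organization; and exposure tracked against specific control initiatives), the script below is example code written for this article, not Axio's platform or method and not code from the original post. It uses a common frequency-times-magnitude Monte Carlo model: event frequency is Poisson, single-event loss is lognormal, and every input is a named, constructed assumption that can be shown to a CFO and challenged. The ransomware scenario figures, the control effects and the control cost are all made up for the example.

```python
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One modeled cyber loss scenario. All fields are explicit, reviewable inputs."""
    name: str
    events_per_year: float  # expected number of loss events per year (Poisson rate)
    median_loss: float      # median dollar loss of a single event
    sigma: float            # lognormal spread of the single-event loss (0.8 ~ wide uncertainty)


def analytic_ale(s: Scenario) -> float:
    """Closed-form annualized loss expectancy: frequency x mean single-event loss.

    For a lognormal with median m and spread sigma the mean is m * exp(sigma^2 / 2).
    This is the number a CFO can recompute by hand to check the simulation."""
    return s.events_per_year * s.median_loss * math.exp(s.sigma ** 2 / 2)


def _poisson(rng: random.Random, lam: float) -> int:
    # Knuth's method; adequate for the small annual rates used in loss scenarios.
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 20000, seed: int = 7) -> list[float]:
    """Simulate `years` independent years and return total loss in each.
    A fixed seed makes the result reproducible, so the derivation can be re-run
    in front of an auditor and give the same figures."""
    rng = random.Random(seed)
    mu = math.log(s.median_loss)  # lognormal parameter for the given median
    losses = []
    for _ in range(years):
        n_events = _poisson(rng, s.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, s.sigma) for _ in range(n_events)))
    return losses


def summarize(losses: list[float]) -> dict[str, float]:
    """Expected annual loss plus tail figures the board asks about ('worst case')."""
    ordered = sorted(losses)
    return {
        "ale": sum(ordered) / len(ordered),          # expected annual loss
        "p95": ordered[int(0.95 * (len(ordered) - 1))],  # 1-in-20-year loss
        "max": ordered[-1],                          # worst simulated year
    }


def apply_control(s: Scenario, frequency_reduction: float = 0.0,
                  magnitude_reduction: float = 0.0) -> Scenario:
    """Model a control initiative as a stated reduction in event frequency
    and/or single-event loss (e.g. stronger authentication mostly lowers
    frequency; tested backups mostly lower magnitude). Both are assumptions
    the security team must be able to defend."""
    return replace(
        s,
        name=f"{s.name} + control",
        events_per_year=s.events_per_year * (1 - frequency_reduction),
        median_loss=s.median_loss * (1 - magnitude_reduction),
    )


def control_value(baseline: Scenario, controlled: Scenario,
                  annual_control_cost: float) -> dict[str, float]:
    """Exposure removed per year, and exposure removed per dollar of control
    spend: the 'resilience per dollar' figure a CFO can compare across initiatives."""
    reduction = analytic_ale(baseline) - analytic_ale(controlled)
    return {
        "exposure_reduction": reduction,
        "reduction_per_dollar": reduction / annual_control_cost,
        "net_benefit": reduction - annual_control_cost,
    }


# Constructed example scenario (hypothetical figures, not benchmarks):
# ransomware on the order-management platform, roughly one event every two years,
# median single-event cost $2M with wide uncertainty.
RANSOMWARE = Scenario("ransomware / order platform", events_per_year=0.5,
                      median_loss=2_000_000, sigma=0.8)
# Hypothetical initiative: phishing-resistant MFA plus tested offline backups,
# assumed to halve frequency and cut median loss by 30%, costing $300k per year.
MFA_AND_BACKUPS = apply_control(RANSOMWARE, frequency_reduction=0.5, magnitude_reduction=0.3)
MFA_AND_BACKUPS_COST = 300_000


def main() -> None:
    for s in (RANSOMWARE, MFA_AND_BACKUPS):
        stats = summarize(simulate_annual_losses(s))
        print(f"{s.name:35s} analytic ALE ${analytic_ale(s):>12,.0f} | "
              f"simulated ALE ${stats['ale']:>12,.0f} | p95 ${stats['p95']:>12,.0f}")
    value = control_value(RANSOMWARE, MFA_AND_BACKUPS, MFA_AND_BACKUPS_COST)
    print(f"exposure removed ${value['exposure_reduction']:,.0f}/yr, "
          f"${value['reduction_per_dollar']:.2f} per control dollar, "
          f"net benefit ${value['net_benefit']:,.0f}/yr")


if __name__ == "__main__":
    main()
```

The useful property for the CFO conversation is that nothing is a black box: the analytic ALE can be recomputed on a calculator from the three scenario inputs, the simulation reproduces exactly from its seed, and a control initiative is recorded as an explicit frequency or magnitude assumption, so next year's report can state what changed in the inputs rather than repeating "yellow".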
The CFO and CISO Relationship
We hope these pointers help you build a stronger relationship with your CFO. They are all focused on cutting through the noise and being your true cyber self. A CFO’s love language is dollars and cents, after all. Speaking it lets you communicate cybersecurity more effectively and act on what you report.
Interested in seeing how you can report cybersecurity in financial terms? Schedule a call with us, and we’ll give you a tour of Axio360. Our integrated risk management platform can serve as a strong anchor to your cybersecurity program and help you and your team model cyber threat scenarios your CFO can wrap their fingers around.