# Opener

CSOs and CFOs; The World’s Next Greatest Dynamic Duo

Published by Scott Kannry

One could argue that the World’s greatest conquests, competitions, and challenges are better off when in the hands of a dynamic duo.

Dynamic Duos are pervasive in sports. Growing up in Chicago in the 90s, I would immediately cite Michael Jordan and Scottie Pippen.  Boston sports fans would quickly counter with Tom Brady and Rob Gronkowski, much to the dismay of the rest of the rest of the United States.

History buffs and geopolitical commentators might argue that the Cold War would not have been won without the strong bond and collaboration between Ronald Reagan and Margaret Thatcher.

In the business world, Meta’s global dominance was undoubtedly fostered by the steady hand of Sheryl Sandberg, who knew how to harness Mark Zuckerberg’s creativity.  How about the unparalleled investment success of Warren Buffett and Charlie Munger, who created incredible returns for investors while concurrently drinking Cherry Coke and devouring dangerous amounts of chocolate.

And how could an article about Dynamic Duos get written without speaking to Sci-Fi and Gaming?  Could Link defeat Ganon without Princess Zelda’s powers?  Probably not.  Bowser would likely be the King of the Mushroom Kingdom if it weren’t for Mario and Luigi.  And Darth Vader is an intergalactic ruler without the partnership and teamwork of Han Solo and Chewbacca.

For all of these references, there are dozens more, in all walks of life and fantasy.  Great problems need dynamic duos!

What does all of this have to do with cybersecurity?

Much of late and especially in recent months has been made of the Chief Security Officer’s rise and importance within the enterprise.  And most of it is for the right reasons: cybersecurity is forever more a key enterprise imperative, especially with the role and decisions unpinning security programs coming under heightened scrutiny from company boards, regulators and investors.   There is no question that the CSO’s technical insights, and the significance of the cybersecurity program at an enterprise, deserve this elevated role, and there is no turning back.

However, much has also been made of the need for Chief Security Officers to become business leaders as well.  Some have even argued that without strong business acumen, Chief Security Officers don’t deserve a seat around the executive table.  While some might welcome this challenge and evolve naturally, the challenge can be daunting for others.  It’s not as if bits and bytes translate easily into dollars and cents.

For a moment, take the person and the role out of it.  What the argument is based on, is the need to translate cybersecurity to the business, and that requirement is unquestionable, more so now than ever before.  It’s unquestionable because enterprises don’t have unlimited resources and funds, so being able to understand cybersecurity spending and prioritization under a return-on-investment lens is appropriate.  It’s unquestionable because in a world of “Not if, but when,” businesses need to understand what a successful cybersecurity attack can look like, to minimize the impact and recover as quickly as possible.

So what if, instead of demanding that Chief Security Officers become the business leaders that some, but not all, want to become, enterprises incentivized Chief Security Officers and Chief Financial Officers to become close collaborators and the Dynamic Duo that this great challenge deserves?

There is an incredible amount that Chief Financial Officers can bring to the partnership, and benefits for their roles and responsibilities as well:

  • Business Value Perspective: A key role of the CFO is to understand where business value resides.  What are the greatest sources of revenue, and what are the capabilities enabling that revenue?  What are the businesses’ highest-valued assets?  What other key intangible sources of value exist, and where do they live in the organization?  This perspective is critical to understand in the context of what needs to be most critically protected.
  • Overall Programmatic Purview: While recognizing that the majority of cybersecurity spending is and likely will continue to be allocated to security technology, there are other important areas of spend that are part of the overall cybersecurity program.  For example, legal and regulatory compliance, vendor selection and monitoring, and the cyber insurance program.  All of the costs of these capabilities roll up to the company budget, and the CFO should understand the ROI on each component of the cybersecurity program.
  • Balance Sheet Impact and Protection: The CFO’s key role is to protect the balance sheet, and understanding the potential cost of a significant cyber event needs to be known to the CFO, to understand balance sheet impact.  In large organizations, this knowledge leads to financial protections (such as insurance), and this is also where having a better perspective on potential financial impact can lead to better risk reserve decisions, and sometimes even risk capital relief.
  • Investor Insight and Regulatory Compliance: Thanks to the increase in investor concern about cybersecurity, and newly established rules from the United States Securities and Exchange Commission and others, companies now have heightened obligations to investors and regulators when it comes to disclosing cybersecurity risk, in financial terms.  Who better than the CFO?

With all of these powerful perspectives and responsibilities outlined, it should be easy to see why the CFO should play a key role in the cybersecurity program.  But there is an added critical benefit, in that many of these perspectives and insights, especially knowing where enterprise value resides, and how the business ticks, is the perfect complementary knowledge to enable a Chief Security Officer to drive a better cybersecurity program.

When CFOs and CSOs effectively collaborate along these lines, the Chief Security Officer can more effectively focus on protecting the areas of the business that matter the most and prioritize the protection of the technology and capabilities that drive the greatest business value.  Additionally, the Chief Security Officer can more effectively allocate resources and capability to mitigate the impact of potential events, which is more important than ever before.  Simply put, if you know what a loss could look like, and what the cost drivers are, one can take more effective actions towards minimizing those losses, should they occur.

All of that said, the key question becomes how to enable the partnership.  It sounds like a daunting task but should not be.  This is exactly where an effective and collaboratively utilized cyber risk quantification methodology can create the bond that unites the Chief Security Officer and Chief Financial Officer.  But it must be one that can equally translate the technical perspective of cybersecurity to the financial perspective on the business and be uniquely tuned to the specific business at hand.  After all, when the Chief Security Officer and Chief Financial Officer stand up in front of the Board of Directors, they’ll have to effectively explain where the numbers come from.

The mark of a great partnership and dynamic duo is the complementary nature of capabilities and perspectives, that when combined foster a power to solve a challenge or win a competition that singularly could not be won.  Cybersecurity is one of those great challenges, that should not rest on the shoulders of one person alone.  Here’s to making the CSO and CFO the world’s next greatest Dynamic Duo.

Are you a Cyber-Ready CFO? Looking to be the next great Dynamic Duo? Check out our CFO readiness assessment tool to measure your cyber reporting capabilities. The tool will help you evaluate how well you and the cybersecurity team would:

  • Financially recover from a cyber event, if it happens
  • Measure and defend cyber risk in financial terms, so you can plan and budget ahead
  • Defend your plan and budget to the rest of the C-Suite and board