The CFO and Cybersecurity ROI

Published by Scott Kannry

Welcome to Axio’s 2020 resolution series.  In the spirit of the holidays and with an eye towards being more practical than offering a set of predictions that may or may not come true, we’re instead offering one New Year’s resolution suggestion per week for each of the next four weeks.  As you’ll read over the next month, each resolution is geared towards a specific person or group of individuals, each of whom plays a critical role towards cybersecurity.  We’ll start this week with the CFO, who we resolve in 2020 will achieve “Investability.”

Starting with the CFO and Their Budget Considerations…

We have a hunch that you’ve just wrapped the dreaded annual budget cycle, and that over the past few weeks you’ve had to adjudicate budget requests from different people for distinctly different things.  Keep in mind, of course, that we’re talking exclusively about cybersecurity.

The CSO wants new technologies, many of which are very expensive. He or she may have even broken out the heat map that gets presented to the Board and reminded you that the Board doesn’t like red boxes, so a lot of the requests are geared towards turning those reds to yellows.  That probably got under your skin; you enjoy the precision of numbers in your role and the CSO makes decisions on colors?!?

Beyond that, the legal team anticipates having to retain more specialized attorneys given the new wave of privacy regulations coming into effect, and those folks aren’t cheap either.  That’s effectively another “must have,” because your CEO doesn’t want his or her name in the paper alongside the recognition that your company is one of the first violators.

Finally, add the risk manager to the mix, who just presented the budget for the insurance program, and of course they want additional funds for higher cyber insurance limits.  There again, you don’t have much choice, right?  Who wants to be the latest example of a company that only had insurance coverage for one tenth of their loss, when the hindsight analysis is going to easily show that a loss of that size was very much in the realm of possibilities?

Does any of this sound familiar?  Did you enter the budget cycle hoping that 2020 might finally be the year of keeping the cybersecurity budget flat, only to have your hopes dashed yet again?  Or were you one of the CFOs who has found a way to weigh all of these dynamics and adjudicate the budget cycle cost-effectively and with confidence, achieving cybersecurity investability?

Understand Risk Through Financial Terms by Utilizing Quantification Frameworks

The key to the latter is being able to contextualize all of the distinctly different components and asks, much as the balance sheet does in the financial world.  For cybersecurity, that harmony can be found by deploying a cyber risk quantification framework that allows the organization to understand its risk in financial terms, the universally understood language of business. Here’s a snapshot of how it works in practice:

1. Understand what types of cybersecurity events can occur based on how the business uses technology.

Many will be malicious in nature but don’t forget events that are just technological failings.

2. Determine the cost of the events above. 

After understanding the types of things that can happen (effectively, cybersecurity event “narratives”), use operational data to estimate the cost of those events.  For example, you can discern how much a theft of funds event would cost by understanding the levels of funds transfer authority, or the loss of revenue based on the hourly run rate of a revenue producing asset that is out of service, or the value of your entire technology infrastructure if you suffer a “bricking” attack.

3. Rank the narratives according to financial impact significance.

This gives you your harmonization function. Now the question becomes: what risk is the funds request geared towards protecting?  Is the risk behind that red square a $1M event while the risk behind a yellow square is a $100M event, which would lead you to conclude that turning the yellow square green is a much better investment? How about the insurance request?  Does the type of coverage you are being asked to buy more of protect against your most significant scenarios, or might one of the traditional coverage types have a hole in it that would leave a component of your biggest loss scenario coming out of your own pocket?

Better yet, when investments are matched to exposures in the way we’ve suggested, you can start to make cybersecurity investment decisions based on risk reduction/protection ROI, a CFO’s dream.  For example, which is the better cybersecurity investment: one that costs $10,000 and eliminates a $10M type of event, or one that costs $15,000 and only reduces the probability of a $250,000 event?  Certainly the $10,000 option is the better alternative, but perhaps you can now justify not making the $15,000 investment at all.  Instead of spending $25,000 to turn boxes from red to yellow, you’ve invested $10,000 to eliminate $10M of cyber risk.  That’s something to brag about at the next Board meeting and in your year-end review!
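As an added illustration (not code from the original post or from Axio’s platform), here is a small Python model of steps 1 through 3 and the ROI comparison above. The narratives, heat-map colors, probabilities and dollar figures are constructed for the example; the only values taken from the text are the $10,000/$10M and $15,000/$250,000 investment pairs.

```python
"""Toy cyber risk quantification: rank loss narratives in dollars and
compare controls by risk-reduction ROI instead of heat-map colors.
All narratives, probabilities and dollar figures below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Narrative:
    name: str
    heat_map: str        # color the CSO's chart shows today (constructed)
    impact_usd: float    # single-event loss estimated from operational data
    annual_prob: float   # estimated probability the event occurs in a year

    @property
    def expected_loss(self) -> float:
        """Annualized expected loss: impact x likelihood (step 2 in dollars)."""
        return self.impact_usd * self.annual_prob


@dataclass(frozen=True)
class Control:
    name: str
    cost_usd: float
    target: str            # narrative the control addresses
    prob_reduction: float  # fraction of annual probability removed; 1.0 = eliminated


def rank_narratives(narratives):
    """Step 3: rank by financial significance, highest expected loss first."""
    return sorted(narratives, key=lambda n: n.expected_loss, reverse=True)


def risk_reduction(control, narratives):
    """Dollars of annualized expected loss the control removes."""
    target = next(n for n in narratives if n.name == control.target)
    return target.expected_loss * control.prob_reduction


def roi(control, narratives):
    """Risk reduction per dollar spent; below 1.0 the control costs more than it removes."""
    return risk_reduction(control, narratives) / control.cost_usd


def best_control(controls, narratives):
    """The request that buys the most risk reduction per dollar."""
    return max(controls, key=lambda c: roi(c, narratives))


# Constructed register: note the "red" box is the smaller dollar exposure.
NARRATIVES = [
    Narrative("theft of funds via wire fraud", "red", 1_000_000, 0.20),
    Narrative("bricking of plant control systems", "yellow", 10_000_000, 0.10),
    Narrative("web store outage, lost revenue", "yellow", 250_000, 0.50),
]
CONTROLS = [
    Control("segment the control network", 10_000, "bricking of plant control systems", 1.0),
    Control("extra monitoring for web store", 15_000, "web store outage, lost revenue", 0.10),
]
```

Running `rank_narratives(NARRATIVES)` puts a "yellow" narrative at the top of the dollar ranking, and `best_control(CONTROLS, NARRATIVES)` picks the $10,000 control, whose ROI is 100 versus well under 1 for the $15,000 one.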

All told, utilizing a cyber risk quantification methodology can provide this level of insight, drive more effective decision-making, and thus make the 2020 budget cycle a lot less painful than ever before, with better results to show for it.  That’s investability for cybersecurity, and an achievable 2020 resolution for CFOs.
