How to make the CFO your best cybersecurity friend

Get a copy of the upcoming book "Secure Operations Technology"

I’m bad dinner company. As the CFO of a cloud technology provider, I like to speak about finance and cybersecurity, two topics entirely capable of putting my dinner guests to sleep. However, both topics are extremely important in today’s business world and are inextricably linked. Good cybersecurity is expensive, and bad cybersecurity is, well… even more expensive.

If you are not a cybergeek, it can be very difficult to tell the difference between the good stuff and the bad stuff, until something bad happens. Therefore, it’s very important to be able to clearly illustrate the ROI of any cybersecurity project to your CFO so he or she can rationalize the level of spending that good security requires. Allow me to explain what information CFOs are looking for before they write the check.

Spend more on cyber policy management and less on high-end CapEx

I’m often amazed at the amount of capital expended on high-end security appliances, with little thought of how those tools will be managed once installed. Essentially, this is what CFOs call “ROI.” We see this often when we migrate clients onto our platform – we see so much technology go to the junk heap because of over-purchasing. Don’t bring a cannon to a fistfight.

This is not to say that all of the bells and whistles included in these offerings are not potentially useful and protective, but without a fully qualified pilot in the cockpit to operate and navigate all of the functionality, much of it ends up unused, or worse yet misused, resulting in false positives and corresponding organizational inefficiencies.

CFOs would rather see fewer CapEx dollars spent on cyber investments, offset by more dollars spent on qualified professionals and organizational structure to manage those investments. Ultimately, this will yield a higher ROI.

If you are outsourcing your cloud services and security, it’s important to assess whether the provider has the financial and technical wherewithal to purchase the full menu of high-end appliances and, more importantly, employ a small army of engineers, whose sole purpose lies in the proper and efficient management of these devices on behalf of its clients.

Understand that your CFO looks at cybersecurity spending like corporate insurance

Cybersecurity investments often behave in a similar way to corporate insurance policies, although I think we can agree that these days we are much more likely to have a data breach than a fire or earthquake. Just like with insurance, cyber investments are money spent to protect against an unlikely-to-happen threat. We can’t take that chance, however slim, so we allocate scarce dollars to protect or compensate us should the worst occur.

When we buy insurance, we make trade-off decisions because to completely insure our business against every event would cost us more than we make in revenue. The same goes for cyber tools – a technologist could literally spend the entire P&L on protecting against cyber attacks. So we must be selective. CISOs beware: CFOs look at cyber spending as they do insurance, which is to say probabilistically. This is quite different from a technologist’s approach, which is to put as much firepower between the company and potential harm as possible.

Your CFO wants you to identify different types of cyber investments that might cover the same risks, or even be covered by implementing better policy. The already crowded space of vendors selling fear grows larger every day. Many of the technologies they are selling overlap with other technology that may already be in place. Make sure that your technology/security team can clearly articulate to the CFO what the various cyber investments are meant to defend against, and how they interact with one another. Provide the CFO with a protocol for purchasing cyber defenses that follow a standard for the who, what, why, where, how, and how much for every solution you recommend. The blanket statement “because it will make us safer” is unacceptable given the dollars at stake, and should not be cause fot the CFO to write a blank check.

More and more companies are spending significant dollars to protect against hackers. If you are one of these companies and you also spend dollars on cyber E&O insurance, consider approaching your carrier or broker for a discount. Much like being a non-smoker may reduce your health insurance premiums, so should having a a robust cybersecurity program reduce your corporate premiums.

Make cybersecurity work for your HR managers

Be sure to illustrate to your CFO how useful cyber tools can be across the firm, thereby increasing utility and ROI.

Many people think that cybersecurity is a bunch of expensive appliances and intrusion detection software, and sometimes this is true. But the biggest mistake that firms make is to invest in these tools and then let them sit exclusively under the purview of the technology team, or worse yet, installed with no hands-on management at all.

While these tools generally have a passive role, scanning or waiting for an event before leaping into action, the data that they analyze can be extremely useful to other areas of your company – if translated, summarized and communicated to the right people. An example of this is web filtering through an advanced firewall. Ostensibly, the purpose is to prevent employees from accessing sites with malicious potential. But in the course of scanning and blocking these sites, firewalls collect information on traffic to all of the other sites that employees are visiting. Thus, if presented clearly to an HR manager, this data could result in useful business intelligence around employee productivity. Trust me, the employee juggling seven fantasy football teams is not a great contributor to your firm.