The average organization uses 30-70 security tools and can spend millions of dollars to address a single type of attack. Not only has spending on cyber security increased rapidly over the years, but organizations’ security investments can sometimes exceed the losses the technology is designed to protect against. The combination of these two factors and a general lack of understanding of cyber security performance has led some organizations to view it as a black hole: the organization’s board sees money going into cyber security but cannot quantify the impact on operational performance.
CISOs need to rationalize their spending to demonstrate operational competence to the C-suite and board. Undertaking this effectively requires cultivating strategic alliances with peers across the organization to support each business case. For many companies, a connection already exists between CFO and CISO responsibilities, because a firm’s cyber security effectiveness impacts not only the cash flow of a business in terms of losses following an attack, but also stock market transactions. When these fail to flow as the result of a breach, brand trust and valuations can plummet in both public and private markets.
This cross-functional reliance should strengthen as the security rationalization process evolves. A critical factor for success is the ability to understand security needs across the company, which can help ensure the organization’s top-line goals are appropriately served by its workforce and investments.
The CISO’s Focus
The CISO must have a deep and verifiable understanding of the effectiveness of the cyber security stack, with full visibility across the entire attack lifecycle, from initial reconnaissance to completed mission. They must provide the board with empirical evidence in three main areas:
With this information, the CISO can work with the CFO to answer the board’s in-depth questions about cyber security protection and the impact on the bottom line.
The CFO’s Focus
Holding ultimate responsibility for the financial efficiency and accuracy of a company, a CFO needs to be confident that the organization’s financial systems are secure. Should a compromise occur, the reliability of financial reporting will be questioned, which can impact the company’s performance and market value. A CFO therefore needs to report to the board on three areas:
Although the CFO and CISO may share a broad set of goals, they approach those goals from different angles. A CISO needs to know how effectively threats are being detected, alerted on and blocked in relation to the level of risk they are willing to accept. A CFO needs to clearly see the connection between that level of risk and the effectiveness of security tools, in order to justify spending across people, process and technology that delivers a specific level of security and protects the value of the company.
As cyber security teams sharpen their focus on security validation and rationalization, the roles of the CFO and CISO become more closely aligned. Working together, the CFO and CISO can confidently answer the fiduciary questions of the board and broader financial markets regarding the specific measurable value (such as budgets and stock price) of an organization’s security stack.