Aligning IT and Finance on Organizational Risk

Why CISOs and CFOs Should Come Together on Security Validation

The average organization uses 30-70 security tools and can spend millions of dollars to address a single type of attack. Not only has spending on cyber security increased rapidly over the years, but an organization’s security investment can sometimes exceed the losses the technology is designed to protect against. The combination of these two factors and a general lack of understanding of cyber security performance has led some organizations to view it as a black hole: the board sees money going into cyber security but cannot quantify the impact on operational performance.
CISOs need to rationalize their spending to demonstrate operational competence to the C-suite and board. Doing this effectively requires cultivating strategic alliances with peers across the organization to support each business case. For many companies, a connection already exists between CFO and CISO responsibilities, because a firm’s cyber security effectiveness affects not only the cash flow of the business, in terms of losses following an attack, but also its stock market transactions. When these fail to flow as the result of a breach, brand trust and valuations can plummet in both public and private markets.

This cross-functional reliance should strengthen as the security rationalization process evolves. A critical factor for success is the ability to understand security needs across the company, which can help ensure the organization’s top-line goals are appropriately served by its workforce and investments.


The CISO’s Focus

The CISO must have a deep and verifiable understanding of the effectiveness of the cyber security stack, with full visibility across the entire attack lifecycle, from initial reconnaissance to completed mission. They must provide the board with empirical evidence in three main areas:

  1. How successfully the company’s defenses protect against cyber attacks, and how this affects the organization’s overall risk profile.
  2. What opportunities exist to simplify the security technology stack while maintaining or improving security effectiveness, optimizing controls and their associated ROI.
  3. How cyber security spending can be adjusted to maintain an acceptable level of risk where budgets are under pressure.

With this information, the CISO can work with the CFO to answer the board’s in-depth questions about cyber security protection and the impact on the bottom line.
The CFO’s Focus

Holding ultimate responsibility for the financial efficiency and accuracy of a company, a CFO needs to be confident that the organization’s financial systems are secure. Should a compromise occur, the reliability of financial reporting will be questioned, which can affect the company’s performance and market value. A CFO therefore needs to report to the board on three areas:

  1. How the ROI of the current cyber security stack aligns with the agreed corporate risk profile.
  2. How the organization is recouping its cyber security investment, both as a whole and within prioritized applications.
  3. How the company’s cyber security scorecard compares with the financial rationalization of its security spend.

Hard evidence is needed to justify investments and to map cyber security spending to the company’s accepted level of risk, specifically for different functional areas such as executive communications, financial data and remote employees.

Although the CFO and CISO may share a broad set of goals, they approach those goals from different angles. A CISO needs to know how effectively threats are being detected, alerted on and blocked relative to the level of risk the organization is willing to accept. A CFO needs to see clearly the connection between that level of risk and the effectiveness of security tools, in order to justify spending across people, process and technology that delivers a specific level of security and protects the value of the company.

As cyber security teams sharpen their focus on security validation and rationalization, the roles of the CFO and CISO become more closely aligned. Working together, the CFO and CISO can confidently answer the fiduciary questions of the board and broader financial markets regarding the specific measurable value (such as budgets and stock price) of an organization’s security stack.