Good Chief Financial Officers (CFOs) understand that security is a critical part of running a business. But they still have to balance business needs against other company expenses.
As important as it is, cybersecurity is often treated as just another expense line on a very large overall budget plan. Typically, CFOs go to school for business and finance — not IT. They likely don’t have a technical understanding of security, so it probably won’t be a priority for them. People naturally tend to shy away from things they don’t understand.
It’s the responsibility of security professionals to help CFOs understand that even though it’s an expense, infosec is vitally important to the business. It may even take priority over some of the revenue-generating budget items. After all, it’s difficult to retain revenue if the business has no ransomware protection or means of data recovery.
But if you want to get them on the same page, you need to be able to speak their language and make their job easier.
Why Is It So Important to Get Your CFO to Invest in Infosec Tech?
Getting on the same page with your CFO about security spending is important, because information security is a vital component of every enterprise organization. If you can’t effectively collaborate with your CFO to make reasonable decisions and trade-offs, then ultimately it puts the organization at risk.
If your company isn’t investing enough in infosec, you’re potentially creating holes in your organization, which increases the likelihood that some sort of a cybersecurity incident will occur. It can also increase the severity of the incidents, because you might not be prepared to respond to a particular type of incident or attack.
See Things From the CFO’s Perspective
Most security and IT leaders come up through a technical career path, where communication and cross-functional understanding may not be considered critical skills. Communicating in a way that helps CFOs make informed decisions doesn’t come naturally.
It’s important to remember that information security is a cost to the business. The business’s job is to generate revenue. Our job is to support the business and help the company generate revenue in the most secure ways possible.
Since every expenditure on security is a cost to the business, we need to be willing to make reasonable spending requests and tradeoffs. That may mean not constantly asking for the latest and greatest technologies, because they might not fit in the budget.
Also remember that you’re partners, and not every budget discussion will result in approval of your request. You need to be gracious when it happens — get creative, figure out how to solve problems as best as you can in the meantime, and plan to make a revised request in the future with a stronger business case.
Practical Tips to Get CFOs to Say Yes
Talk in Your Audience’s Language
First and foremost, it’s important to talk in the CFO’s language. Highlight the financial benefits of the solutions you’re presenting. Don’t get lost in technical jargon or try to play the fear, uncertainty and doubt (FUD) card.
For example, if you already have Tanium for infosec solutions and asset management, you can make a case to use Tanium for integrity monitoring as well. It’s a small, incremental expense to add that module, which is much more cost effective than using a different single-purpose tool for integrity monitoring.
This is an appealing solution to a CFO. You’re already paying for Tanium, so it’s not a significant hit to the budget, and it also means they get to eliminate a vendor and reduce the agent count by removing a more expensive single-purpose tool.
Plan Ahead
Nobody likes surprises, CFOs included. In larger companies, there’s always a well-defined budget cycle. Planning usually takes place at the end of the third quarter or the beginning of the fourth quarter.
If you show up two months after the end of that budget planning cycle and ask your CFO for a $2 million upgrade that wasn’t in that budget, it’s not going to go well.
You’ve just made an opponent, you’ve blown the budget, and you aren’t showing that you’re a capable leader, because you couldn’t be bothered to plan during the regular funding cycle.
Be Realistic
Infosec is important, but at the end of the day, it’s a service to the business. Security professionals can often lose sight of the fact that without the business, there is no need for security.
Be reasonable about your spending. If you’re asking for a $6 million infosec budget and you only have $10 million in revenue, that’s probably not very realistic.
There are many benchmarks out there for infosec spending as a percentage of revenue. Follow those guidelines, and be realistic.
Be a Good Business Partner
Security very much needs to be a partnership. Unless you’re an infosec vendor, security is not a revenue-generating organization — security budgets are entirely made up of expenses.
Be good partners with all the heads at the table, including the CFO. If you try to strongarm your business partners, it’s just going to make for a poor working relationship.
That means being considerate with your asks. If the security technology you have works, maybe you don’t need the new thing right away. Or maybe you wait, because right now it’s brand new and very expensive. Perhaps you make some tweaks to the existing tech to get by, filling gaps that were identified by this new tech until it comes down in price.
Take a Risk-Based Approach to Spending
Most importantly, help your CFO to take a risk-based approach to funding infosec. I recommend taking a page out of the manufacturing Failure Modes and Effects Analysis (FMEA) handbook.
With FMEAs, you categorize your risks by considering two things: the likelihood that a given risk will occur, and the severity of the impact if it does.
You definitely need to address risks that have both a high likelihood and a high severity. Risks with a high severity but a very low likelihood may be accepted rather than mitigated.
When you talk through your risk-based approach with your CFO, address the financial risks. If your business suffers a ransomware attack and you don’t have backups, it’s going to take you weeks to restore manually and rebuild everything.
If you need to close down during that time, that’s weeks, if not months, of revenue lost. When compared with the relatively low cost of an effective backup solution, that’s language any CFO can understand.
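The FMEA-style scoring and the ransomware-versus-backup comparison above, as an added example that is not from the original post: a small risk register that scores each risk by likelihood times severity, applies the mitigate/accept rule, and sets expected annual loss against the cost of the control. All ratings, probabilities and dollar figures are constructed for illustration.

```python
# Added example (not from the original post): an FMEA-style risk register
# that scores likelihood x severity, applies the mitigate/accept rule, and
# compares expected annual loss with mitigation cost. All figures constructed.
from dataclasses import dataclass

HIGH = 4  # ratings run 1 (low) .. 5 (high); a rating >= HIGH counts as "high"


@dataclass
class Risk:
    name: str
    likelihood: int            # 1..5, how likely the scenario is this year
    severity: int              # 1..5, business impact if it happens
    annual_probability: float  # constructed estimate used for expected loss
    loss_if_it_happens: float  # constructed estimate, e.g. weeks of lost revenue
    mitigation_cost: float     # constructed annual cost of the control

    @property
    def rpn(self) -> int:
        """FMEA-style risk priority number: likelihood x severity."""
        return self.likelihood * self.severity


def decision(r: Risk) -> str:
    # Rule from the text: high likelihood AND high severity must be addressed;
    # high severity with low likelihood may be accepted rather than mitigated.
    if r.likelihood >= HIGH and r.severity >= HIGH:
        return "mitigate"
    if r.severity >= HIGH:
        return "may-accept"
    return "accept"


def expected_annual_loss(r: Risk) -> float:
    return r.annual_probability * r.loss_if_it_happens


def cfo_summary(r: Risk) -> dict:
    """One row a CFO can read: score, decision, and whether the control pays for itself."""
    eal = expected_annual_loss(r)
    return {"risk": r.name, "rpn": r.rpn, "decision": decision(r),
            "expected_annual_loss": eal, "mitigation_cost": r.mitigation_cost,
            "control_pays_off": eal > r.mitigation_cost}


# Constructed register; the first row is the ransomware-without-backups case.
REGISTER = [
    Risk("ransomware, no backups", 4, 5, 0.25, 600_000, 40_000),
    Risk("data-centre flood", 1, 5, 0.02, 900_000, 120_000),
    Risk("phishing of one mailbox", 5, 2, 0.9, 5_000, 8_000),
]


def prioritized() -> list:
    """Rows sorted by RPN, highest first, for the budget conversation."""
    return sorted((cfo_summary(r) for r in REGISTER), key=lambda s: -s["rpn"])
```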
Make a Solid Business Case to Your CFO
Talking to your CFO might be a daunting task, but if you follow this guide, you’ll be able to make a solid business case for your infosec needs.
To learn more about the biggest topics in cybersecurity, subscribe to our blog. Black Kilt’s experts provide industry-leading news and advice to help your business’s cybersecurity stay current.