A successful relationship between the chief financial officer and chief information security officer (CISO) is critical to helping an organization build a strong cyber defense strategy. When the two work as partners, they are in a unique position to combat cyber risk.
One of the best ways to enhance the CFO-CISO relationship is through regular communication.
“Like with other organizations, check-ins between the CFO and CISO should happen regularly as conditions change, and few things [change] more rapidly than technology and information threats,” said Russ Porter, CFO at the Institute of Management Accountants (IMA), an association for finance professionals. “A CFO doesn’t need to look at many days of headlines to find an excuse to talk about information security.”
The conversation needs to start at the strategic planning stage, said Brian Wenzel, senior vice president and chief financial officer at financial services firm Synchrony. “The CFO and CISO should have ongoing discussions and engagement, including around potential cyber incidents, to ensure business continuity,” he said.
To prepare for these discussions, the CFO should be following cybersecurity trends, Wenzel said. “It’s also natural for the CFO to reach out to the CISO to ensure that the organization’s investment in cybersecurity is adequate to protect the organization’s infrastructure, given its approach to risk.”
For example, a financial services organization that manages thousands of digital payments a day must have capabilities in place to protect highly sensitive customer information and all transactions, Wenzel said.
Shared Interests
CFOs and CISOs “have deeply shared interests as key leaders of the business,” said Michael Gordon, CFO at software company MongoDB. “And while they have different areas of expertise, they will start developing better understanding and familiarities with key issues through regular communication.”
Gordon meets weekly with MongoDB’s CISO, Lena Smart. “There is no substitute for regular communication,” he said. “In addition to the formal, structured channels, I have found it most helpful to just talk to Lena and her team about key initiatives, any issues concerning them, and overall trends in security and the business more broadly.”
If possible, conversations between the CISO and chief financial officer should also include the chief privacy officer, said Raj Patel, partner and cybersecurity practice leader at consulting firm Plante Moran. “Each has a role in protecting data and assets,” he said. “The conversation can start simply by scheduling a meeting around it.”
These talks should take place at least quarterly, according to Patel, and should not be focused solely on the budget. “We don’t fight a war on budgets but do what we need to defend ourselves,” he said. “When our organizations get attacked every day, we are in a war. Many finance executives focus on a budget and at times compare it to prior budgets. When it comes to cybersecurity, the focus needs to be on risk, and allocating financial resources should be based on risk.”
When the budget discussion comes up, it’s good to have an idea about what the company needs to invest to sufficiently protect itself.
“The spend should be based upon the risks being guarded against and the changing landscape a company is facing,” Wenzel said. “That said, CFOs must continually evaluate cyber threats and risks and investment so that those risks are guarded against.” The end result is that the level of investment keeps the residual risks at a low/acceptable level, he said.
“I would focus on ‘reasonably sound’ cyber practices versus absolute minimum,” Patel said. “With a minimum, organizations could lean towards a negligent approach. You need to have a diligent approach to managing cybersecurity risks.”
In terms of metrics, Patel suggests determining a range of spending based on a number of areas, such as spending per employee, spending as a percentage of the cost of endpoint devices, spending as a percentage of network infrastructure costs, or spending as a percentage of salary costs.
There is no formula or simple rule of thumb, Gordon said. “The key thing is to make sure you are investing to protect your customers and your business. Of course, you can’t invest in everything. When you are not investing in certain areas or initiatives, it is critical to make sure you understand what risks you are taking and be confident that you and the [security] executive are clear and agree that those steps are appropriate.”
Making Security a Priority
Working together, the CFO and CISO can help ensure cybersecurity is a priority in their organization.
“Cybersecurity and cyber threat preparedness and planning is everybody’s job,” Wenzel said. “To focus a company on security priorities, it is especially important that the CISO has a direct line not only to the CFO, but to the board, the regulators, and so on. These relationships are key if a company is to understand its data security needs, investments, and processes today and in the future.”
At Synchrony, “an effective CFO-CISO relationship helps ensure data security practices are woven throughout every function,” Wenzel said. “It’s important in guiding and managing information security and data privacy budgets and in quantifying cybersecurity risks. Data protection is a top priority that is embedded in everything we do.”
To be most effective, cybersecurity needs to be a shared responsibility, ingrained in every policy, process, and procedure — and reinforced with the C-suite, board, and other stakeholders. “CFOs must think of cybersecurity as a business development arm versus a cost center,” Wenzel said.
CFOs can help implement the CISOs’ suggestions by advocating for security among other organization leaders.
“This requires communicating the importance of company-wide cybersecurity investments and emphasizing potential risks to the bottom line, as well as potential financial opportunities,” Wenzel said. “CFOs need to be active participants, not observers. Communication goes both ways. I use my professional curiosity and always ask lots of questions of our security team. There’s always an opportunity to learn more.”
The CFO “can be an ally in echoing the key [information] security messages to senior leadership and functions around the organization,” Porter said. “They can highlight the financial risk that is entailed with information leaks, and the value proposition of information security protocols.”
Protecting Financial Resources
A key part of ensuring strong cybersecurity for the entire organization is securing the financial function or department itself. Finance leaders need to lean on CISOs and data privacy officers to perform this function. “They need to support them with financial resources and hold them accountable for implementing effective controls,” Patel said. It might be a good idea to speak with an outside cybersecurity expert to get unbiased information about the organization’s level of risk and vulnerability, he added.
Everyone in the CFO’s organization, especially teams working with highly sensitive data, needs to understand and faithfully implement best practices, Wenzel said. “The CFO and CISO could collaborate on special training for those handling financial data and [personally identifiable information], which is fiercely sought after by hackers and criminals.”
Financial organizations “have long been stewards of significant amounts of confidential information, so the CFO can help ensure their own function is compliant and also share some best practices with other organizations,” IMA's Porter said.
CFOs can and should reiterate the critical benefits of information security to their teams, participate in and promote information security education with their teams, assist with testing security protocols throughout the organization, and ensure that processes and procedures are written to incorporate information security into the fabric of the organization, Porter said.
