Much deliberation has been given to the question of where the CISO fits in an organization. Who should the CISO report to, and why? According to a study by Global Risk Advisors, currently 40 percent of CISOs report into the CIO, and 22 percent report into the CEO, so much of the industry debate has focused there. However, 8 percent of CISOs report into the CFO, and that is the relationship we will focus on now. Even if the CISO does not report into the CFO directly, most CISOs have a dotted line into the finance department, and at a minimum most CISOs partner closely with the CFO on issues related to risk mitigation and data protection.
In fact, the CFO can often be the CISO’s best friend and biggest cheerleader. After all, Bank of America’s security department did not get a blank check for security in 2015 without the CFO being on board with their efforts. The CFO in any company has a unique interest in information security both because of their fiduciary responsibility to protect revenue and their role as a steward of data.
The 2015 Deloitte CFO Signals report states that 25 percent of CFOs feel their organizations are insufficiently prepared for cyber-attacks and malicious threats. So, we know the CFO is worried about information security. But, to be clear, most CFOs do not want to take ownership of the information security function, and that is the most likely reason only 8 percent of CISOs report into the CFO. “I haven’t met a CFO who enjoys having information security on their plate,” says Nick Araco, CEO of the CFO Alliance. “Most CFOs do not want the CISO to report to them. But they do want to create a collaborative culture across the C-suite to address the flow of data in general and data security in particular.”
Focus on Big Impact Risks to Keep the CFO Engaged
Valerie Rainey, CFO of INTTRA, told CFO.com that, “It is the CFO’s responsibility to keep cybersecurity issues top of mind for the executive team, which is always dealing with other ‘fires of the day’. You [the CFO] have to make sure the company doesn’t lose sight of the fact that this very strategic enterprise risk needs to be addressed on an ongoing basis. It’s not like you can put a plan in place and you’re done. Hackers are becoming more sophisticated all the time.”
In other words, the CFO understands, or is beginning to embrace the idea that they have a stake in information security. This reality makes the CFO a good partner for the CISO. But first, CISOs must make certain that they are communicating at the level of the CFO.
When Rainey tells CFO.com that IT executives may not be effective in articulating the impact of business risks, she is repeating a critique that information security executives have heard before. She says the CFO should “focus on risks that have a high likelihood and a big potential impact on the business, whereas IT people will often say that every risk is important.”
To get the CFO’s buy-in, the CISO has to address this concern. CISOs must make sure the risks they identify and prioritize are in step with the company’s critical business goals. This ensures security can have maximum impact and will help the CFO view CISOs as executive partners, not technical managers.
By committing focus to the risks the CFO has identified, the CISO can gain a high-level executive partner advancing the information security program at the Board level. David Rubin, CohnReznick Risk and Business Advisory National Director, is quoted in BOSS Magazine saying that, “CFOs are better equipped to respond to the questions and concerns of their Board of Directors and shareholders”, once they have a “keen understanding that cybersecurity is more than a set of preventive technologies. It is a comprehensive set of methods, policies, and strategies designed to protect major assets.”
Lesson Learned from Finance: Collaborate, Do Not Control
In addition to the shared interest in risk management, there are two other commonalities between the CFO and CISO. The first is organizational. The finance department and the security department are unique in that their programs do not function in silos; by nature, finance and security impact all other departments. This means both the CFO and CISO can potentially wield outsized control over the other departments, which can negatively impact perception and willingness to collaborate. The CFO, of course, has budget control – investment does not happen without the CFO approving it. At the same time, the security department also has the capability to impact productivity, negatively or positively, through security controls.
Araco is speaking about CFOs when he says, “in general we much prefer to collaborate rather than control.” He says, “The finance department is responsible for putting processes and standards in place related to how data is used within the company. In this way, the finance department has an impactful role across all departments. Finance brings structure to organizations.” Does this sound familiar? The CFO’s role is a lot like the CISO’s role. There are shared experiences and clear opportunities to align in establishing processes that emphasize collaboration over control.
Lastly, Araco points out that by nature, the CFO and the CISO may be more comfortable with each other, as both are likely to be introverted and more analytical than other members of the C-suite, such as the CEO and the head of sales or marketing. While there is no hard data to prove that security professionals and CFOs are introverts by nature, it is true that the CFO appreciates black-and-white, numbers-focused reporting. While a CISO cannot always show return on investment or impact on profit and loss, the CISO can report on key performance indicators – such as threats detected and remediated. These types of reports, when tied back to risk mitigation, can go a long way in proving value to the CFO.