Every chief security executive knows that one of the most important—and perhaps most challenging—aspects of the job is getting the funding needed to support the cybersecurity program. The person handling budgeting decisions is often the CFO, so CISOs would be wise to learn the best ways to interact with these finance professionals.
“The CFO/treasurer-CISO relationship is critical in understanding how the [organization] measures success, which helps with how best to measure and communicate the cyber threats it faces,” says Arthur Treichel, CISO for the State of Maryland.
Here are some best practices for CISOs when working with the CFO in their organization.
Speak the CFO’s language
CISOs like to use metrics that relate to cybersecurity activity, says Frank Dickson, Security & Trust program vice president at research firm International Data Corp. (IDC). This includes metrics such as the number of alerts addressed, mean time to respond, mean time to remediate, and dwell time.
These are concepts finance chiefs are not likely to be interested in, so there is little point in bringing them up in discussions with these executives. “CFOs are looking for metrics associated with risk and security posture,” Dickson says. “Essentially, CFOs want to know if the organization is ‘safe.’ Communicating security activity information frustrates CFOs, as it does not provide the information that they desire.”
A good practice is for the CISO and CFO to sit down and establish a set of metrics that communicate the needed information, Dickson says. “This does not mean that the CISO teaches the CFO all about cybersecurity,” he says. “It means that a CISO changes the manner in which he or she communicates.”
For security executives, talking to the CFO “can sometimes feel like a challenge,” says Andy Ellis, operating partner at venture capital firm YL Ventures and a former CSO. “The CFO seems to rule over a domain that is entirely about recording hard, factual data. The CISO, on the other hand, is often talking about risk in nebulous, vague terms.”
Leverage data-rich economic models to...