
EP 112: How to Work With CFOs on Cyber Risk Management
About this episode
August 16, 2022
You’re going to need the CFO’s support to be successful managing cybersecurity. Why? If for no other reason than the CFO controls the purse strings! So how do you do it? Let’s find out with your host Kip Boyle, vCISO with Cyber Risk Opportunities.
Episode Transcript
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.
Kip Boyle: Well, Jake's not available today to help me make episode 112 of the Cyber Risk Management Podcast. So it's just you and me this time. And since I get to pick the topic all by myself, today we're going to talk about how you should work with the chief financial officer when you're doing cyber risk management. All right. So why the CFO? Well, in my experience, you are going to need the CFO's support to be successful. Even if you never speak directly with the CFO, someone will put your spending requests in front of them to be considered. And that's because, just like Congress, the CFO controls the purse strings in your organization. And it can be a situation where even if the CEO says, "Yes, Kip, I want to do what you're suggesting," the CFO can still veto it if you haven't done a good enough job making the business case that your spend is a justified use of the organization's money.
And, from the CFO's perspective, they see things differently. They see multiple competing proposals to spend money. And let me give you an idea of what they're seeing. All right? So let's say you want to spend $25,000 to deploy a password manager to the organization. Well, you put in your budget request, and at the same time the CFO is getting a budget request from sales, and they want to use $25,000 to incentivize their sales team to increase top-line revenue. And at the same time, the marketing department wants $25,000 because they want to completely refresh the website. All right, so the CFO is looking at this and trying to figure out what's the best use of this money. Now, sometimes everybody can get what they're asking for, and sometimes they can't. And when push comes to shove, a CFO is going to lean towards allocating the money to the spending requests where they can understand the business value that is going to be created.
So that's your challenge: to make sense to the CFO so that they are more likely to understand what it is that you are requesting and hopefully approve it. All right. So what do CFOs want to know about cyber risk management? I think that's the natural next question you would ask me. Well, the answer is almost nothing. They don't want to know anything about it, really, which creates a paradox. All right. So why do they not want to know anything, when I just told you that the better they can understand your spending requests, the better off you are going to be? Puts you in a bind, doesn't it? Well, I'm going to answer that question by telling you a story about carpets, diamonds and cyber security, and it all goes together, and you'll find out in just a moment.
So sometime last year, I was talking to one of my customers who is a CFO, and he said that he was glad we were working together, which was a great thing for me to hear. I really enjoyed that. And I asked him, "Why?" Was there something particular in his mind that was causing him to say that? And he said, "Well." He said, "Kip, I don't really want to know about cybersecurity any more than I wanted to know about carpets and diamonds." And I said, "All right, you're going to have to keep talking, because so far you're making no sense to me." And then he said, "Well, in my personal life, I've had to make some big purchasing decisions on carpet, diamonds, other things. I felt, because I didn't know much about them, that I had to learn something about them in order to make a good decision and to avoid a false start in my personal finances, or to avoid spending more than I really needed to."
And what he said to me was, "But I really didn't want to know that. I only did it out of fear and self-preservation." And he felt that cybersecurity and cyber risk management was a very similar scenario that he was facing: this is something he didn't understand. He knew he was going to have to spend money on it, but he didn't want to become a cybersecurity expert just to avoid making a big purchasing mistake. He wanted to stay within his core competency, right, which was areas of finance and accounting and so forth, right? Making a business successful. And I think what he was really trying to say to me was that he trusted me to guide his decision making about spending on cybersecurity and cyber risk management. So there you go. Just remember carpets and diamonds when you think of CFOs and how you want to relieve them of the burden of having to learn too much about cybersecurity. But you know what? They're going to have to learn something, even though they don't want to.
And so, it's your job to talk with your CFOs about cyber risk management and do it in a way that encourages them to become a little bit more of an expert than maybe they would've chosen on their own. You've got to get this conversation going. So now what I want to do is, I want to spend some time helping you think about how should you talk to CFOs about cybersecurity and cyber risk management? How do you create that conversation? And if you're listening to me and you are a CFO, or maybe you report to a CFO and you'd like to be a CFO one day, you're probably wondering, "Well, how should I speak to the cybersecurity leader about cyber risk management?" Okay. So I think both listeners can get some use out of the rest of the material that I'd like to share with you.
So I want to start by covering three typical questions that a CFO will probably ask their chief information security officer. And these tend to be very difficult, by the way, to answer. I've had to face these before. So I'm going to tell you each question, and then I'm going to give you a suggestion for how you should answer it. You might want to just use my suggestion as a starting point, or, I give you full permission to write it down on a card or in a note on your mobile phone and just read it verbatim if you want. Whatever works for you. All right.
So here's the first question that you might get from a CFO, or if you're a CFO that you might ask your cybersecurity leader. "Hey, Kip, how secure are we as an organization right now? How secure are we as an organization right now?" Think about how you would answer that. It's really difficult, right? You're probably thinking about all kinds of different metrics and measures. You're probably thinking about all the different places where you need to do cyber risk management. Here's what I suggest. You might say something like this. "Well, we've identified our most valuable digital assets and we've protected them as best as we can, given the resources that are available to us. And also based on what we know about the cyber threats that are against us as of today." That's it. That's all I would say. I would then be quiet and then I would wait for a follow up question. Now it's very likely, you're going to be asked to provide an example. So I suggest you have one or two examples in your back pocket, ready to go. Think about valuable digital assets and how you've protected them.
It could be as simple as saying, "Well, a big threat right now is business email compromise. So we've worked with the accounts payable team to educate them on how this kind of attack works. And we have written, and you'll soon see, a proposed standard operating procedure to implement a two person approval process for any... Not file transfer, but funds transfer requests that come in over email under certain circumstances." So that I hope would be a good example. What I like about that example is, you're not just talking ones and zeros. You're not just talking about technology. You're talking about people, you're talking about process and you're talking about money, hard dollars and cents or euros or pounds, or whatever currency you're working with.
Another thing that you should consider doing. And by the way, I never did this in my first years, working with CFOs and why not? I don't know. It just seemed so trivial to me, but I've had my eyes opened since then. So if the suggestion that I'm about to give you seems trivial to you, I just want you to stop and try to use some empathy and put yourself in the CFO's position. So what I would do is, I would go to the firewall and I would go to the email filtering logs, and I would run some reports. And I would determine how many blocked attacks there have been in the last 24 hours. So for a firewall, that's going to be dropped packets, severed connections, and so forth. And the email filtering is going to be, percentage of spam filtered out and phishing attacks. Anything that your email filtering took care of, so that a real human being didn't have to and share that information.
Now, the reason why I felt that this is trivial is because it was such an automated sort of thing that I didn't have to break a sweat to do it. And it felt a little deceptive, but it's really not, because you're not trying to point out how hard you work per se, you're just trying to make sure that the CFO understands that this organization is under constant attack, 24/7. And some of those attacks are just designed to learn more about the organization so a much bigger attack can take place. But nonetheless, there are attacks going on all the time. And most CFOs have no idea about this because you've done too good of a job of making it invisible. Okay. So that's the first question.
So the second question that's really common, that you'll probably get from a CFO, is, how do I know we're getting the biggest bang for our buck with the money that we spend on cybersecurity? How do I know we're getting the biggest bang for our buck with the money we spend on cybersecurity? What they're really concerned about is waste, and they're concerned about business value. They want to know that you are a thoughtful person and that you think about whether the money that you spend is creating the most business value possible.
Now, to answer this question, I would encourage you to build on the answer that you already gave to question number one, because you've already talked about the fact that you do risk mitigation with respect to the most valuable digital assets. And so right away, you're actually already talking about how you're being very responsible with the budget that you get allocated. You're not just spending it on anything. You're focusing on the biggest digital assets. But you probably want to go further, and you want to say that, "We always look for the way to manage risk down to an acceptable level using the minimum viable mitigation approach, the most minimal viable mitigation approach that we can find."
So what this means is that, if you're trying to deal with a cyber risk and you can't avoid it, you can't transfer it and it's just too big to accept, then you figure out how to achieve a meaningful risk reduction at the minimum cost while putting the least burden on the productivity of your business. And don't say this unless this is what you do, or don't say this unless you're committed to start doing this. But if this is really the way you operate, this is a great answer to give. It makes sense to a CFO and really, this is what you should be doing if you're not already. Now, maybe you've got a different approach and you believe that it's at least as good as the one that I've described. And maybe you even have a better one. Fantastic. Use that answer. No problem.
But a lot of people don't even know how to begin to answer this question. So I wanted to provide you with some help, with at least one good idea that I've used and that I know can work. All right. So I said there's three questions. So what's the third question that you're likely to get asked by a CFO? Here it is. So what are the risks and potential costs of not implementing this cyber control right here? Whatever one they're pointing to. What are the risks and potential costs of not implementing a cyber control? All right, this is a weird question to answer, because what they're trying to get you to do is to measure return on investment if something doesn't happen, right?
So like, "Hey, if this attack never takes place, then why should we spend the money?" is another form of this question. But specifically this question is, "Hey, what if we just accept the risk and we don't spend any money on this?" This can be tough, but I have found something that I think is really useful, because the answer that the CFO is looking for here is probably one that would be expressed in dollars and cents, right? Because they want to know what are the risks and costs of not implementing a particular control. So where I want you to go to look this up is the Center for Internet Security, which has a webpage with a very nice tutorial on there for calculating risk reduction return on investment (ROI).
And I'm going to put the URL to this page in the show notes. I'm not going to unpack this formula on the episode today. It could be a whole episode all by itself, and I don't want to go there. But if you'd like me and Jake to do an episode on this risk reduction ROI formula, we'd be happy to do it. Just send me a note and let me know that you're interested. But anyway, I'll get the URL into the show notes for you, and you really need to thank Jake, because he's got me into the habit of doing this. I think it's a good habit. I don't know. I just struggled with it in the past, but I'm all good now.
Okay. So those are the top three answers that you can expect to get from a CFO or from somebody who is speaking on behalf of the CFO. But remember, I told you that you still want the CFO to learn a little bit about your cybersecurity program. And now what I want to do is, I want to explain to you how I do that and you're welcome to borrow any or all of what I'm about to share with you in case you don't already have an approach. All right.
So here's how you do it. First of all, I want you to pretend that you're the chief financial officer of your organization and again, if you're already the CFO or if you're on a career track to become a CFO, then I want you to just play along with this. All right? This is a little thought exercise. All right. So you are the CFO and you're looking at your company's budget for next year, right? You're sitting at your desk, you got the spreadsheet open. You're all alone. You're completely zoned in on the budget for next year. And you're looking down the rows and you see the cybersecurity number and it's really big. And in fact, you know that it's bigger than last year because you just looked at last year's number.
And you're pretty sure it's bigger than the year before that. So this thing, it feels like this line item in the budget is just going out of control. Now, what's making you feel uncomfortable is, you have no idea what you're getting for all this money that's being spent. And so you ask yourself, "Man, do we really need to spend all this money on cybersecurity?" Because you know that there are so many other ways you could use this money to grow your business. You could try to increase top line revenue. You can try to decrease costs. There's so many other things that genuinely make sense to you. But you know there just isn't an alternative to doing this. You don't know what it is. And there probably isn't and to make matters even worse, you don't even know how to talk about it with your cybersecurity leader, because you don't understand a word that person says most of the time, right? And so, you don't even want to go there.
So you take a deep breath and with reluctance, you accept the spend. You approve it and you get on with your day. All right? So later on you go home, you eat your dinner, you try to relax. And that night, you have a really vivid dream. And in your dream, you buy this really fast new car. And I want you to think about which car you'd get. Would you get a BMW M3, maybe a Jaguar or a Porsche. I don't know, whatever you've got your eye on. Just picture that in your mind right now. You're sitting behind the wheel and you start it up. It makes just the noise you expect it to. And you pull away from the curb and you start getting the car up to speed. And there's no one around, you can go as fast as you want.
And for some reason you wonder how fast you could stop this car. And so you glance down towards your feet and you realize there's no brake pedal and there's no emergency brake. There's no other brake of any kind. And there's no way that you can tell to stop this car, except to let your foot up off the accelerator and wait for the car to roll to a stop. Okay. This is in your dream, right? So you're in shock, because you're driving really fast. You thought you had brakes, and you don't. Okay. So you wake up, right? Because you're completely freaked out that you ever got into this car. So, all right. So, I want to ask you a question. In real life, how fast would you dare to drive a car like this? A very fast car that had no brakes. Or would you even try to drive it at all? I mean, just think about that.
It's silly, isn't it? A car with no brakes, especially a high-performance car with no brakes. But I want you to see what's going on here. And what I want you to recognize is that when you want to go fast, brakes don't slow you down. They're the one thing that makes you feel confident enough to drive as fast as you want. This is really cool, right? You can quickly take lots of risk by just standing on that accelerator. And then you can evaporate that risk at any moment, just by stepping on the brake pedal. And here's the thing, this is why I'm telling you this story. Sometimes, the thing that helps us slow down is actually there to help us go faster. So, even though a lot of people think cybersecurity's only job in life is to make everything go slow, there's a paradox. Here it is: it actually is letting you go faster.
And this is important because today, and in the foreseeable future, cyber risk is going to grow and it's got to be managed. And that means we have to spend money on it. And why is it growing? Because cyber criminals and cyber soldiers are constantly evolving their attacks. And you know that if you've listened to this podcast for even just a few episodes. And then, of course, we always have to evolve our defenses. And unfortunately, we have to do that without the help of our military, law enforcement, judiciary, legislative bodies. And the reason for that is because they're outgunned too, just like we are. They have no idea, really, how to solve this problem.
Okay. But I don't want you to get too annoyed by all this cyber risk. It is difficult to control, but it's also a fantastic opportunity for your business. That's why the name of my business is Cyber Risk Opportunities because I want people to realize that risk, especially cyber risk, isn't all downside. That if you can slow down to go fast, you'll find that there are some great opportunities here. So I want to give you a couple of examples, all right? Of things that we are already doing, all of us are already doing so that we can slow down to go fast. Okay.
How would you know which emails were important for you to read without a spam filter? Could you imagine having to manually sort through all your email, just to find the one in a hundred or the one in a thousand or the one in million that you really need to read? Wouldn't that be awful? And how would you keep unwanted people from seeing your sensitive data without password protected user accounts? If there's anybody here who remembers a day when we never used computer accounts, named accounts with passwords, we just turned on the computer and got busy. You'll know what I'm talking about. Today, by comparison, it feels very slow to log onto our computer, to log onto a website. But without that protection, how could you know that your sensitive data was protected? So you've got to slow down to go fast in cybersecurity. And this is really the key insight that I want you to share with your CFO.
Now, I want to give you a specific example of a minimum viable cyber risk mitigation that provides financial returns. And this doesn't come around normally. Spending on cyber security doesn't typically provide financial returns. It can provide all kinds of other business value, right? It can provide you with technical risk reduction. It can provide you with legal risk reduction. It can provide you with increased operational reliability, for example. But financial returns, not that common. But I want to share one example with you. So normally, you would think of a new control at the desktop level as a productivity killer, but think about a password manager. It can actually increase your productivity, and it can enhance your security at the same time.
So security is increased because your password manager will make you a strong, unique password for every website that you use, so you don't have to sit there and think about it. And the password manager is going to increase your workforce's productivity because now they only have to remember a single password. And hopefully that's a passphrase. And if they can just remember that one, then their password manager will automatically enter all the credentials that they need to use every day, saving them a lot of keystrokes and a lot of errors. Inevitably, we type our passwords wrong. We have to do it again.
So hope you can see there's some real value here, right? There's some real productivity given the fact that we need to use passwords and passphrases all the time. Now there's a speed bump when you roll out a password manager, isn't there, right? You're changing the way people work, but that's okay. I want you to feel okay about that because you're slowing down to go fast, right? This is a very useful way to think about this. And I want you to share this with your CFOs. I'm going to give you one more example, and this is a sales enablement example. All right.
So what I'm noticing, as I work with my customers, is that data security and privacy is becoming a negotiation point. And for many people, it has long been a negotiation point in the sales process. And man, if it's not data security and data privacy, then it's system security. All right. And I want to tell you about a business-to-business company that we work with. It sells its software to big insurance companies. And these buyers are very concerned about third-party cyber risk. And in the era of GDPR in the EU and increased data privacy laws in the United States and elsewhere, the privacy of the insurance policyholders is a very high priority for these companies. And they have a good reason to be concerned about it, because we know from the data that outsourcing has resulted in a lot of data breaches.
So our customer, CRO's customer, is constantly negotiating data security addenda and also completing these crazy detailed questionnaires about their cybersecurity program. Sometimes 300 extremely detailed questionnaires. But it's okay, because they learned how to slow down to go fast. And the cybersecurity team at our customer has shortened their company's sales cycle. And we're a part of that, right? And by our calculation, we've been able to reduce their pre-sales effort on cyber security by about 80%. And this has let them close profitable deals sooner, about 30 days faster per customer. And this has been so successful that the cybersecurity team is now viewed not as overhead, not as an unfortunate required budget item, but as sales enablement. They're bringing in revenue, not directly, but they're helping. They're making a big difference. And they're also doing that while they're managing their cyber risk.
So, that's a ton of business value, even if they were just doing sales enablement, that would be a lot of business value, but to do sales enablement and manage cyber risks at the same time, is even better. And we help our customers do this all the time. We often will create for them what we call a cyber risk management action plan. I think I may have mentioned this to you before, but your cyber security budgets are going to continue to grow year over year. And the question really here, with respect to a CFO is, whether they'll continue to see cybersecurity as just a cost of doing business, or are you as the cybersecurity leader, are you going to figure out a way to slow down so you can go fast and share that? Share the benefits of slowing down to go fast with the rest of your company.
My vision for you is that you're able to do this. And I hope that what I've shared with you today is going to help you. And with that, I'm going to wrap up this episode of the Cyber Risk Management Podcast. Today, I shared with you some tips for working with your chief financial officer. Jake will be back, and we'll see you next time.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cyber security hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.
YOUR HOST:
Kip Boyle
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
YOUR CO-HOST:
Jake Bernstein
K&L Gates LLC
Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.