Cybersecurity teams cannot operate in a vacuum. This goes for most technical work that we do, but it also rings true for the way we manage risk across an organization. The finance and legal teams play a significant role in most organizations in the way that risk is thought about and subsequently managed.
Chief Information Security Officers have a tremendous opportunity in collaborating with their finance executive peer, the Chief Financial Officer. This article will explore ways in which a CISO can effectively engage a CFO, to not only bring value back to security but also contribute value.
Language of Risk
One of the challenges that cybersecurity TAs frequently experience is the way risk is described and analyzed. I touched on this a little bit here, but our industry has a tendency to rely on high, medium, and low-risk labels. The problem is that this approach is totally subjective. There is also no way to understand whether 10 mediums are worse than or better than one high. What about vulnerability chaining? These subjective labels do not serve us when we are communicating with other teams.
In recent years, there has been a lot of good work done around quantitative risk modeling, using standards like FAIR and related Bayesian modeling. It is produced from similar likelihood and impact measures but expressed differently. This work then produces expected losses represented in financial terms.
In my opinion, one of the big benefits of this approach is the ability to rationalize the difference between different scenarios like the one I expressed above with clusters of vulnerabilities (or loss events).
Key Questions
A CFO’s role may differ depending on the organization, but the commonalities in the role lead to questions that a CISO can help answer. Helping another team answer essential questions is foundational to providing value. When a security team is providing value they aren’t operating purely as a cost center within the organization.
As a team, seek out insights on the following areas:
- How might key investments be made today or planned for the future be at risk from cybersecurity-related threats?
- Is cybersecurity inhibiting the organization’s growth strategy? Is this driven by internal (self-inflicted) friction or external threats or a combination of the two?
- Are technology teams able to provide timely, complete, and accurate data?
- Are the organization’s core assets or value streams at risk?
- Have we established the right relationships and procedures internally to collaborate in the event of a data breach or security incident?
The above questions are by no means exhaustive or meant to encapsulate all the areas in that a CISO might be able to help a CFO. They should, however, serve as a useful starting point for discussion and value creation.
Providing Value
As a CISO, I am constantly seeking opportunities to identify areas where my team and I can provide value to others. A relationship that is one-sided likely won’t last long or be fruitful. Asking questions to learn about goals, pain points, risks, and opportunities will be invaluable insight. Proactively seeking to contribute to the problems that others are facing also creates value.
Responding to problems and feedback that cybersecurity contributes to in a positive and constructive way, leads to opportunities to create value instead of putting up walls. Throughout my own career, I’ve observed countless defensive interactions when cybersecurity teams are confronted as being hard-nosed or getting in the way and it never ended well.
Concluding Thoughts
Risk management is a big part of the CISO role, but it’s not the only role within an organization that thinks deeply about risk. Partnership opportunities with finance, legal, Human Resources, and business development are tremendous opportunities to manage risk at a greater scale across the organization and enrich the work happening within the cybersecurity team.
The CFO in particular is in one of the most influential positions when it comes to risk, given organizational assets so often tie back to financial means. As a CISO, don’t ignore this relationship.
Want more cybersecurity insights? Visit the Cybersecurity channel:
