BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

Edit Story

Reduce Your Cyber Risk: How To Ask Your CFO For The Money To Protect Your Organization

Forbes Finance Council

Chief financial officer for Proofpoint, Inc.

When it comes to reducing cyber risk, CFOs must carefully balance their organizational exposure with total spend. That challenge is readily apparent when assessing security spending and regulatory and compliance environments. As 2020 and 2021 have shown, increased security risks when working remote pose added challenges for chief information security officers (CISOs) and security leads as they advocate for essential expenditures with their CFOs.

Understanding Your CFO

The best way to ask your CFO for money is to put yourself in your CFO’s shoes. What are their main concerns? What are they primarily tasked with, and how does security balance that equation? Not all CFOs are alike, but there are some basic truths about the job, as well as concerns all CFOs share.

First and foremost, a CFO’s primary focus is on the company’s financial performance and its ongoing success. The role also oversees the finance organization and pushes key projects to ensure growth. For publicly traded companies, CFOs undertake significant obligations to ensure the organization operates in a manner that meets critical standards, including regulatory compliance.

CFOs don’t have unlimited budgets, so they must continually stress efficiency and return on investment (ROI). I’ve been on the front lines of the cybersecurity industry for over a decade, and I have experienced firsthand the issue that security spending must increase to meet growing threats from cybercriminals intent on attacking your people and organization. As a CISO, you need to be prepared to answer four critical questions when making budget requests and explaining security ROI, remembering that while your asks are important, you are only one ask across the organization.

Four Questions To Make Your Security Budget Case

There are many security vendors and solutions on the market, and your CFO will be expecting the business case behind any request for additional budget.

Be prepared to answer these questions:

1. What risk are we trying to address?

2. What other capabilities are already in place to address this risk?

3. Why can’t we solve this with what we already have?

4. And, if the current security solution fails to address the problem, be armed to quantify the risk of not solving the issue. Be prepared to answer: How much would this cost if we didn’t act?

The consequences of inaction may be financial, reputational or security-related, and you will need to underscore that spending on appropriate security will prove cost-effective in the long run. The loss of data or intellectual property in the event of a compromise will raise trust issues with your customers as it relates to the company’s ability to ensure the protection of critical information. Pointing to a competitor who has experienced a similar security event may also be helpful. 

Explaining Security ROI

Assessing risk is part art and part science, and most organizations have long struggled with the mix. To measure the impact of cybersecurity on the bottom line, risk must first be determined and then quantified. Many organizations use qualitative risk measurements, meaning they use low-, medium- and high-likelihood assessments rather than overly layered analyses.

It is key to remind your CFO that threat actors are constantly adjusting attack methods and rethinking how they’re going to attack a company. Explain the attacker’s mindset and then discuss protection.

While no two organizations are exactly alike, there are some assets threat actors typically target:

• Cash balances: Risks include email fraud and impersonation attacks.

• Payroll: Risks include identity theft, fake invoicing, credential theft and phishing.

• Commerce stream: Risks include intellectual property theft, identity theft, email fraud, phishing and user-credential theft.

• Confidential customer data: Risks span Social Security numbers, credit cards and other personal information.

Make sure your CFO understands the current attack vectors and methods that pose the most risk. Which employees and job titles are most frequently targeted? CFOs are often attacked, but so are compliance officers, as anyone with access to sensitive data makes for a rich target. Identify those individuals and assign potential attack vectors with qualitative risk measurements.

At Proofpoint, we distinguish between very important people (VIPs) and very attacked people (VAPs), as traditional VIPs within an organization are not necessarily cybercriminal targets. When someone approaches me about a new security capability or vendor, the first question I ask is: Who will this protect, and is that a high, medium or low attack vector? I also ask for neutral, third-party data and whether the new capability or vendor has a security evaluation that demonstrates effectiveness. With that data in hand, I attempt to understand how effective the proposal will be at protecting the VAPs.

I also recommend stressing any automation as part of your security budget proposal. CFOs want to deliver savings to the company’s bottom line while scaling the business, so modern tools and technology can be more cost-effective than hiring additional employees.

A Quick Recap

Remember, CFOs want to spend limited funds in the most efficient way possible, and they depend on you to keep the organization safe, reduce risk and ensure compliance. When pitching a new security solution, be prepared to answer the above four questions by scoping the problem, prioritizing vulnerabilities and conducting a risk assessment that examines what costs the organization could incur if the problems are not addressed. If you do that successfully, you may find your CFO is more of a partner to you than you might have thought.


Forbes Finance Council is an invitation-only organization for executives in successful accounting, financial planning and wealth management firms. Do I qualify?


Follow me on LinkedInCheck out my website