How to Enlist the CFO as a Cybersecurity Budget Ally

One of the most enduring cybersecurity challenges is procuring funding to adequately defend an organization against an ever-growing growing array of cyberthreats. Indeed, 66% of respondents to Mimecast’s State of Email Security 2023 report said their organizations’ cybersecurity budgets are less than they should be — roughly the same percentage as the prior year.

The CFO usually leads a company’s budgeting process and, particularly during times of economic pressure, will be looking at all investments with greater scrutiny. That’s why a strong relationship between the leaders of cybersecurity and finance is so important.

CFOs certainly don’t want to expose their organizations to increased cyber risk. But in the absence of regular information sharing, collaboration, and trust between the CFO and CISO (or equivalent security leader), that’s exactly what can happen. A finance leader with no knowledge of the penetrable nature of leading cloud-based email and collaboration platforms might doubt the value of third-party protections. A CFO in an organization that hasn’t suffered a significant breach may want to scale back or scrap the cybersecurity awareness training program. 

On the flip side, unchecked cybersecurity spending is not the goal, either. CISOs should welcome the rigor that emerges from financial scrutiny because it can help them identify opportunities for their organizations to make smarter cybersecurity investments. But even — and especially — during times of economic uncertainty, it’s crucial to put in place cybersecurity resources in terms of people, processes, and technology that truly align with a company’s risk profile. 

For all these reasons, forging an ongoing partnership between cybersecurity and finance benefits both business functions — and the organization as a whole.

5 Ways to Build a Productive Relationship with the CFO

Building productive relationships almost always begins with finding common ground. Chief among the concerns that cybersecurity and finance share in common is their mutual interest in mitigating enterprise risk. Recognizing that shared goal, cybersecurity leaders can benefit most by approaching their counterparts in finance as allies in cybersecurity budgeting. Following are five actions that CISOs can use to foster a stronger cybersecurity partnership with finance. 

1. Speak the CFO’s language: Most finance leaders aren’t going to want to learn the nuances about metrics like dwell time, number of alerts addressed, or mean time to remediate. Communicating at that level of detail often leads to frustration. It’s far better to explain information security risks, protections, and remediation in business terms.

Security leaders can look to risk-based frameworks, such as the Factor Analysis of Information Risk (FAIR) model, for guidance.[1] FAIR offers a method to understand, measure, and analyze risk in terms the CFO cares about: dollars and cents. It draws a clear line that connects cyber risk and operational risk. And the framework, which helps organizations quantify risk based on the actual and predicted frequency and impact of cybersecurity events, can deliver the kind of clarity and precision CFOs prefer. 

2. Communicate regularly: Waiting until the height of budget season to approach the CFO is a recipe for funding failure. The best relationships grow out of frequent interaction. MongoDB CFO Michael Gordon told CFO.com that he meets weekly with his CISO and her team about cybersecurity initiatives and trends as well as business performance overall. “There is no substitute for regular communication,” he said.[2] 

There’s nothing CFOs hate more than surprises. Regular check-ins give the CISO and CFO the opportunity to share insights, concerns, and progress. The finance leader can provide financial and budgeting updates and the CISO can inform he CFO about new standards, tools, or threats. 

The more frequent these check-ins are, the briefer they should be. But there will be instances when a security leader needs to go deeper to educate the finance leader on an issue pertinent to cyber risk or funding. A new CISO who discovers the organization has relied on cyber insurance as its primary cyber defense mechanism will want to update the CFO on the seismic shifts in premiums and coverage, for example. Or a security leader may want to hold a brief session on rising cybersecurity salaries.

3. Co-create the budget: CISOs who understand the budgeting process that CFOs oversee are ahead of the game. Smart CISOs, armed with that understanding, go a step further to collaborate with the CFO on their budgets. 

The CISO of a mortgage service provider, for example, explained to Mimecast that he treats his CFO as a fiscal ally who helps him secure investments from the board for cybersecurity tools, talent, and awareness training. The CISO meets with his company’s CFO quarterly to review the cybersecurity budget and talk through any new funding requests. Together, they prepare a deck that the CFO presents to the board, including a three-year workout on key cybersecurity expenditures and their anticipated returns. The CISO has been able to increase investments in tools and staffing, including bringing on a cloud architect to bolster security for the organization’s multicloud environment. 

4. Enlist support. It can be very beneficial to enlist the aid of others in the organization with shared interests to bolster the case for greater funding or to uncover untapped resources. Colleagues in IT, or in the risk and compliance organizations, may have cybersecurity interests and budgets that align with the CISO’s. Looking for overlaps or redundancies can free up additional budget for new cyber spending. Or there may be opportunities to develop cybersecurity budgets as a group.

Security leaders should also maintain good relations and regular communication with the board of directors’ risk committee to keep committee members apprised of the evolving threat landscape and the protections that are in place. That way, the risk committee can play an important role in CISO-CFO relations. For example, if the CFO requests budget reductions that could take the company beyond its established risk tolerance levels, the risk committee will have enough information to make an independent assessment — and, if necessary, push back.[3]

5. Demonstrate your returns: At a minimum, security leaders must demonstrate fiscal responsibility to develop a trusted partnership with the CFO. Negotiating lower vendor prices and spending budget wisely is never a bad idea. But CISOs can truly elevate their stature with the finance leader by connecting the dots between cybersecurity investments and top-line benefits. 

The vast majority (86%) of respondents to Deloitte’s 2023 Global Future of Cyber Survey said that cyber initiatives had made a significant, positive contribution to at least one key business priority.[4] The more the CFO can see cybersecurity as a revenue driver versus a cost center, the better positioned the CISO is to secure future funding. CISOs may make the case, for example, that a stronger cybersecurity posture can attract more customers, accelerate a sale cycle, reduce operating costs, or increase uptime.

The Bottom Line 

Building an ongoing, collaborative relationship with the CFO can take some time, but the returns are well worth the investment. While partnering with the CFO won’t yield an unlimited budget (or even get a CISO everything on the cyber wish list), it ensures that the board and C-suite will get the best information with which to make cybersecurity funding decisions. Read more about the state of cybersecurity budgets in Mimecast’s State of Email Security 2023 report. 

[1] “Learn FAIR,” FAIR Institute

[2] “How CFOs and CISOs Can Build Strong Partnerships,” CFO.com

[3] “How CISOs Can Work With the CFO to Get the Best Security Budget,” DarkReading

[4] “2023 Global Future of Cyber Survey,” Deloitte