[BreachExchange] CFOs and CISOs have an opportunity to collaborate

Destry Winant destry at riskbasedsecurity.com
Fri Oct 4 01:26:34 EDT 2019


https://www.smartbrief.com/original/2019/10/cfos-and-cisos-have-opportunity-collaborate

CISO-CFO collaboration is on the rise as companies invest heavily in
privacy and security protections, strive for infosec compliance and
scrutinize profitability of any and all technology investments. In
fact, survey data from Robert Half show that 82% of chief financial
officers have increased how much they work with information chiefs
compared with three years ago.

“They are both trying to accomplish the same things: prevent business
losses due to a loss of confidentiality, integrity or availability of
the business-critical technical services and data of the
organization,” says Christopher Gerg, chief information security
officer and vice president of cyberrisk management at Madison,
Wis.-based Gillware. “With an agreed-upon roadmap for the information
security program, and through that all of IT and the business,
expenditures can be planned and expected outcomes monitored.”

How to improve CISO-CFO collaboration

“It comes down to relationships and communication,” says Jack
McCullough, president of the CFO Leadership Council. “Don’t make
decisions in a vacuum.”

That means engaging the CFO in your strategic decision-making and
offering your counsel to them.

- Establish common ground. Too many executives look at the CISO as a
cost center with “some cryptic agenda that itself was not trusted and
needed to be closely managed,” Gerg says. It comes down to the CISO
building trust with the other executives. To do that, he says, “Make
the case that the [you both] have similar challenges,” such as: audit
and compliance obligations, the need to prioritize spending or effort
based on risks to the organization, limited resources to address
risks, and the need to express proposals to other executives and the
board in a way that they will be able to understand and internalize.
- Ask for an assist. Everyone likes being seen as an expert. Ask the
CFO to help you convey the technical risks in terms of cost or
potential losses to the organization, or to quantify the potential
return on infosec decisions.
- Coordinate on security and compliance. As the other person in the
company concerned with compliance and risk mitigation, the CFO can
help you develop a risk-based justification for cybersecurity training
and technology to protect against ransomware and wire transfer fraud.
“Both of these mechanisms can be largely addressed through user
awareness training. Relating the investment to real risks makes this
investment an easy ‘sell,’” Gerg notes. The CFO can even help you make
a tangible business case for intangibles associated with a
cyberattack. “This is critical not only because you don’t want your
data stolen, but it exposes the company to so much more: privacy
lawsuits, loss of customers, reputational risk,” McCullough says.
- Grow your influence. By working together with the CFO to create an
enterprise risk profile that includes the technical and financial
risks to the organization, you raise your profiles and increase your
respective influence. An enterprise view supports risk-based
decision-making that covers a broader range of threats to the entire
organization.

“Ultimately, since reducing risks and maximizing return on any
investments is the goal of both the CISO and CFO,” Gerg concludes,
“collaboration is a must.”
