Three Conversation Starters That Advance CISO/CFO Collaboration

The quality and, in some cases, the existence of the CISO/CFO relationship varies by company. In organizations where the CISO role is positioned and promoted as a source of value, CISOs and CFOs tend to collaborate more often and more meaningfully than in companies that treat information security as a cost center (and typically struggle with cybersecurity as a result).

Protiviti’s 2021 Global Finance Trends Survey, our latest global survey of CFOs and finance leaders, provides compelling evidence of the growing strategic importance of CISO/CFO collaborations, particularly those centered on data security — which qualifies as a topmost CFO priority in 2021, continuing a multi-year trend.

CISOs have much to gain from forging and furthering relationships with CFOs and other senior finance executives, and they also have much to offer. These benefits extend beyond addressing information-security funding urgencies to include better measurements of cybersecurity risk and strengthening the information security group’s positioning in the organizational hierarchy.

CISOs initiating and/or deepening the conversation with their finance colleagues should take stock of current CFO and finance group priorities and use these insights to pursue shared interests. CFOs and finance leaders continue to rate two “beyond-finance” activities related to the CISO’s purview as top priorities:

  • Cybersecurity: Data security and privacy continues to qualify as the top priority for CFOs and finance leaders. Top-performing finance groups operate as integral enablers of organizational cybersecurity. They focus their finance expertise on how data security and privacy spending is benchmarked, how those investments are allocated, and how cyber risks are quantified in dollar amounts and articulated in business terms. CFOs are refining their calculations of cyber risk while benchmarking their organization’s data security and privacy spending and allocations. Leading CFOs also are increasingly engaged with how the organization identifies and monitors third-party cybersecurity risks.
  • Data governance: Finance groups are overhauling forecasting and planning processes to integrate new data inputs from new sources so that the insights finance produces are more real-time in nature and relevant to more finance customers inside and outside the organization. More of the data used to generate forward-looking business insights is sourced from producers outside of the finance group and the organization. CFOs recognize that many of these data producers lack expertise to adequately manage disclosure controls and therefore may benefit from clear and non-technical guidance.

CISOs can lend their valuable expertise to CFOs working on those priorities. Similarly, the CFO’s control mindset, risk management expertise and strategic positioning in the organization can prove valuable to CISOs, who should look for opportunities to discuss the following topics with finance leaders:

  1. Information security investments: As CFOs evaluate potential cybersecurity investments, CISOs who are more familiar with information security tools and the existing technology environment can validate that the budget is appropriate. New tools often need to be integrated with existing platforms and applications, and those costs are often overlooked. Plus, outside consulting and internal training can help optimize investments in cybersecurity tools. The CISO’s input on these matters can equip CFOs with a more effective and comprehensive understanding of potential investments in cybersecurity improvements.
  2. Quantifications of cybersecurity risk: The CFO’s bottom-line mindset is well suited to quantify cyber risks; accurate measurements of those risks can help strengthen the CISO’s hand when requesting cybersecurity control funding. Information security professionals who rely on outdated red-yellow-green risk ratings should consider working with their finance groups to develop more precise measures of the financial impact of cyber incidents. Leading cyber risk quantification approaches rely on existing models and probabilistic simulation methods to pinpoint the cyber risks confronting an organization.
  3. The information security program’s positioning in the organization: How and where the CISO and information security group are positioned in the organization has a direct and significant impact on the efficacy of an organization’s cybersecurity capability. CISOs of programs buried beneath several layers of IT leadership may have limited access to the CFO, compared to CISOs who report directly to the CIO and participate in, or even lead, presentations to the board of directors. Given the critical importance of data security to the CFO’s agenda, top finance executives should recognize and, when needed, reconsider the CISO’s positioning in the organizational hierarchy.

In addition to these topics, CISOs can also routinely discuss with CFOs all cybersecurity considerations in the context of business risks and, in a growing number of instances, how to sharpen their presentations to board members. Articulating information security risks in quantifiable business terms is a good place to begin any conversation.

Interested in learning more? Further insights and our full report, Security, Data, Analytics, Automation, Flexible Work Models and ESG Define Finance Priorities, are available here.