Let’s talk about CFOs and Cyber Risk


If you have read the previous three blogs in this ‘Let’s talk’ series, you’ll know that we’ve covered our conversations with CISOs and CIOs. Now it’s time to turn our attention to Chief Financial Officers (CFOs).

The CFO’s job is critical: they set financial strategy and budgets. Usually they’re not technical, so to communicate risk effectively you must do so in financial terms the CFO will understand. If you fail to communicate the importance of cybersecurity in the language of business, it will have implications for your budget and therefore your strategy. So how can you get them on your side and win a bigger buy-in? Cold. Hard. Facts.

Here are some of the reservations we have heard firsthand from CFOs:

“Are these investments reducing strategic, regulatory, financial, and operational risks?”

Fines for non-compliance can be hefty, so this is a common question we are asked by CFOs. Cyber-attacks have far-reaching implications and can no longer be categorized purely as an operational risk. An attack could have financial, regulatory, legal, reputational or even health, safety and environmental (HSE) consequences. When considering cybersecurity investment, it is important to know whether the spending will affect these other types of risk as well.

Cyber risk quantification (CRQ) is a great tool for understanding how cybersecurity spending reduces risk. As mentioned in our previous blog, it lets you demonstrate how implementing specific controls brings risk in line with management’s appetite.


“How is this going to help us reduce our insurance premiums?”

We touched on insurance premiums in the first blog, ‘Key Drivers Accelerating CRQ’. They’re not cheap and they’re rising fast. It is becoming very important for organizations to understand what coverage they actually need and what they are paying for it.

Cyber insurance should be treated as a safety net for managing and mitigating unanticipated losses. But you need to understand what your loss exposures are in order to negotiate the coverage your organization actually needs. CRQ input becomes a critical component when deciding on cyber risk coverage, because increasing spending in one area takes budget from another.

There’s no doubt this question will dominate conversations between CISOs and CFOs in 2022. As premiums rise, organizations will have to rethink their risk management strategy and decide whether they are willing to treat or transfer risk. That may mean accepting lower coverage and spending more on security controls instead.


“How can you demonstrate the value of CRQ?”

The CFO of a very large public company told us that one of his key struggles is receiving information from the CISO and not knowing what it means or what to do with it. CFOs are not technically focused, so how are they supposed to interpret the data?

As the security team, you can become an enabler for CFOs. The problem is, we live in a bubble in security. We know (to some extent at least) what incidents and exploited vulnerabilities mean for us and our businesses. 

In the boardroom, however, it may not be so clear, so we need to speak the language of business. For example, when talking about a vulnerability such as Log4Shell (CVE-2021-44228 in Log4j), you need to explain the business impact and how it jeopardizes existing corporate priorities. That’s a healthy conversation to have but not necessarily an easy one. The rewards are worth it: you create a better dialogue with the boardroom and enable better strategic decision-making.


“Aren’t we compliant with GDPR, ISO 27001, PCI-DSS etc. already? Isn’t that enough?”

These regulations and standards help organizations understand what they need to focus on in terms of their overall security risk posture; however, they shouldn’t be treated as a checklist. You’ve got ISO 27001 certification. You are GDPR compliant. You’ve checked some boxes. That’s great, but compliance doesn’t guarantee security or risk reduction.

They don’t tell you how much risk you will mitigate by implementing one control rather than another. For example, GDPR says a good deal about data security, encryption and anonymization. But it doesn’t answer the question: would implementing anonymization rather than encryption give better ROI or greater risk reduction? This is where CRQ helps: it gives you visibility into your loss exposures so you can decide which control to prioritize to reduce them.
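The comparison asked for above (anonymization versus encryption), and the control-versus-risk-appetite demonstration mentioned under the first question, can be made concrete with a small FAIR-style Monte Carlo model: sample how many loss events occur in a year and how much each costs, then compare the annualized loss expectancy (ALE) with and without each control. The following is an added example written for this page; it is not ThreatConnect’s model or product code, and every input (event frequency, loss ranges, what each control changes, and its cost) is a hypothetical, constructed number.

```python
"""Toy cyber risk quantification: rank candidate controls by the annualized
loss expectancy (ALE) each leaves behind, using a FAIR-style Monte Carlo model
(Poisson event frequency x lognormal loss magnitude per event).

Added example with hypothetical figures; not ThreatConnect's model.
"""
import math
import random
import statistics
from dataclasses import dataclass

Z90 = 1.645  # normal z-score bounding a 90% interval (5th..95th percentile)


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected loss events per year (Poisson mean)
    loss_low: float         # 5th percentile of loss per event (currency units)
    loss_high: float        # 95th percentile of loss per event
    annual_cost: float = 0  # yearly cost of the control this scenario assumes


def lognormal_params(low, high):
    """Turn a 90% confidence interval (low, high) into lognormal (mu, sigma)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def poisson(lam, rng=random):
    """Knuth's Poisson sampler (the stdlib random module has none)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenario, years=20_000, seed=1):
    """Return one sampled total loss per simulated year (fixed seed: repeatable)."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scenario.loss_low, scenario.loss_high)
    totals = []
    for _ in range(years):
        events = poisson(scenario.events_per_year, rng)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return totals


def ale(scenario, **kw):
    """Annualized loss expectancy: mean simulated loss per year."""
    return statistics.fmean(simulate_annual_losses(scenario, **kw))


def loss_at_percentile(scenario, pct=0.95, **kw):
    """A 'bad year' figure for the risk-appetite discussion: pct-quantile of annual loss."""
    losses = sorted(simulate_annual_losses(scenario, **kw))
    return losses[int(pct * (len(losses) - 1))]


def compare_controls(baseline, controls, **kw):
    """Rank controls by net benefit (ALE reduction minus annual cost)."""
    base_ale = ale(baseline, **kw)
    rows = []
    for c in controls:
        ctrl_ale = ale(c, **kw)
        reduction = base_ale - ctrl_ale
        net = reduction - c.annual_cost
        rows.append({
            "control": c.name,
            "ale": ctrl_ale,
            "risk_reduction": reduction,
            "net_benefit": net,
            "rosi": net / c.annual_cost if c.annual_cost else math.inf,
        })
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed inputs for a hypothetical customer-data breach scenario.
BASELINE = Scenario("No new control", events_per_year=0.4,
                    loss_low=200_000, loss_high=5_000_000)
# Encryption at rest: same breach frequency, but stolen data is far less
# usable, so per-event loss (notification, fines, remediation) is halved.
ENCRYPTION = Scenario("Encrypt data at rest", events_per_year=0.4,
                      loss_low=100_000, loss_high=2_500_000, annual_cost=150_000)
# Anonymizing analytics copies shrinks the footprint holding personal data
# (fewer loss events) and trims regulatory exposure per event, at higher cost.
ANONYMIZATION = Scenario("Anonymize analytics datasets", events_per_year=0.25,
                         loss_low=150_000, loss_high=4_000_000, annual_cost=250_000)

if __name__ == "__main__":
    print(f"Baseline ALE: {ale(BASELINE):,.0f}  "
          f"1-in-20 bad year: {loss_at_percentile(BASELINE):,.0f}")
    for r in compare_controls(BASELINE, [ENCRYPTION, ANONYMIZATION]):
        print(f"{r['control']:<30} ALE {r['ale']:>12,.0f}  "
              f"reduction {r['risk_reduction']:>12,.0f}  "
              f"net {r['net_benefit']:>12,.0f}  ROSI {r['rosi']:.2f}")
```

The point for the CFO conversation is the last two columns: both controls reduce the loss exposure, but only one of them returns more than it costs at these (hypothetical) inputs, and the 95th-percentile "bad year" figure is the number to put beside management’s stated risk appetite and the insurance policy limit. Swapping in your own frequency and loss estimates, ideally from incident and claims data, is the whole exercise.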

CRQ is worth doing on its own merits, but in the near future we also expect to see more mandates and regulations requiring formal cyber risk quantification processes.


“How does it contribute to our annual growth plans, stakeholders, and consumer trust?”

More than ever, stakeholders (investors, customers, and vendors) want assurance that things are under control and there will be no scary surprises that may impact their interests. So cybersecurity should be aligned with your overall business objectives.

Quantitative analysis helps you focus on an area where you need more accurate and confident decision-making, especially when you’re working with competing business priorities. It raises the confidence level in terms of where you want to invest and why. This can be very powerful in supporting growth plans. 


These are just some of the conversations we’ve had around cyber risk quantification with C-level decision-makers.

The good news is, it’s not as hard as it sounds. ThreatConnect is already working with some very large, well-known organizations to quantify cyber risk. For some of our larger customers, we’re modeling over 50 different subdivisions and almost a thousand different assets including critical Crown Jewel applications. Typically, it takes about 4 to 6 weeks to get started and see the value.


We hope you found the insights and perspectives useful. But why not see for yourself? If you are interested in getting started with CRQ or want to know how ThreatConnect’s solution can help you achieve value, contact us. We will spend time learning more about your organization, business ambitions, and then use that data to create a customized report for you to take to senior management to initiate these conversations.


Read the other blogs in this series here:
Key Drivers Accelerating CRQ

Let’s talk about CISOs and Cyber Risk Quantification

Let’s talk about CIOs and Cyber Risk Quantification

About the Author
Sawsan Hamawandy

Sawsan is the EMEA Demand Generation Manager at ThreatConnect. Her interest in cyber risk management has led her to speak and write about how organizations can future-proof their strategies using insights gained first-hand from clients, prospects and partners. She began her career in cybersecurity at an MSSP in London, then moved to a GRC vendor, where she helped large organizations including the United Nations, Telkom SA and the MOD.