CISO-CFO collaboration is on the rise as companies invest heavily in privacy and security protections, strive for infosec compliance and scrutinize profitability of any and all technology investments. In fact, survey data from Robert Half show that 82% of chief financial officers have increased how much they work with information chiefs compared with three years ago.
“They are both trying to accomplish the same things: prevent business losses due to a loss of confidentiality, integrity or availability of the business-critical technical services and data of the organization,” says Christopher Gerg, chief information security officer and vice president of cyberrisk management at Madison, Wis.-based Gillware. “With an agreed-upon roadmap for the information security program, and through that all of IT and the business, expenditures can be planned and expected outcomes monitored.”
How to improve CISO-CFO collaboration
“It comes down to relationships and communication,” says Jack McCullough, president of the CFO Leadership Council. “Don’t make decisions in a vacuum.”
That means engaging the CFO in your strategic decision-making and offering your counsel to them.
- Establish common ground. Too many executives look at the CISO as a cost center with “some cryptic agenda that itself was not trusted and needed to be closely managed,” Gerg says. It comes down to the CISO building trust with the other executives. To do that, he says, “Make the case that the [you both] have similar challenges,” such as: audit and compliance obligations, the need to prioritize spending or effort based on risks to the organization, limited resources to address risks, and the need to express proposals to other executives and the board in a way that they will be able to understand and internalize.
- Ask for an assist. Everyone likes being seen as an expert. Ask the CFO to help you convey the technical risks in terms of cost or potential losses to the organization, or to quantify the potential return on infosec decisions.
- Coordinate on security and compliance. As the other person in the company concerned with compliance and risk mitigation, the CFO can help you develop a risk-based justification for cybersecurity training and technology to protect against ransomware and wire transfer fraud. “Both of these mechanisms can be largely addressed through user awareness training. Relating the investment to real risks makes this investment an easy ‘sell,’” Gerg notes. The CFO can even help you make a tangible business case for intangibles associated with a cyberattack. “This is critical not only because you don’t want your data stolen, but it exposes the company to so much more: privacy lawsuits, loss of customers, reputational risk,” McCullough says.
- Grow your influence. By working together with the CFO to create an enterprise risk profile that includes the technical and financial risks to the organization, you raise your profiles and increase your respective influence. An enterprise view supports risk-based decision-making that covers a broader range of threats to the entire organization.
“Ultimately, since reducing risks and maximizing return on any investments is the goal of both the CISO and CFO,” Gerg concludes, “collaboration is a must.”