All too easily, there can be a vast disconnect between security and finance. Chief financial officers are looking out for every penny, and security departments can be frequently written off as cost centers. However, there has been growing involvement and partnerships in both directions, with CSOs now successfully proving security’s value to the enterprise and CFOs championing security and cybersecurity initiatives to better mitigate enterprise risks.
For example, CFO Magazine recently reported that CFOs should regularly review cybercrime-related intelligence to determine an enterprise’s risk of a cyber attack, how targeted information could be used by criminals, and what techniques are being used to perform cyber attacks.
“For today’s CSO, it’s absolutely essential to have a strong collaborative relationship with your finance department throughout the enterprise,” says Steve Harrold, CPP, Director, Global Security for manufacturing enterprise Corning Incorporated. “The CFO can help the CSO effectively understand the finances of the organization, and the CSO can use that knowledge to better present good business choices for the security department and the organization.”
The question to ask, Harrold says, is how much are you really spending on security? This means tallying up expenses all the way from corporate to the local operating level, building a picture of where your budget is spent, which departments are impacted, and what risks are being addressed. In larger enterprises, this can mean jumping between silos – physical security, IT security, risk management – to build that holistic view of your business.
“You have to peel back the onion, the layers of your spending,” says Harrold. “Characterizing your spend is a way of building up your accountability and finding some visibility into the appropriateness of your finances. You might find that facilities supplies like cleaning supplies or building maintenance have been folded into security spending.
“This research takes patience, diligence and a strong relationship with finance, but it puts you in a position to make good security spending decisions,” he adds.
An enterprise security leader’s critical task is to understand an enterprise’s state of security as it is before pitching any new initiatives to the C-Suite, he says. Being able to express the value of a potential investment in terms of risk and financial benefit to the enterprise is only possible once an executive understands the department’s current investments and ROI.
“Leverage and collaborate with your financial partners to help you tell this story through cash-flow analysis, return on investment analysis and other metrics. There are free tools online to calculate these, but it’s important to provide these numbers within the lens of your company’s culture,” Harrold says. “No one in the C-Suite would disagree with the goal of making workplaces safer, but you must also understand the challenges from an investment standpoint.”
According to Jerry Brennan, Chief Executive for corporate security executive search firm Security Management Resources: “A CFO’s world is very black and white – does (a program) cost money or make money? While there are security programs you might be able to show as cost-effective, you’re often dealing with risk mitigation and probability. It’s more challenging to come up with the metrics that will be recognized by a finance executive.
“What you can do to break through to a CFO is determine what keeps them up at night, in terms of risk,” he adds. “What are their feet being held to the fire for?”
According to Deloitte’s third-quarter 2014 CFO Signals™ survey, North American CFOs have strong concerns about the implementation of information security plans – 74 percent of 103 CFOs surveyed said cybersecurity is a top priority, and only six percent do not view it as a high priority. More than half of the CFOs surveyed cited anxieties about the security of data, intellectual property and facilities.
Enterprise security leaders can use these drivers and risks to better present security initiatives to CFOs.
“The role of the CSO crosses every single function in an organization; to do it well, you have to have a very good understanding of your enterprise and develop partnerships with other internal programs,” says Brennan. “Many executives still see security as guns, guards and gates – other risks aren’t on their radar yet. As a security executive, propose programs that already have buy-in from internal clients, pitching them as a service to enhance the business, not just an operations center. This helps you bring more diverse risks and functions to the CFO’s attention with the support of other business leaders.”
For security leaders looking to gain more business acumen, Brennan recommends keeping up to date on all regulatory and legislative issues to better address compliance to the CFO and C-Suite.
“It is extremely important to be business savvy,” he says. “It’s up to the CSO to provide a level of education about enterprise risk models from a security standpoint and a business standpoint. Take MBA-level courses, basic financial courses and classes in international finance. Find educational opportunities that relate to your company. Talk to your peers – find what’s pressuring their departments and see how you can be part of that team.”
Harrold finds value in what he calls “smart meetings,” in which a new executive to a company should reach out to other departments to review missions, form partnerships and help newcomers understand the different functions within an enterprise. These meetings demonstrate a CSO’s strong interest in bringing overall value back to an organization instead of striking off on his or her own.
“There are many paths to a decision-maker,” Harrold says. “There are always influencers or issues that the CFO does care about, and it’s a matter of linking security and risk to those issues. I call it ‘leaning on the door,’ instead of barging through. Persistence and consistence in this, in finding where your investments can bring value and drive the organization forward, is how I define success.
“Trust is built over the course of dealings, and consistently pitching value-driven, business-minded initiatives that help departments outside of security helps to bolster that trust.”