Has the CFO now overtaken the CISO as the most important person in strategic cybersecurity thinking? Why is this? And is budget the only metric for cybersecurity success?
So, let me clarify with this age-old piece of military wisdom: “Vision without resources is hallucination.” The CISO may strategise all she or he may want but, if revenue or budget can’t support the execution of the security strategy, then the CISO is dead in the water. The days of “here is a pile of money, spend it how you like” are long gone and, when you think about it, 70% or more of the CISO’s budget is on the staff salaries, so that 30% left is really the only flexible item. And it gets worse, as out of that 30% renewals of the existing security estate are allocated. That might further reduce the available “new cyber security things” budget of 20%.
When it comes to communicating with the CFO, why is the onus on the CISO to “speak the language of the CFO”? Is there a responsibility on senior management (including the CFO) to also “speak the language of the CISO” and understand the impact of cybersecurity on the business?
“Speak the language” is a great way of kindly saying “in touch with the business reality.” When it comes to IT and cybersecurity, demand is exceeding capacity in many of the businesses I know. Between audit points, regulatory requirements, pen test findings and vendor due-diligence requirements, the security posture of the organisation is being examined over and over again. The smart CISO needs to identify the “one” thing that can make some of the pain go away. The way to get funding through the demand management system is to lead with “low-cost/high-impact” solutions and be armed with the answer to the question “can we afford this cyber security solution?” Cross-business-unit support is necessary, but the “buck” of funding always stops at the CFO’s desk.
Are stakeholders and investors now paying more attention to the cybersecurity of their potential investee organisations?
Institutional investors and venture capital firms are generally looking at bottom line performance and EBITA data. Cybersecurity may be regarded as a general performance risk and, at least in public companies, that risk is articulated in SEC filings and annual reports. I think we have felt the “flash” of the GDPR but not the “bang”. The “bang” is really going to be a series of costs related to regulatory fines and class action settlements or class action judgments. The only way to really make investors and venture capital firms notice is when a data breach or cyber event becomes an existential threat to the company. It’s only been a limited number of specialised companies, generally under 30 million in annual revenue, that have been wiped out by a cyber-attack or cyber espionage event. Out of everything that can go wrong in the world of investment and VC, I don’t think cyber is what is keeping the investment and VC world up at night. The NotPetya attacks cost firms over 2.2 billion but so far 0% of those firms have filed for bankruptcy – something to keep in mind.
You have mentioned that given the “big picture” threat landscape in the context of rapid cloud adoption it’s pretty clear tactical cyber security will become more miserable, more consuming and less aligned to the business over time. Why do you think that Cloud adoption will have this impact? Is it not possible to be “tactical” about Cloud security?
The bottom line I’m looking at here is maybe not expressed as tactical vs strategic. It may be better described as fighting on shifting sands. If the business environment is changing and your security program is not, you are out of touch and subsequently the value of your security program can be challenged. We know that cybersecurity is war without end. You can always spend more and do more, but the security activity has to take place in the context of the business needs. If you are thinking about submitting for a new “next generation” thing, but that thing can’t support hosted services and the business wants to move as many business services as possible to hosted infrastructure, what the hell are you even doing? What I see in that scenario is not a new “next generation” thing; I see a hosted services security training opportunity. You need to take a look at how to evolve the security program at the same rate and direction as the overall business strategy. If you don’t know the business strategy, then you are missing the key input into the cyber security strategy. A great benchmark to see if you are out of touch is the detection of shadow IT. If a business unit has just gone ahead and purchased something to meet a business need, it may be because you (when asked or not) did not have a solution available.
Companies, such as Starwood Marriott, BA, Morrisons, are now facing class-action lawsuits as a consequence of being breached. How do you factor this into the overall calculation, and quantitative risk modelling of cybersecurity cost to the business?
You can’t. Yet. Clean-up costs, regulatory fines and class actions are not easy to compute in advance. Residual effects such as customer loss and customer market confidence are much harder to compute – what is the effect of a data breach on our key customers? Really hard to articulate if your view is from IT or cyber security. I think the only meaningful way of risk modelling for your organisation is to table top or war game out some impactful events with all the business stakeholders: Sales, Marketing, Risk, Audit, Legal and HR, along with the players from IT and cyber security, inputting into the scenario. IT probably does not know about accounts that may be in jeopardy of leaving; cyber security may not know about contracts in place which may have performance SLAs or delivery of service requirements. Every business has a unique value proposition and the resilience of the organisation to a cyber security event is going to vary considerably.
How do you think the role of the CFO will evolve when it comes to cybersecurity and cyber-risk? Will they continue to be the “most important person” in cybersecurity strategic thinking? How will this affect the role of the CISO? Where will the accountability for cybersecurity and cyber-risk lie within the organisation?
I think the CFO is going to take more cyber information into account when stamping approval on projects or third-party contracts. The only way to “blue team” the supply chain is to insist on vendor cyber security due diligence as part of the contract for services and onboarding process. The CFO can really impact the business by demanding solutions which clearly reduce risk in the organisation, diversify that risk across to a 3rd party or leverage cyber insurance to accept the risk. As the keeper of all the business numbers, the CFO can provide the CISO with “what is possible” under the current business climate. It’s easier to ask for a cyber security solution when you already know the money exists to give you the cyber security solution.
Ian Thornton Trump is Head of Information Security at AmTrust International for UK & EU markets and will be sharing further insights at the 17th anniversary e-Crime and Cybersecurity Congress over the 5th and 6th March 2019.