Reporting to the CFO can improve discussions about funding: There’s art and science to securing funding. Numbers matter in getting budget approval, and cybersecurity is at pains to be seen as more than a cost center. However, two-thirds (66%) of CFOs don’t fully understand the CISO role and have difficulty seeing the tangible return on cyber investment, according to an FTI Consulting survey. It’s something many CISOs know all too well.

“A CFO comes through the finance ranks without a lot of exposure to IT and I can see how they’re incentivized to hit targets and forecasts, rather than thinking: if I spend another two million on cyber risk mitigation, I may save 20 million in three years’ time because an incident was prevented,” says Schatz.

Budgeting and forecasting cycles can be a mystery to CISOs, who may engage with the CFO infrequently, and interactions are mostly transactional, centered on budget sign-off for cybersecurity initiatives, according to Gartner.

Without more opportunities to interact, the disconnect on objectives and the communication gaps between CISOs and CFOs can exacerbate the problem. “If there’s no common understanding of what you’re trying to achieve or prevent, technical security people may not understand that what they’re saying isn’t heard by the CFO in a way they can make sense of,” says Schatz.

CISOs who report to the CFO have time to build a common language that can overcome some of the obvious gaps between the technical and finance camps, which goes a long way toward justifying and securing funding.
This includes explaining that cybersecurity is part of the organization’s insurance against attacks, potential fines and revenue loss if a vulnerability is exploited, and why cybersecurity investments protect the company’s long-term financial stability. “Talking about security, you’re talking about the future and trying to have conversations about why finance needs to up the insurance policy by giving security more money because otherwise things could go horribly wrong,” Bennett says.
Reporting to the CFO reduces CIO-CISO conflicts of interest: Where IT is primarily focused on technology performance and project timelines, security can be seen as a hindrance, leading to conflicts of interest between CIO and CISO responsibilities. “If you look at a CIO’s remit, generally it’s their role to provide performing technology systems that are on budget, preferably ahead of time, whereas from a security perspective, we might hinder all of those factors,” says Bennett.

It’s not uncommon for CISOs to find security treated as a barrier: its benefits aren’t always obvious, and it can be directly at odds with the metrics that drive the CIO. “Security might slow down a project, introduce a layer of complexity that we need from a security perspective, but it doesn’t obviously help the customer,” says Bennett.

Reporting to the CFO can relieve these potential conflicts of interest. It can allow CISOs to broaden their involvement across all areas of the organization, beyond input on technology, because security and managing risk is a whole-of-business mission. “It’s why security should not be seen as a technology function, but as a business function that spans across various areas,” says Bennett.

In Schatz’s case, his change in reporting structure to the CFO also elevated the CISO role to become a peer of the CIO, who similarly reports to the CFO.
“It depends on the people involved, but I have a very good relationship with the head of IT, who’s not a security person, but he has very good IT skills and is very open for guidance on cybersecurity,” he says.

Working productively together, Schatz is able to provide guidance on cybersecurity, and the two have regular conversations about priorities and resources, with shared rather than competing objectives. “We have very regular conversations about what are the priorities, how should we go about this and what kind of resources are more appropriate in which area,” he says.

The change in reporting structure also brought added responsibilities to his remit: in addition to cyber risk, Schatz acquired organizational risk management. It requires a holistic understanding of the business and means managing risk everywhere across the organization. “Where the CISO is very much focused on cybersecurity, now looking at enterprise risk management, it definitely requires a better understanding of the core business purpose and what we’re offering our customers,” he says.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3964405/reporting-lines-could-separating-from-it-help-cisos.html