Communicating Cybersecurity ROI to Your CFO

Originally published by Abnormal Security.

Written by Arun Singh.

Over the past several months, organizations have felt the strain of tumultuous economic conditions. Budget reductions ranging in severity from technology spending cutbacks to throngs of employee layoffs have sent waves of uncertainty throughout the workforce. And while cybersecurity spending has historically been shielded from budget slashing, as the risk exposure could lead to greater costs than the technology itself, it is no longer immune from the chopping block.

CFOs are tasked with evaluating all aspects of profitability across the organization, making it sometimes difficult for CISOs and security leaders to prove the business value of security spending. To gain a deeper understanding of how this evaluation process affects technology adoption, I spoke with a few key Chief Financial Officers in the industry.

In a series of recent blog posts, I chatted with Sam Wolff at Domestika, Adam Meister at Clari, and Bill Losch, formerly at Okta to get their perspective on the current state of the macroeconomic environment. This blog is a culmination of their expert insights and advice which I hope will help your organization prioritize cybersecurity technology.

Starting the Conversation with Your CFO

When it comes to evaluating technology spend of any kind, CFOs must look through a more meticulous lens than ever before. It’s important for CISOs to go into the budget conversation with some level of risk tolerance.

The reality in this environment is that CFOs and internal finance teams are more risk-tolerant and are willing to make more difficult compromises. CFOs won’t be able to allocate the same budget to cybersecurity they did a year ago which means CISOs and security leaders must be strategic in prioritizing the most impactful features of the technology they are championing and how to position them as invaluable to the organization. This will require CISOs to reassess the technology they are currently using and strike a delicate balance between the risk and the reality of their spending. It’s crucial to set expectations for both sides of the table from the onset. Come to the conversation with a realistic mindset that not all of your asks will get funded.

Making the Case for Security Spending

Once you’ve set the tone for the budget discussion, there are a few best practices you’ll want to consider when making your case. The following tenets were suggested by the CFOs we spoke with. Using these tactics, you can ensure a more productive and fruitful conversation.

Speak a Common Language

CFOs understand risk and tradeoffs well, so present your security plan in that light. Rank your risk areas and clearly (in a non-jargon way) explain the impact of the risk area on the company, the coverage, and how the investment will help mitigate the risk.

Outline Risk Priorities

Highlight the top risk areas requiring the most attention and how those risks can be remediated. Be prepared to rank priorities based on risk, knowing that a solution to every need may not be possible.

Provide the Right Data

Utilize reputable threat reports and case studies from businesses within the same industry. This allows your CFO to not only see the potential risk of what could happen by not implementing a security solution but also provides them with a framework of knowledge about cybersecurity as a whole.

Distinguish Security Solutions

One of the most difficult things for CFOs and security teams to see eye to eye on is the need for more than one security tool as there's so much overlap in security. Be prepared to explain why multiple tools are needed and if/how they can work together to create a holistic security stack.

Choosing the Right Solution for Your Needs

Of course, the most important decision will be choosing the right security solution for your organization. There are numerous factors to consider when evaluating all of the technology our market has to offer. Some of the most crucial benefits aside from superior threat detection and remediation, are cost efficiency and the ability to speed up manual processes. You should invest in a cybersecurity platform that effectively protects your organization, saves time and effort, and is cost-effective overall. Showcasing a solution that encompasses these values to your CFO will only serve to further your case for security spending.