
Do this, not that: How CISOs can justify cybersecurity budgets to the CFO

David Eckstein | Sep 27, 2022


As Menlo’s Chief Financial Officer (CFO), I’ve seen expectations for the role of Chief Information Security Officer (CISO) grow a lot over the past few years, as threat actors evolve their tactics and ramp up attacks to take advantage of the shift to hybrid work. As threats continue to evolve, CISOs’ tools need to evolve, too. But CISOs can’t get the tools they need to do their job without buy-in from their organization’s CFO. Simply put, given today’s threat landscape, budget is critical for CISOs.

During the budget process, CISOs need to be strategic with their requests — while the potential for threats may seem unlimited, budgets certainly aren’t. That’s why it’s key for CISOs to take steps to build a strong relationship with their CFO, so both roles can better understand what’s on the other’s plate.

Having the CFO’s ear is crucial to the success of your security strategy. It’s best that you know how to speak their language. There is no industry standard for how CISOs should communicate with CFOs, but below are some of my tips for ensuring that the conversation goes smoothly.

Think about budget early

CFOs need to plan budgets well in advance of next year. Don’t let the budget cycle pass you by and miss out on an opportunity to get all the tools you need to secure your organization.

Much of the forecasting for the next year comes together in September, so CISOs should aim to discuss any budget increases by July or August. Raising the topic early lets a CISO set expectations and soften any sticker shock when the formal request lands. But just discussing the budget isn’t enough: CISOs should be as specific as possible about each item they are getting ahead on, so the ask moves from a “nice to have” to a “need to have” in the CFO’s eyes.

Dive into the details

Don’t be afraid of going into too much detail, and don’t oversimplify the conversation. A CFO may not know as much as a CISO about the technical side of how security works, but including as much information as you can about why you need more budget can only improve the CFO’s understanding. A CFO can always move the presentation along or skip unnecessary details if need be.

Technical detail helps a CFO build a clearer picture of what the capital will be used for, even if they don’t follow every part of how the technology works. That information still builds trust, and it gives the CFO something to dig into so they can get on the same page as you and buy into your cybersecurity strategy.

Make an effort to understand the CFO’s pain points

When communicating with a CFO, don’t tell a doomsday story in which a large security investment is necessary to protect against an existential threat, with little other rationale. That framing ignores all of the other departments a CFO has to budget for. Don’t lose sight of what’s on the CFO’s plate.

CFOs play a game of trade-offs, and each investment needs to justify its worth. As a part of budgeting for the year, CFOs create an annual operating plan that allocates budget based on benchmarking data for each department’s efficiency. Being a partner in that process and clearly answering the question of “What are we going to get for it?” makes a CFO’s job much easier.

Communicate beforehand

The last thing you want to do when asking for more budget is to show up to a meeting without having discussed the topic beforehand and blindside the CFO with a barrage of numbers. Even worse is submitting a budget request with no explanation at all and expecting the CFO to play detective. That request becomes one nameless line item among dozens of other nameless line items, and it tells the CFO nowhere near enough to greenlight it.

Instead, send over slides or a written explanation of what you plan to cover a day in advance, and make sure to include a clear accounting of the numbers. Sharing the deck ahead of time turns the next day’s meeting from a one-way presentation into a two-way conversation, and it spares the CFO the initial shock of a budget request they have never seen.

Show the value of your product

A CFO’s decision to buy a solution is never final. Every year, that product has to prove its worth again, and budget can be pulled at any renewal. Don’t operate silently in the background and let the CFO forget about you when renewal time comes.

CISOs are often fighting wars behind the scenes, even when everything looks calm on the surface. Let the CFO know about your victories. Send reports with stats that show the potential loss prevented, such as how many attacks your solution stopped and how many people clicked on malicious links that the solution then neutralized. Tying those counts to the loss they averted quantifies a security solution’s return on investment and proves the value of the product you selected.

Though these tips can help you build a stronger partnership with a CFO, don’t expect to get every security tool you want. Budget isn’t infinite, and not every threat vector can be completely closed off. CISOs need to go through the same kind of prioritization process that CFOs do.

That’s why it’s critical for CISOs to stretch their dollars and focus on security solutions built to prevent threats completely across a particular vector. Coming to the table with that type of solution shows the CFO that you’ve done your homework and that the two of you are on the same page. A CFO can be a great ally for a CISO who makes the effort to understand and align with them.
