CISOs frequently encounter inherent conflicts with business colleagues in their day-to-day responsibilities. In many ways, this is the nature of setting security policies for an organization. But the goal for CISOs should be to reset this dynamic and forge a strong, collaborative alliance with their critical leadership counterparts.

Take the CFO, for example. For many CISOs, a phone call from the CFO often signals bad news, perhaps an impending budget cut due to business challenges. In some enterprises, the CIO reports directly to the CFO and has developed more experience navigating the CFO’s perspective; not so for the CISO.

In a recent CFO and CISO ADAPT Alliance lunch event, Dipak Golencha, global CFO of Palo Alto Networks, stressed how strategically important it is for these two executives to learn to speak the same language.

“Cybersecurity is an existential threat to every company. Gone are the days where CFOs could only be fired if they ran out of money, cooked the books, or had a major controls outage,” he said. “Lack of adequate resourcing of cybersecurity is an emerging threat to their very existence.”

This sentiment reflects the reality that for most organizations cyber threat is the No. 1 business risk today, and this has significant implications for the strategic survival of the enterprise.

It’s time for CISOs and CFOs to address the natural barriers to their relationship and develop a strategic partnership for the good of the company. There are three key areas where CFOs and CISOs typically encounter friction in their relationship: budgets and investment, business operations, and project delivery.

Here’s a breakdown of the inherent challenges in each:
Budget and investment
The CFO’s primary perspective is prioritizing investments that drive revenue or reduce costs. Conversely, the CISO typically represents the highest spending within IT, with technology typically being the largest operating expense pool. While the CISO aims to prioritize enterprise security investments, the CFO may struggle to understand the nuanced spending.

Key challenges include:
- Cyber investments often lack a clear financial return
- Risk reduction benefits appear intangible compared to traditional financial metrics
- Quantifying the value of preventative security measures is difficult
Business operations
Both roles share a fundamental interest in minimizing business disruptions and maintaining system availability. However, their approaches differ:
- The CFO focuses on process efficiencies and maintaining business-as-usual operations
- The CISO may introduce cyber controls that potentially impact customer experience
Project delivery
The CFO seeks timely project completion and benefits realization. The CISO can inadvertently become a source of project delays when:
- Security issues are discovered late in the delivery process
- Cyber teams are not engaged early enough in project planning
- Critical security concerns are raised, risking the perception of the CISO as a project impediment

These factors all contribute to the natural tension that can occur between the CISO and CFO. Given this foundation, how do we reset the relationship into a partnership?
Building the CFO-CISO Alliance
CISOs should be aware of a few key strategies for improving collaboration with their CFO counterparts.

The first is reverse mentoring. Because CFOs and CISOs come from differing perspectives and lead domains rife with terminology and details that can be quite foreign to the other, reverse mentoring can be important for building a bridge between the two. In such a relationship, the CISO can offer insights into cybersecurity, while simultaneously learning to communicate in the CFO’s financial language. This mutual learning creates a more aligned approach to organizational risk.

Second, CISOs must also develop their commercial perspective. It is often said that technology leaders need to develop the skills to become business leaders. Here, that translates to developing the ability to:
- Prepare business cases that resonate with financial leadership
- Demonstrate the commercial value of data risk mitigation
- Translate security investments into language understood by financial executives
The third is improving collaboration by having CISOs better understand and align their cybersecurity strategies with the CFO’s preferred solution approach. Typically, this will call for “pragmatic solution integration,” as CFOs often prefer integrated solutions over “best of breed” approaches for budget and investment purposes. Understanding how the CFO thinks in this area can lead to more effective and more readily approved cybersecurity strategies.
The AI opportunity
These approaches can help drive the reset between CISOs and CFOs. But the evolving AI era provides the opportune moment to do it.

The emergence of generative AI presents a unique partnership opportunity because CFOs are eager to leverage AI for productivity gains and CISOs bring critical perspectives on potential AI-related risks. Together, they can develop strategies that balance innovation with risk mitigation, two key pillars for enterprises today.

Take the proactive approach: seek out your CFO and offer him or her a more integrated relationship. Start slow, but be purposeful with this intent in mind.

The CFO-CISO relationship is not about overcoming conflict but about creating a synergistic partnership that enables safe business growth. By understanding each other’s perspectives, communicating effectively, and aligning on organizational goals, these leaders can transform potential friction into strategic advantage.

Best wishes in that journey to make this a win-win.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3801015/the-cfo-may-be-the-cisos-most-important-business-ally.html