Managing Cyber Security Costs in a time of fiscal restraint

Summary

   - There is topic fatigue when it comes to talking about cyber, data and technology risks.
   - Fatigue and disinterest, however, do not change the reality of the risks.
   - Organisational and personal liability risks specific to the role of the CFO, driven by the current economic and regulatory climate, are now more relevant than ever.
   - Whilst this may initially be cause for concern, CFOs are encouraged to see it instead as an opportunity to add further value: directly assisting their organisations to become more resilient, whilst exploring cybersecurity spend efficiencies, improving margin and enabling business outcomes.
   - Whilst successful CFOs have their traditional finance-focused area of personal expertise, they will do themselves and their organisation a significant service by enabling macro-objectives through understanding and facilitating good cybersecurity strategy.

 

Overview

One of the most overused statements of 2023, and one that looks set to continue into 2024, is that cybersecurity risk is the #1 risk to business (or some variation of that claim).

Without dismissing the reality or seriousness of the statement, its overuse has become overbearing for many, and that has led to widespread fatigue on the topic of cybersecurity risk. The risk and its impact, however, remain as relevant as ever, and will neither disappear nor diminish in the foreseeable future.

Many organisations (arguably all) rely heavily on technology and data, yet often overlook or under-prioritise understanding and managing associated risks. Instead of addressing these risks, discussions tend to emphasise the convenience and benefits of technology and data usage.

Irrespective of interest or understanding, there are client, societal and regulatory responsibilities to identify, understand and mitigate cybersecurity risks. Ignorance, or a lack of understanding, in this space is not an acceptable position to take; it is fraught with risk. These responsibilities only increase with seniority, and they are not confined to specialist roles such as the CISO.

Enter the CFO

Traditionally, the primary function of the CFO was 'finance': ensuring that the company stayed "financially healthy" and could meet its obligations at any time. The CFO was, in other words, the "guardian of the books". While this responsibility remains important today, the role has evolved to embrace a wider range of responsibilities, such that today's CFO has to be sensitive to many factors beyond the financials, including corporate governance and risk management.

Whilst previously not perceived as directly within the CFO's remit, the modern-day CFO now has much more direct input into, oversight of and responsibility for cybersecurity, the associated investment and, therefore, the organisation's resilience.

With ultimate responsibility for the organisation's cost allocation, spend and profitability, the consequences of being ignorant of cybersecurity, or of inappropriate or incorrect investment in it, are significant both for the organisation and for the personal liability of the CFO. Beyond the operational, reputational and regulatory consequences, there are increasing role-specific obligations that create potential personal liability exposures.

Further, Boards place a foundational trust and reliance in the CFO. That trust is not simply about avoiding decreased profits or working through an endless list of tasks; it carries an expectation that the CFO will facilitate "better business".

Corporate governance and risk management therefore require the CFO to have more than a fleeting understanding or review of cyber security, given technology's foundational relevance to every business. The current business landscape makes this more pressing still, given the ongoing and increasing mainstream media coverage of cyber events.

Worse, and speaking again to the current fatigue, CFOs have heard the doom-and-gloom predictions from CISOs (or their equivalents) about the fiscal disaster that a catastrophic cyber event or data breach would bring so often that the message no longer resonates. The "doom" scenario is not hypothetical: global compliance requirements and privacy regulations drive the cost of a breach well above the purely technical costs. Yet CFOs and other C-level executives have heard these warnings so often that there is a genuine risk of cybersecurity risk becoming "just background information" that does not drive their decision-making.

Finally, add to the mix an economically challenging environment in which the cost of cyber spending in Australia has been rising constantly. Gartner recently reported that cyber security spending had increased by 11.5 per cent in 2022 to reach $7.74 billion, with 42 per cent of CISOs expecting cyber security budgets to increase at a rate above inflation.

CFOs are right to feel challenged. So, what can CFOs do? Below we have outlined the principles of our approach when engaging with organisations on cybersecurity strategy, applied through a CFO lens.

 

RedBelts Guidance 

 

Identification of the goal 

So where to start? In our experience, the conversation can never start too early, nor be too far progressed, when seeking to include the CFO in an organisation's cybersecurity strategy. It should certainly begin before the CFO is approached to approve cybersecurity strategy funding. Engaging the CFO early (or, preferably, having the CFO proactively seek to be engaged early) enables an approach in which the relevant risks are identified and understood first, and solutions and investment are then sought to protect the right assets. The alternative is the default, blanket approach of trying to protect all assets equally rather than concentrating on the crown jewels.

Defining an acceptable cyber risk appetite with the CFO helps the CFO understand the importance of aligning cyber risk appetite with organisational objectives and strategies, ultimately fostering better collaboration and decision-making.

This can be difficult, as it can require a mindset shift from CFOs and executives regarding the allocation of resources to cybersecurity. Traditionally, CFOs have focused on capital expenditure (CapEx) and the return on investment associated with it. That focus has led many businesses to adopt "asset-light" strategies, minimising CapEx by outsourcing IT infrastructure. The same mindset, however, sometimes causes executives to hesitate when it comes to investing in cybersecurity measures, which they perceive as detracting from the efficiency of the asset-light model.

For businesses operating traditional asset-heavy models with IT overlays, the need for cybersecurity spending is even more pronounced. That spending may impact profit margins or require pricing adjustments for customers. Ultimately, the message is that investing in cybersecurity is now an integral part of conducting business. Regulators, banks and investors increasingly view cyber resilience as adding value to an organisation, making cybersecurity investment essential for maintaining competitiveness and safeguarding against potential risks.

The Chief Information Security Officer (CISO) is traditionally responsible for maintaining a controls environment aligned with the business's risk tolerance. However, there's growing awareness that significant cyber security incidents can lead to reduced revenue and hinder profit forecasts shared with investors. These losses may stem from reputational damage, customer loss, legal expenses, regulatory fines, and compliance issues. The C-suite, typically accountable for these outcomes to the board and stakeholders, must be involved in determining the level of protection worth investing in to safeguard these outcomes. This summary in itself logically dictates the essential need for the CFO to have strong involvement in cyber security strategy. 

Effective cybersecurity strategy (and the associated investment in that strategy) is crucial for shielding the organisation from incidents that could materially impact its ability to achieve strategic goals. This emphasises the importance of tailoring the strategy to align with the organisation's specific objectives, risks, and regulatory requirements.

Language and the disconnect 

Understand how cybersecurity decisions affect the business. In quite a few companies, the lack of CFO involvement in, and understanding of, technology and cyber security stems from discomfort with the subject matter. The result is that cybersecurity is deprioritised and rarely properly discussed. CFOs need a good, basic understanding of technology and cybersecurity.

CFOs do not need to delve into the technical aspects of cybersecurity, but they do need to understand the principles behind the critical aspects of the business. That includes what the different technologies do, and which risks they mitigate.

Cyber security decisions about solutions and investment need to be translated into the organisation's overall objectives. In most companies, cybersecurity has a budget cap based on average industry spend, and that cap rarely moves. However, if cybersecurity initiatives are expressed in terms of a clear ROI, the CFO can more easily quantify the value of an investment and, ultimately, support it.

Risk that is quantified can be managed and reduced. Financial risk is directly impacted by cybersecurity: money lost through cyber-enabled fraud, or revenue lost when services are taken offline by a cyber-attack. And because a major attack could destroy, or at least erode, consumer confidence in your company, being better prepared and more cyber resilient can only be a benefit.

This is key to changing the perception that security spending is just a cost; now it emerges as a business enabler. Good cyber security will also allow you to take some risk in using new technology to innovate. An overly cautious approach to risk can lead to missed business opportunities or additional (and unnecessary) costs. 

Finally, the CFO and CISO can then, together, also make the case for better security delivering more revenue. Does higher security investment make prospective customers more comfortable? Is lack of security making some existing customers leave? 

"If you can shorten that sales cycle and prove that security gained more sales, it can be highly persuasive for the CFO: 'Today, three customers walked away, but tomorrow none will'."

Spending more = success?

“The more we spend, the more secure we will be.”

Whilst certainly not advocating for a reduction in anyone’s Cyber Security budget, according to recent McKinsey research, there is no direct correlation between spending on cybersecurity (as a proportion of total IT spending) and success of a company’s cybersecurity program. 

In fact, some companies that spend quite a bit on cybersecurity are underperforming the rest of the market when it comes to developing digital resilience. Simply paying for "best-of-breed" is not the right approach when an organisation could instead implement a more appropriate strategy and associated solutions, which is holistically a much better outcome.

Throwing money at the problem may seem like a good idea in the short term, particularly when an intrusion, disruption or loss of data occurs, but an ad hoc approach, or a pure increase in spend, is unlikely to be effective in the long term. The current challenging economic environment only reinforces the need to dispel this misconception: the commercial realities of the economic landscape now influence cybersecurity strategy, and therefore the associated spend, more than ever.

CFOs, together with their CISOs or cybersecurity consultants, must instead reach a shared understanding of costs, value and impact, and develop a clear strategy for funding cybersecurity. Without that shared understanding, CFOs may baulk when a cyber event or data breach occurs after they have funded significant changes in security infrastructure.

Cost/suitability of solutions

“The more advanced our technology, the more secure we are”.

It is true that cybersecurity teams often use best in class solutions or technologies to protect data and other corporate assets. But it is also true that many threats can be mitigated using less-advanced methods. In fact, according to research, more than 70 percent of global cyberattacks come from financially motivated criminals who are using technically simple tactics, such as phishing emails.

When companies invest in advanced technologies, but do not understand how best to use them or cannot find properly skilled administrators to manage them, they end up creating significant inefficiencies within the cybersecurity team, thereby compromising the cybersecurity program overall.

This is not to say that companies should not explore the latest and greatest technologies, but it is also critical that companies establish and maintain good security protocols and practices to supplement emerging technologies—for instance, developing a robust patch-management process. 

To use patching as an example: a patch covering the vulnerability exploited by the WannaCry cryptoworm was released on 14 March 2017, some two months before the ransomware worked its way into more than 230,000 computers across more than 150 countries.

Why now? Why important and why relevant?

As referenced at the start, despite every organisation having a fundamental reliance on technology and a need to hold and use data, many have been quick to dismiss the associated risks, or have not dedicated enough time and resources to understanding and mitigating them.

Conversations are instead - arguably because it is much easier - continuing to focus on the convenience and interconnectivity technology provides, and the value in holding and using data. 

Ironically, the significant increase in mainstream media coverage that is contributing to the fatigue has also made the fiscal, operational and reputational consequences of cyber events quite clear. We also have the mainstream media to thank for organisations now understanding the irrelevance of the "we are not a target" argument, given the ever-increasing number of cyber events caused by technical and non-technical third parties and vendors. The UK National Cyber Security Centre's "Cyber Security Toolkit for Boards" outlines the latter well, noting that every organisation has a relationship with at least one other organisation, be that the provider of its email service, the developers of the accounting software it uses, or its traditional procurement supply chain.

Most organisations will be reliant on multiple relationships. Each of these relationships will have a level of trust associated with them, normally some form of access to your systems, networks or data. It is the responsibility of organisations and the executive to be more focused and deliberate about cyber preparedness, which should also directly involve the resilience of associated entities like third-party suppliers.

Timeliness from ASIC and Joe Longo

In his keynote speech at the Australian Institute of Company Directors (AICD) Australian Governance Summit (21 March 2024), ASIC chairman Joe Longo told company directors complaining about higher regulatory burdens to get on with the job and act with integrity: very direct messaging.

Executives, directors and officers face a labyrinth of statutory obligations, significant community, social and ethical expectations, and a dynamic and evolving set of challenges and risks to manage.

CFOs, like the broader executive, have to get the balance right. They are essential in demonstrating that their organisation puts customer and client interests first and, as Joe Longo put it, in showing that they are not just there to make a profit, but that they are acting with integrity and doing the right thing by their staff and their local community.

This applies particularly to the increased scrutiny of cyber preparedness. Because a major cyber event could destroy, or at least erode, consumer confidence in your company, being better prepared and more cyber resilient can only be a benefit.

There is a requirement for directors and officers to act with care, diligence and in good faith. With it comes a requirement for CFOs to maintain a continuous curiosity about all aspects of the company's core business and the risks associated with it. That means making a genuine effort to understand how the organisation makes money. And that is not trivial.

To use an analogy CFOs will very much identify with, one only needs to recall that during the GFC we learned that a number of bankers evidently didn’t know how they made money nor understood how key financial instruments worked. 

Finally, ASIC sought directors and officers to ask of themselves: What are the key drivers of your profitability and who are your customers, where’s your data? 

“These may seem like basic matters. They are. That’s why they matter. And when you’ve demonstrated to yourself that you know how your company makes money and you’re acting with honesty and integrity, then hopefully you’ll be able to have a sensible conversation with yourself, and with your fellow directors, about the risks and what can go wrong.”

Conclusion

 

Taking it back directly to cybersecurity strategy, CFOs and the broader executive need to address the following two fundamental principles:

  1. Are we spending in the right places, and potentially enough?; and
  2. Are our investments effective?

Specific questions the CFO should be thinking, and asking can take the form of:

   - What is each solution providing, and what risk is it mitigating?
   - Am I being overcharged?
   - Is there a more cost-effective solution?
   - What’s the ROI?

Fundamentally, where are you spending your money and are you effectively mitigating your risks? 

Once engaged on the above we have found ourselves in a number of instances where we are then afforded the opportunity to present cost-effective risk mitigation or resilience solution alternatives, rather than cutting costs by eliminating them entirely.

A strong cyber foundation is increasingly critical to brand reputation, customer trust and loyalty, operational stability, and revenue growth. Business leaders - like the CFO – can have an increased, direct effect on the success of their organisation by educating themselves and embedding cyber thinking, planning, and action into their business initiatives.

What can RedBelts do?

Subject matter expertise, delivered from a position of impartiality by someone with an embedded understanding of the broader business, is RedBelts' proprietary and effective approach to delivering cybersecurity strategy.

The role of cyber security is to enable the organisation's objectives and increasingly enable competitive advantage. It should be adding value to your organisation rather than hindering progress. This requires a positive cyber security culture and appropriate investment and management of cybersecurity, and the right advice.

Tangibly, we work with organisations that have identified the need to prioritise simplification in their ongoing investments to enhance their cybersecurity posture. This involves:

   - Understanding business goals and drivers.
   - Assessing the legal and regulatory landscape.
   - Assessing the threat environment; and
   - Assessing the effectiveness of previous investments, and replacing outdated systems and/or solutions with more appropriate ones.

It is crucial to regularly review past investments during budgeting and contract renewals, to ensure they remain relevant and to explore opportunities for improved outcomes. With the increasing complexity of security threats, organisations often accumulate a mix of technologies. Many are therefore adopting an outcome-driven approach that aligns investment with the organisation's cyber risk appetite, ensuring that control performance matches the resources allocated.

To refer back to the Chairman of Australia's chief corporate regulator, we provide advice that enables the executive to pre-emptively demonstrate to the Board that the advice they are giving is relevant, simple and quantified, so that the Board in turn can be comfortable it is operating with oversight (from RedBelts) that is well-founded and trusted.

We specialise in communicating cybersecurity strategy so that all parts of the business (not just the technically minded) reach a sufficient understanding of cyber security to see how it supports their overall organisational objectives.

Author: Mark L
