Let’s say the cybersecurity manager is trying to communicate the presence of a business interruption risk. If data connectivity to the data centre goes down, it will have certain impacts—the customers will be angry, and the company will have to spend a lot of money on recovery. If the cybersecurity manager can demonstrate this will cost $200,000 in all, it makes sense to invest $100,000 this year in a second communications line to make sure everything keeps working in case of a blackout. A CFO will understand that logic. The cybersecurity manager needs to make the proposition clear, telling the CFO, “If you approve the budget, this will be your outcome, and if you don’t, this could be your outcome.” Because the CFO thinks in numbers, with this simple example, the cybersecurity manager can demonstrate a clear return on investment.
Another way to frame the importance of security measures is that they protect the company’s investment. If the CFO is considering how many people to enlist in cybersecurity to make sure investments to date are protected, how will they decide? The cybersecurity manager can convert the numbers for them so they understand the risk. Say the company is worth $1 billion; maybe spending $1 million or even $100 million would be reasonable. The cybersecurity manager’s job is to show the CFO, “If you put this much money in, we can be sure that we will wake up tomorrow to the same company and the same assets.” Asset protection language usually works for CFOs, owners, and boards; their basic rule is: don’t lose money. Security is not just about loss prevention; it’s a way to preserve assets. Owners will be interested in this.
The risks are real, but too many organisations ignore them. We once worked with a government organisation that had a financial process to pay millions in tax revenue back to the states a few times a year, kind of like a tax refund. They had known all along that there was no authentication between the systems that executed these huge dollar transactions. In this case, it was possible to change the account numbers of senders and recipients in the payment system without authorisation, so an insider could have signed in, changed the recipient’s account number on a 100-million-dollar transaction, and gotten away with it. There were serious risks that people on the inside could collude to move the money somewhere else—into a dark offshore account.
The government organisation was aware of the risks. They acknowledged the risk, and they talked to the cybersecurity manager, but they didn’t do anything about it. Billions of dollars in transactions were at risk. It’s baffling to think these kinds of risks remain on the table with potentially huge implications, and a single individual, like a CFO or a director, can just accept that risk as residual and be okay with it.
Companies, and people, don’t always act rationally, and that’s as true of CEOs, CFOs, and CIOs as of everyone else. Every cybersecurity manager will learn this lesson over time. Risk acceptance will always stay with senior management. Knowing that, the cybersecurity manager will be able to sleep comfortably.