Reporting to the CFO instead of the CIO can help CISOs frame cybersecurity in business terms, position cybersecurity as more than a cost center, and reduce conflicts of interest between the CISO and CIO. This unlikely alliance is a way for CISOs to evolve from technical experts to strategic partners and broaden their influence.
Daniel Schatz, CISO at biotechnology research firm Qiagen, found that moving his reporting line from the head of IT to the CFO has broadened his focus from technical controls to helping manage business risk.
Within the IT function, the focus is on how security controls protect the environment and the organization’s data. Conversations revolve around integrating into the current IT stack, potential impact on performance, and user experience. “The conversation with the CFO is around ‘What kind of business risk are we trying to mitigate and what kind of cost are we looking at?’,” he says.
In Schatz’s case, the CFO has a good grasp of cybersecurity risk management, which provides a level of shared understanding. For his part, Schatz needed to level up his understanding of key finance fundamentals, such as EPS (earnings per share), EBIT (earnings before interest and tax), and OPEX/CAPEX (operating versus capital expenditure), to engage in productive discussions. “The CISO needs to get a good understanding of the business and what the CFO and the other executives at his level really want to talk about and learn the language of those folks.”
Reporting to the CFO helps frame cybersecurity in terms of business risk
CFOs may be primarily concerned with the financial performance of the business, but they also play a key role in managing organizational risk. This is where CISOs can learn the tradecraft of translating technical measures into business risk management.
Reporting to the CFO has helped Stephen Bennett, group CISO at Domino’s, focus more on business impact and cut back on technical jargon, improving discussions with people outside technical teams. “It’s only when you report to somebody who’s not in technology that you realize how much you talk in jargon,” says Bennett.
Risk, cost to the business, and protective measures are calculated differently by different audiences. In IT terms, the chance of a ransomware attack is discussed in terms of technical protections and the overall prevalence of attacks. Bennett has found that discussions with CIOs focus on the high likelihood of a ransomware attack within that technical frame of reference. “How I try to convey risk to the CFO is the same way I have to convey risk to the board. If you report to a CIO or CTO, you can use buzzwords and acronyms, but with a CFO, you have no leeway,” he tells CSO.
News stories about ransomware underscore the prevalence of these attacks, the ever-present risk of an attack on the organization, and how detrimental it would be in terms of data loss and downtime.
A CFO is more likely to ask how many incidents the organization has had in the last six years that have had an impact, says Bennett. The answer might be none so far, yet an attack could happen at any moment, as the news stories demonstrate. The risk must therefore be quantified on the basis of potential damage to the organization rather than on historical attack data.
Bennett has found the CFO to be a valuable resource for personal and career development, helping to improve his communication. The relationship facilitated a shift toward strategic risk discussions, particularly when presenting to the board, where the aim is to show the direct business impact of security investments. “Reporting to the CFO has challenged everything that I’ve believed in and challenged the way I’ve communicated throughout most of my career,” he tells CSO.
His experience demonstrates the importance of connecting cybersecurity initiatives to business outcomes and shows how the CISO’s role can be elevated from technical gatekeeper to business enabler.
Reporting to the CFO can improve discussions about funding
There is an art and a science to securing funding. Numbers matter in getting budget approval, and cybersecurity is at pains to be seen as more than a cost center. However, two-thirds (66%) of CFOs don’t fully understand the CISO role and have difficulty seeing the tangible return on cyber investment, according to an FTI Consulting survey. It’s something many CISOs know all too well.
“A CFO comes through the finance ranks without a lot of exposure to IT and I can see how they’re incentivized to hit targets and forecasts, rather than thinking: if I spend another two million on cyber risk mitigation, I may save 20 million in three years’ time because an incident was prevented,” says Schatz.
Budgeting and forecasting cycles can be a mystery to CISOs, who may engage with the CFO infrequently, and interactions are mostly transactional around budget sign-off on cybersecurity initiatives, according to Gartner.
Without more opportunities to interact, the disconnect on objectives and communication gaps between CISOs and CFOs can exacerbate the problem. “If there’s no common understanding of what you’re trying to achieve or prevent, technical security people may not understand that what they’re saying isn’t heard by the CFO in a way they can make sense of,” says Schatz.
CISOs who report to the CFO have time to build a common language that can bridge some of the obvious gaps between the technical and finance camps, which goes a long way toward justifying and securing funding. This includes explaining that cybersecurity is part of the organization’s insurance against attacks, and against the potential fines and revenue loss if a vulnerability is exploited, and why cybersecurity investments protect the company’s long-term financial stability.
“Talking about security, you’re talking about the future and trying to have conversations about why finance needs to up the insurance policy by giving security more money because otherwise things could go horribly wrong,” Bennett says.
Reporting to the CFO reduces CIO-CISO conflicts of interest
Where IT is primarily focused on technology performance and project timelines, security can be seen as a hindrance, leading to conflicts of interest between CIO and CISO responsibilities.
“If you look at a CIO’s remit, generally it’s their role to provide performing technology systems that are on budget, preferably ahead of time, whereas from a security perspective, we might hinder all of those factors,” says Bennett.
It’s not uncommon for CISOs to find security seen as a barrier whose benefits aren’t always obvious and whose demands are actually at odds with the metrics that drive the CIO. “Security might slow down a project, introduce a layer of complexity that we need from a security perspective, but it doesn’t obviously help the customer,” says Bennett.
Reporting to the CFO can relieve these potential conflicts of interest. It can allow CISOs to broaden their involvement across all areas of the organization, beyond input on technology, because security and risk management are a whole-of-business mission.
“It’s why security should not be seen as a technology function, but as a business function that spans across various areas,” says Bennett.
In Schatz’s case, his change in reporting structure to the CFO also elevated the CISO role to become a peer with the CIO, who similarly reports to the CFO. “It depends on the people involved, but I have a very good relationship with the head of IT, who’s not a security person, but he has very good IT skills and is very open for guidance on cybersecurity,” he says.
The two work productively together: Schatz provides guidance on cybersecurity, and they hold regular conversations about priorities and resources, with shared rather than competing objectives.
“We have very regular conversations about what are the priorities, how should we go about this and what kind of resources are more appropriate in which area,” he says.
The change in reporting structure also brought added responsibilities to his remit: Schatz acquired organizational risk management in addition to cyber risk. This requires a holistic understanding of the business and means managing risk everywhere across the organization.
“Where the CISO is very much focused on cybersecurity, now looking at enterprise risk management, it definitely requires a better understanding of the core business purpose and what we’re offering our customers,” he says.
Originally published as “Reporting lines: Could separating from IT help CISOs?” at CSO Online.