How do I tell my CFO what security technologies to buy?

Chief Financial Officers (CFOs) these days have a hard time balancing budgets and acquisitions, especially when it comes to security. While for a CIO or a CSO the decision to invest in security might seem like a no-brainer, CFOs have to evaluate security spending against other business costs. And security is often difficult to distinguish from IT operations if you’re not involved in either.

As security incidents involving large companies have begun affecting board members, with C-levels even stepping down following a data breach, security experts need to start helping CFOs understand security. Unlike other acquisitions, security cannot be put off until next quarter, not can it be fragmented. CFOs need to be made aware that security must be unified from the start; it allows for better contextual threat intelligence data and it’s probably less expensive in the long run to get the entire package instead of adding modules or integrating new solutions along the way.

The Difference between Data Center and Security

CFOs have a hard time distinguishing between IT operations and security, as they’re usually bundled under the same IT department umbrella. In terms of costs between the acquisition of new hardware or IaaS services and the acquisition of security technologies, the latter will often scare CFOs as they’re usually long-term and cannot be quantified.

If datacenter costs directly impact overall business growth, security costs to CFOs don’t usually translate directly to return on investment, as they provide no immediate or easily quantifiable result. To them, security only becomes evident when a breach has already occurred and the company is financially affected.

Outlining the Risks

When articulating security risks, CFOs often respond better to the business impact of those risks, instead technical details about zero-day vulnerabilities, advanced persistent threats and patch management. Using known examples of data breaches that relied on advanced malware covertly siphoning out intellectual property over the course of months or years, and applying numbers to the estimated financial impact on the business, might make the CFO more receptive.

It’s worth mentioning that, without comprehensive threat intelligence data, it would be close to impossible to identify a data breach in time or prevent it from occurring again. This would not only lead to public shaming but also reputation and financial loss.

The Unified Security Approach

The unified security approach also allows for streamlined management and fewer operational costs that usually come from maintenance teams dedicated to specific hardware or software. In that regard, it’s safe to assume that large companies spend a lot more on maintaining their current fragmented security program than a small or mid-range company that went for the unified approach.

Any cost-efficient and scalable virtualized data center needs similar-built security technologies that can seamlessly integrate with their infrastructure, otherwise integration and deployment costs risk being bigger than the acquisition price. With IT always working towards improving the data center with new services and hardware, a unified solution that can integrate with both current and future technologies can help cut costs in the long run, even if the initial purchasing price might seem a bit steep.

Security Analogies

When making a case for security spending with the CFO, use analogies and avoid technical jargon as much as possible. Focusing on implications and cost-versus-benefit ratios is also helpful as long as you throw in numbers and statistics to back up your claims. Reminding the CFO that any security issue or infrastructure downtime has a directly proportional financial outcome in dropped stocks, lost customers, or even lawsuits can sometimes help build your case.

To that end, it could be helpful to resort to football, shopping or any other analogy that fits your scenario. For example, the teams with the strongest defense usually end up winning the championship. Consequently, for IT operations to move forward and be leveraged to its maximum protection potential, they need to be protected so that they can focus on performance and efficiency instead of damage control and mitigation.

The car analogy could also be used, since everyone can relate to it. For example, regardless of how good your driving skills are, you still want a car that has airbags, seat belts and crumple. Of course, you don‘t buy a car for its security features, but for how fast it goes, it’s fuel efficiency or maintenance costs. The same applies to your datacenter. An agile, efficient and optimized datacenter may allow your business to scale quickly, but without proper security built in, the risk of “totaling” the business a security incident is extremely high.