
As organizations continue to prioritize security, CFOs are getting more involved with information security spend and even certain cyber security reporting frameworks.
Here are our top tips for CFOs as they become more involved in different areas of cyber security:
Sales Process and Customer Requests
– Account for security planning and remediation with every sales opportunity. Don’t just consider the capital cost of buying a solution or fixing a specific problem; also consider the ongoing operational costs of managing that tool or process over time.
– If you’re asked to incorporate a type of firewall or other security widgets, be sure to consider the recurring licensing costs, as well as how it integrates into your overall technology environment.
– Centralize all the findings and remediation commitments that your organization makes in association with sales activities. This will help your organization avoid buying duplicate tools and reduce the amount you must spend on remediation efforts.
– Integrate someone with both a security and business skill set early in the sales process. This person will understand the impact that new technologies and other security requests will have on your overall program.
Audits and Certifications
– If you’re preparing for SOC, build efficient and thoughtful processes during the readiness stage. You will not only comply with requirements, but your processes will be operationally friendly once they’re implemented.
– Utilize effective project management for all your security projects. The project manager’s job is to make sure everything goes according to the scope, schedule, and budget you have set out.
– Be mindful of what goes into a SOC report, even if you get the certification. Customers and partners are starting to read these audits very closely, and there are lots of ways to say the same thing.
– Be sure to balance operational efficiency with compliance, because your auditors won’t. Compliance doesn’t have to come at the cost of successfully performing your processes.
Cyber Security Development and Operational Costs
– Perform a best practice assessment to identify problems within your security program early. The scope of this assessment should include your entire organization and use a best practice framework such as NIST 800-53 or ISO 27001 as a benchmark.
– The people auditing your security program should focus on how to fix the problem, not just on identifying it. The goal isn’t simply to audit your security program, but to understand its current state and how to fix it.
– If you’re outsourcing the management of your security program to another company, consider having them build and remediate specific processes, since it will be in their best interests to make sure they’re efficient.
– Use the measurement of your current state to set up a roadmap for a multi-year remediation plan that includes both implementation costs and the ongoing operational and resource costs for your security program.
– Use a subcontractor to manage incidents. If you have an incident retainer, make sure that they manage the entire incident, including other vendors that you might need to engage.
– Establish incident retainers with negotiated hourly rates before an incident occurs. This will save you a great deal of money in the long run.
– Understand how to engage your cyber insurer early in the event of a breach. Like any other insurance company, they’ll have steps for engaging them that can make the difference between getting covered or not.
– Make sure you have a communication process in place and ready to go before an incident occurs. Many attacks like ransomware set time limits for businesses to make a decision before they do something like delete your data.
– Accurately report the cost of security to your boards and make sure to report to them early.
– Save on security costs through outsourcing. In many situations, this will be the only way you’ll be able to build the security program you need, since service level agreements can protect the quality of what you build.