Chief Financial Officer – the CISO’s best friend (or why it should be)

I came across an interesting article the other day (Does Your CEO Really Get Data Security?) that raised a controversial point about the relative importance of information security functions for today’s organizations.

It starts off by making a good argument that awareness of information security risks at senior leadership levels is crucial, but unfortunately it shoots past a sensible conclusion by suggesting that the position of the CSO might be more valuable to an organization than that of the Chief Financial Officer. Besides the point that comparisons like this are not helpful at any rate, least of all for the CSOs who often enough are still fighting for their seat at the table among the established C-roles, it is also an ill-conceived conclusion.

While the noticeably increased media attention is focusing minds on cyber risks at all levels, it should not be forgotten that information security is generally not a core purpose of an organization all by itself. Most companies are in business to generate value for their stakeholders, and they achieve this by maximizing the output of their assets, not just by protecting them. Without a thorough understanding of what those critical assets are, their role in the value chain, the moving parts and the fine-tuned processes, the information security function would struggle to add any real benefit.

The CSO should have a keen interest in a close relationship with the CFO, in order to understand what to protect and its true value to the organization and to be able to gauge appropriate security investment levels. Cultivating close ties to the financial officer would be a smart play at any rate. Information security often gets away with a lenient approach to justifying funding, as decisions are based on a mix of ‘Fear, Uncertainty and Doubt’ (FUD) and a lack of understanding of the complexities of cyber risk. With information security slowly becoming a mature function in many organizations, CSOs are expected to be at eye level with other leaders when it comes to financial intelligence. Just as it is important that senior leaders understand basic information security principles, it is important that information security leaders are fluent in basic financial principles. A point also well made by Jeff Snyder’s article over at

Great security leaders will not only be able to provide financially sound justification for investments to manage risks in their organizations, but will also take a key role in advising on risky yet financially promising business endeavors; in a language their CFO understands, of course, not in ‘FUD’ terms.