Paul Proctor, distinguished VP analyst at Gartner, wants organizations to know they’re thinking about their cybersecurity investments incorrectly. Rather than focusing on factors beyond their control, he said, companies should set measurable levels of risk appetite. For instance, they might decide what they consider an acceptable window of time for patching a network vulnerability.
Finance leaders must also consider all the costs that go into cybersecurity investments, which include factors like including “business friction” like the loss of productivity when employees must repeatedly authenticate themselves on their computers, Proctor said.
CFO Brew sat down with Proctor at the recent Gartner CFO & Finance Executive Conference to get his thoughts on how CFOs and other leaders can improve the way they and their boards discuss cybersecurity.
This interview has been edited for length and clarity.
What areas of cybersecurity are CFOs concerning themselves with?
I would characterize it as the wrong things. Here’s the problem with any senior non-IT executive: They treat security like magic and security people like wizards who cast spells to protect the organization, and when something goes wrong, [they] fire the wizards. This is the way it’s always been done.
[When] you look at the things that they’ve got to measure security—like maturity and spending benchmarks and frameworks, which are a whole bunch of checkboxes—the fundamental issue is that they’re spending money to buy tools, and tools don’t actually equal protection. The bottom line is they’re not having productive conversations to guide priorities and investments in cybersecurity.
How can CFOs have more productive conversations?
We have to change the language of security at the bottom so that it can…actually end up aligned to priorities and investments that support the business. The way we’ve changed the language [when consulting clients] is it’s about delivered protection levels. You make an investment, it delivers a protection level.
News built for finance pros
CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.
[A] simple example of this is the speed with which you patch. The entire value proposition of patching, every single dollar you spend on it, is to reduce the amount of time that a vulnerability is available for exploitation. That’s it. [When a] vulnerability pops up, every second that that sits there waiting to get hacked is a problem. So the longer we take, the more trouble we’re in. So in the end, the protection level outcome here is the speed with which we patch.
What would you say is the best way to talk with boards and other C-suite leaders about cybersecurity?
I’ve been doing security for 40 years and I’ve seen all the machinations, and one of the more popular ones is, “The business wants to see things in dollars and cents. Everything should be reduced down to a monetary value.” Where we are today is getting good at running Monte Carlo simulations that tell us that that’s a $50 million risk, and then if you give me $3 million, I can get it down to a $25 million risk. But the flaw of all this is that we are using probabilistic estimates of things we don’t control—which is, how often will we get hacked, and will it hurt? The risk quantification part is, you don't control whether you get hacked; you don't control how bad it's going to be. What we’re doing is we’re changing the perspective now to things you absolutely do control, like how fast you patch your systems.