{"id":2951,"date":"2025-04-28T06:30:00","date_gmt":"2025-04-28T06:30:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2951"},"modified":"2025-04-28T06:30:00","modified_gmt":"2025-04-28T06:30:00","slug":"reporting-lines-could-separating-from-it-help-cisos","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2951","title":{"rendered":"Reporting lines: Could separating from IT help CISOs?"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Reporting to the CFO instead of the CIO can help CISOs frame cybersecurity in business terms, position cybersecurity as more than a cost center, and reduce conflicts of interest between the CISO and CIO. This unlikely alliance is a way for CISOs to evolve from technical experts to strategic partners and broaden their influence.<\/p>\n<p>Daniel Schatz, CISO with biotechnology research firm Qiagen, found the move from reporting to the head of IT to the CFO has broadened his focus from technical controls to helping manage business risk.<\/p>\n<p>Within the IT function, the focus is on how they protect the environment and the organization\u2019s data. Conversations revolve around integrating into the current IT stack, potential impact on performance, and user experience. \u201cThe conversation with the CFO is around \u2018What kind of business risk are we trying to mitigate and what kind of cost are we looking at?\u2019,\u201d he says.<\/p>\n<p>In Schatz\u2019s case, the CFO has a good grasp of cybersecurity risk management, which helps provide a level of shared understanding. For his part, Schatz needed to level up his understanding of key finance fundamentals, such as EPS, EBIT, and OPEX\/CAPEX to engage in productive discussions. 
\u201cThe CISO needs to get a good understanding of the business and what the CFO and the other executives at his level really want to talk about and learn the language of those folks.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Reporting to the CFO helps frame cybersecurity in terms of business risk<\/h2>\n<p>CFOs may be primarily concerned with the financial performance of the business, but they also play a key role in managing organizational risk. This is where CISOs can learn the tradecraft in translating technical measures into business <a href=\"https:\/\/www.csoonline.com\/article\/3839272\/what-is-risk-management-quantifying-and-mitigating-uncertainty.html\">risk management<\/a>.<\/p>\n<p>Reporting to the CFO has helped Stephen Bennett, group CISO at Dominos, focus more on business impact and reduce the use of technical jargon to improve discussions with people outside of technical teams. \u201cIt\u2019s only when you report to somebody who\u2019s not in technology that you realize how much you talk in jargon,\u201d says Bennett.<\/p>\n<p>There are different calculations of risk, cost to the business, and protective measures. In IT terms, the chance of a ransomware attack revolves around technical protection and the prevalence of attacks across the board. Bennett has found that discussions with CIOs focus on the high chance of a ransomware attack using a technical frame of reference. \u201cHow I try to convey risk to the CFO is the same way I have to convey risk to the board. If you report to a CIO or CTO, you can use buzzwords and acronyms, but with a CFO, you have no leeway,\u201d he tells CSO.<\/p>\n<p>News stories about ransomware underscore the prevalence of these attacks, the ever-present risk of an attack on the organization, and how detrimental it would be in terms of data loss and downtime.\u00a0<\/p>\n<p>A CFO is more likely to ask how many incidents the organization has had in the last six years that have had an impact, says Bennett. 
The answer might be none so far, but an attack could happen at any moment, as the news stories demonstrate. The risk must be quantified based on potential damage to the organization, rather than on historical attack data.<\/p>\n<p>Bennett has found the CFO to be a valuable resource for personal and career development, helping to improve his communications. It facilitated a shift toward strategic risk discussions, particularly when presenting to the board, where the aim is to show the direct business impact of security investments. \u201cReporting to the CFO\u2019s challenged everything that I\u2019ve believed in and challenged the way I\u2019ve communicated throughout most of my career,\u201d he tells CSO.<\/p>\n<p>It demonstrates the importance of connecting cybersecurity initiatives to business outcomes and how to elevate the CISO\u2019s role from technical gatekeeper to business enabler.<\/p>\n<h2 class=\"wp-block-heading\">Reporting to the CFO can improve discussions about funding<\/h2>\n<p>There\u2019s art and science to securing funding. Numbers matter in getting budget approval, and cybersecurity is at pains to be seen as more than a cost center. However, two-thirds (66%) of CFOs don\u2019t fully understand the CISO role and have difficulty seeing the tangible return on cyber investment, according to an <a href=\"https:\/\/www.fticonsulting.com\/about\/newsroom\/press-releases\/fti-consulting-survey-reveals-cisos-struggle-to-effectively-articulate-the-business-impact-of-cyber\">FTI Consulting survey<\/a>. 
It\u2019s something many CISOs know all too well.<\/p>\n<p>\u201cA CFO comes through the finance ranks without a lot of exposure to IT and I can see how they\u2019re incentivized to hit targets and forecasts, rather than thinking: if I spend another two million on cyber risk mitigation, I may save 20 million in three years\u2019 time because an incident was prevented,\u201d says Schatz.<\/p>\n<p>Budgeting and forecasting cycles can be a mystery to CISOs, who may engage with the CFO infrequently, and interactions are mostly transactional around budget sign-off on cybersecurity initiatives, according to Gartner.<\/p>\n<p>Without more opportunities to interact, the disconnect on objectives and the communication gaps between CISOs and CFOs can exacerbate the problem. \u201cIf there\u2019s no common understanding of what you\u2019re trying to achieve or prevent, technical security people may not understand that what they\u2019re saying isn\u2019t heard by the CFO in a way they can make sense of,\u201d says Schatz.<\/p>\n<p>CISOs who report to the CFO have time to build a common language that can bridge some of the obvious gaps between the technical and finance camps, which goes a long way toward justifying and securing funding. 
This includes explaining that cybersecurity is part of the organization\u2019s insurance against attacks, potential fines, and revenue loss if a vulnerability is exploited, and why cybersecurity investments protect the company\u2019s long-term financial stability.<\/p>\n<p>\u201cTalking about security, you\u2019re talking about the future and trying to have conversations about why finance needs to up the insurance policy by giving security more money because otherwise things could go horribly wrong,\u201d Bennett says.<\/p>\n<h2 class=\"wp-block-heading\">Reporting to the CFO reduces CIO-CISO conflicts of interest<\/h2>\n<p>Where IT is primarily focused on technology performance and project timelines, security can be seen as a hindrance, leading to conflicts of interest <a href=\"https:\/\/www.csoonline.com\/article\/567355\/6-signs-the-cio-ciso-relationship-is-broken-and-how-to-fix-it.html\">between CIO and CISO<\/a> responsibilities.<\/p>\n<p>\u201cIf you look at a CIO\u2019s remit, generally it\u2019s their role to provide performing technology systems that are on budget, preferably ahead of time, whereas from a security perspective, we might hinder all of those factors,\u201d says Bennett.<\/p>\n<p>It\u2019s not uncommon for CISOs to find security seen as a barrier whose benefits aren\u2019t always obvious and which is actually at odds with the metrics that drive the CIO. \u201cSecurity might slow down a project, introduce a layer of complexity that we need from a security perspective, but it doesn\u2019t obviously help the customer,\u201d says Bennett.<\/p>\n<p>Reporting to the CFO can relieve these potential conflicts of interest. 
It can allow CISOs to broaden their involvement across all areas of the organization, beyond input on technology, because security and risk management are a whole-of-business mission.<\/p>\n<p>\u201cIt\u2019s why security should not be seen as a technology function, but as a business function that spans across various areas,\u201d says Bennett.<\/p>\n<p>In Schatz\u2019s case, his change in reporting structure to the CFO also elevated the CISO role to become a peer of the CIO, who similarly reports to the CFO. \u201cIt depends on the people involved, but I have a very good relationship with the head of IT, who\u2019s not a security person, but he has very good IT skills and is very open for guidance on cybersecurity,\u201d he says.<\/p>\n<p>Working productively together, he is able to provide guidance on cybersecurity, and they have regular conversations about priorities and resources, with shared rather than competing objectives.<\/p>\n<p>\u201cWe have very regular conversations about what are the priorities, how should we go about this and what kind of resources are more appropriate in which area,\u201d he says.<\/p>\n<p>The change in reporting structure also brought added responsibilities to his remit: Schatz acquired organizational risk management in addition to cyber risk. It requires a holistic understanding of the business and means managing risk everywhere across the organization.<\/p>\n<p>\u201cWhere the CISO is very much focused on cybersecurity, now looking at enterprise risk management, it definitely requires a better understanding of the core business purpose and what we\u2019re offering our customers,\u201d he says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Reporting to the CFO instead of the CIO can help CISOs frame cybersecurity in business terms, position cybersecurity as more than a cost center, and reduce conflicts of interest between the CISO and CIO. 
This unlikely alliance is a way for CISOs to evolve from technical experts to strategic partners and broaden their influence. Daniel [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2945,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2951","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2951"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2951"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2951\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2945"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2951"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2951"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2951"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}