How to Help Your CFO Take Out Cost While Optimizing Your Cybersecurity Strategy

March 18, 2020, by Nicola (Nick) Sanna

The coronavirus crisis has suddenly plunged us into a world where most companies have to quickly adapt to ensure the health and well-being of their employees and survive in the face of reduced orders and production.

You might be asked by your CFO to think about creative ways to save money and help the company conserve its precious cash while minimizing the risk associated with remote work. This might sound like an unsolvable problem for many CISOs and a tough discussion for you to have with your CFO, but it doesn’t have to be that way.

Consider using rapid risk assessments to:

  1. Identify what tools are no longer effective in reducing risk and that can be eliminated
  2. Understand what extra security measures should be put in place to support a remote workforce
  3. Build a business case for specific cybersecurity initiatives that become more important as the transition to online service delivery accelerates

Nick Sanna is Chief Executive Officer of RiskLens.

Ditch what doesn’t work (and save money)

Many cybersecurity programs share the same pattern. As new security threats emerge, we swiftly implement new solutions, but the same intensity does not go into evaluating the effectiveness of those solutions over time. The tools pile up, and so does the cost.

In that pile may lie several opportunities for cost take-out. Conducting cost-benefit analyses can help uncover them: tools whose probable risk reduction does not justify the size of the investment.

The current crisis might force you to look harder at the ROI of every initiative and help conserve cash, but why not make it a systematic process and improve the cost-effectiveness of your program over time? We know of some CISOs who made it an annual objective for their cyber risk management teams to uncover one or two expensive tools that could be safely eliminated.


Securely support a remote workforce

With work-from-home (WFH) policies coming into effect due to the coronavirus crisis, many CISOs are being asked to support a remote workforce. We have seen two themes suddenly emerge:

  • The first one is related to leveraging Virtual Private Networks (VPNs) to securely send and receive data across public networks. With more employees working from home, the following questions arise: do all of them need VPN access? What is the risk associated with not using a VPN? Is that an option for part of the workforce?
  • The second one is the sudden increase in phishing attacks, as cybercriminals feel that they can better impersonate remote working colleagues or COVID-19 response officials and engage in fraudulent activities.

Assessing the probable loss exposure related to a WFH policy and measuring the effectiveness of various controls in reducing the associated risk will help you answer questions on how best to address these situations. Our Professional Services team has conducted many such assessments using the RiskLens platform, allowing our customers to make well-informed, cost-effective decisions to securely support their remote workforce.

To help companies adapt to the crisis, we are now offering, for a 30-day period, to conduct such risk assessments for companies at no cost and to waive the requirement for the beneficiaries of those WFH assessments to pay for the use of the RiskLens software.


Justify cybersecurity projects to your CFO

The uncertain economic outlook for many companies has led many CFOs to tighten the criteria for approving new investments, with the goal of minimizing expenses and conserving cash throughout the crisis. Justifying cybersecurity projects gets harder, as only projects that are tied to a clear and proven business case get approved.

Speaking in terms of addressing threats and vulnerabilities is often no longer sufficient. What the CFO needs to hear is whether doing or not doing a certain project will have an impact on the bottom line, and by how much. Quantitative risk assessments that articulate risk in financial terms help CISOs speak the language of the CFO and demonstrate how effective a certain investment can be in terms of risk reduction. The CFO can then decide whether the current risk can be accepted by the company and, if not, what the best risk mitigation options are and at what cost.

Such cost-benefit analyses change the narrative around the justification of cybersecurity projects, especially the more expensive ones, and allow the CFO to weigh the options the CISO provides from a business perspective rather than trying to understand them on their technical merits. This ensures that the value of these projects is well understood by the CFO and the other business executives, and it elevates the CISO's profile to that of a business executive who happens to be in charge of cybersecurity.
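As an added illustration of the kind of financial cost-benefit check described above and in the cost take-out section (not code from RiskLens or the original post), a small Monte Carlo estimate of annualized loss exposure for a constructed phishing scenario with and without a control, netting out the control's yearly cost: a control whose risk reduction does not cover its cost shows a negative net benefit, which flags it as a take-out candidate. The scenario ranges, both hypothetical controls and their costs are constructed assumptions, and the sampling approach is a simplification rather than any vendor's or standard's exact procedure.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean

# Constructed example, not the RiskLens platform's own method: a loss scenario is
# a min / most-likely / max range for loss events per year and dollars per event.
@dataclass(frozen=True)
class Scenario:
    freq_min: float; freq_likely: float; freq_max: float   # loss events per year
    loss_min: float; loss_likely: float; loss_max: float   # dollars per event

def poisson(rng, lam):
    """Knuth's sampler: how many loss events occur in a year at average rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(s, trials=20000, seed=7):
    """Monte Carlo: total loss in each of `trials` simulated years."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        rate = rng.triangular(s.freq_min, s.freq_max, s.freq_likely)
        yearly.append(sum(rng.triangular(s.loss_min, s.loss_max, s.loss_likely)
                          for _ in range(poisson(rng, rate))))
    return yearly

def cost_benefit(baseline, with_control, annual_cost):
    """Annualized loss exposure (ALE) before/after a control, net of its yearly cost."""
    ale_before, ale_after = mean(simulate(baseline)), mean(simulate(with_control))
    reduction = ale_before - ale_after
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "ale_reduction": reduction,
        "net_benefit": reduction - annual_cost,   # negative: candidate for cost take-out
        "rosi": (reduction - annual_cost) / annual_cost,
    }

# Constructed phishing-loss scenario for a remote workforce and two hypothetical controls.
PHISHING = Scenario(2, 4, 6, 20_000, 200_000, 1_000_000)
MFA_AND_TRAINING = Scenario(0.5, 1.5, 3, 20_000, 200_000, 1_000_000)  # far fewer successes
LEGACY_FILTER = Scenario(1.8, 3.8, 5.8, 20_000, 200_000, 1_000_000)   # barely moves risk
```

Calling `cost_benefit(PHISHING, MFA_AND_TRAINING, 150_000)` yields a large positive net benefit, while `cost_benefit(PHISHING, LEGACY_FILTER, 250_000)` comes out negative: the second tool costs more per year than the loss exposure it removes.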
