Wall St. Journal: “CFOs Grapple With How Much Cybersecurity Spending is Enough”

June 17, 2019  Jeff B. Copeland

According to a report from The Wall Street Journal’s CFO Network Annual Meeting, “CFOs Grapple With How Much Cybersecurity Spending is Enough,” finance chiefs often feel out of their depth when faced with demands for cybersecurity investments, particularly in an atmosphere of crisis. “Information security officers who ask for more resources have a compelling case,” The Journal notes, given WannaCry and other attacks that have “disrupted businesses at major companies around the world.”

But Judith Pinto, managing director at consulting firm Promontory Financial Group, spoke some risk-based sense to the CFO gathering, as reported by the Journal:

Companies should identify their biggest risks and spend enough to protect against them—the same processes they would use in any risk-management evaluation, Ms. Pinto said during a presentation at the CFO Network event. CFOs will know they have spent enough when they feel comfortable with the amount of risk their companies are assuming, she said. “That’s when you know you’ve spent or invested the right amount of money,” Ms. Pinto said.

We’re with Ms. Pinto: The FAIR model that powers the RiskLens platform speaks to CFOs in language they know from the rest of enterprise risk management: quantification of cyber risk in financial terms. Financial officers no longer need to listen to Fear, Uncertainty, and Doubt (FUD); they can reasonably expect answers to questions such as:

  • How much cyber risk (or loss exposure) do we have, in dollar terms?
  • Are we spending too much or too little?
  • Are we focusing on the things that can reduce risk the most?
  • Should we drop some initiatives (for people or software) and double down on others?
  • Are we adequately insured for cyber risk?
  • For every new dollar you are asking for, how much will you reduce risk?

For more, read our blog post:

The CFO’s Guide to Making Sense of a Cybersecurity Budget