Last Updated on March 16, 2023
When IT and cybersecurity executives sit across the table from business executives, the two groups think about organizational issues differently. This frequently leads to problems and disconnects when business-critical expenditures or initiatives are under discussion—such as upgrading your environment to comply with new mandates like the Cybersecurity Maturity Model Certification (CMMC) Level 3 or the California Privacy Rights Act (CPRA).
How can a technology person wrap his or her mind around what the CFO is thinking so that key ideas are communicated clearly?
To get much-needed advice on bridging the “IT/C-Suite divide,” best-selling author and business coach John Sheridan was our guest on a recent episode of The Virtual CISO Podcast. Hosting the show was John Verry, Pivot Point Security CISO and Managing Partner.
“This may come as unwelcome news to some of your audience,” John Sheridan remarks. “But when the CEO or CFO is looking at any kind of spend, any kind of investment, the first question probably is: ‘How does this help me find new customers or keep my existing customers?’ That’s about it.”
“They’re probably also thinking that anything to do with the IT world is an expense, a necessary evil, something that is not revenue-generating and therefore doesn’t really deserve a heck of a lot of their time,” adds John. “Yes, some will likely be—particularly given whatever experiences they might’ve had—more sensitive to the idea of risk management. Of not letting bad things happen. But first and foremost, I think they’re looking at whatever spend it is and asking, ‘What am I getting back here? And do I really need to invest in this?’”
John continues: “The drive is to cut expense, not spend more. So, what’s the justification? And I think particularly CFOs are trained to think in dollars and cents, not necessarily in more abstract terms like risk or quantifying those difficult-to-quantify things.
“Dollars and cents are easy to analyze, easy to understand, easy to argue about. But it’s the things that are difficult to quantify that—because they’re so tough to quantify—don’t get discussed. Don’t get considered with enough weight. Because if I can’t put a number on it and all I think about is in terms of numbers, it’s the classic, ‘If all I have is a hammer everything looks like a nail’ problem,” John qualifies.
“I think that’s really what we see,” notes John Verry. “In a perfect world, we’d have actuarial tables or exact calculations: ‘If you spend this $100,000 on ISO 27001, you’re 12% less likely to be breached, which will save you an average of $1.2 million and thus yields a $144,000 ROI. And we’ll gain three more customers with an average lifetime value of $X.’”
“But… that doesn’t exist,” laughs John. “So is it really just going in with an idea of ROI? If I was walking into your office and pitching it, should I just try to calculate an ROI? Or give you the data so you can calculate an ROI? How should I prepare?”
“To the extent that you can quantify anything, yes, you should quantify it,” John Sheridan advises. “If that means going to other parts of the business, like going into your VP of Sales or VP of Marketing and saying, ‘Hey, if I came to you and said I just got off the phone with our biggest customer and they’re a little ticked because someone used our login to their system and made off with a million of their customer records, what would you do? What would the consequences be?’ And after they got done shaking, they’d imagine the lost sales…”
“Beyond that, for things that can’t be quantified, I think you can ask some great questions, like:
‘Mr. CFO, what kind of risk are you comfortable with? If I came in here and told you that we had a breach, what are the consequences? Are you going to go to the boss? Am I? What’s the impact of that on the organization?’” suggests John. “Because I think it can go beyond, ‘Hey what are the odds of this happening?’ It’s if it does happen, what is the magnitude of the consequences? Is this a showstopper?”
“That’s an interesting idea about corralling other people to support your spend,” John Verry observes. “Like the sales guy who is hearing from one out of four customers, ‘Hey do you have an ISO 27001 certification?’ Or, ‘Tell me about your security story.’ Or the fact that we’re leaning out instead of leaning in. Or we’re not answering those questions. Or the marketing person who’s saying she researched the market and we’d be the first company in our market to be able to say we’re doing this, which would give us a significant value proposition that other people don’t have.”
“It could come in the opposite way, too,” John Sheridan replies. “Like, ‘Hey, Tom in Sales tells me that customers have been asking about this. We cannot be late to this party. We cannot be finding out too late that this is a table stakes requirement for getting an RFP,’ or something like that.”
“I think the bigger thing you bring up is also quite important,” validates John Sheridan. “There is more than one player involved in these decisions. So an IT professional has to have some organizational savvy. They have to realize that political support is often a key to making decisions of this magnitude. Getting Marketing onboard; getting Sales onboard; getting Production onboard. Understanding the competitive environment. It’s not just one meeting with the CFO. There’s a lot more going on behind the scenes.”
If you’re a technology executive who wants to be more effective in C-Suite conversations, be sure to catch this podcast with author and business coach John Sheridan.
A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC) This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.