CFOs are often perceived as gatekeepers to the company’s cash coffers. With different functional leaders vying for project investments, it is true that the role of the CFO is to help prioritize the company’s spend, based on the business growth plan and trajectory.
I’ve been a CFO in the Cybersecurity industry for more than 7 years. During this time, I’ve seen the industry invest millions in defense controls, yet adversaries are still breaking through. I joined AttackIQ because I believe in the company’s ability to help cybersecurity teams be strategic and proactive with their cybersecurity programs. But how do you convince your CFO that the company needs another cybersecurity product, and in this case, a platform like AttackIQ? My advice: think like a CFO. Here are three ways to pitch your financial leader on why you need an automated security control validation platform to help keep adversaries at bay:
1. Adopt an “ROI First” mindset.
Manual control validation methods, such as penetration testing and red teaming, have long been the go-to approaches to security control validation. Manual testing is often done quarterly, semi-annually, or on an as-needed basis, which makes it appear to CFOs as a limited cost item.
In practice, however, manual testing can be expensive and inefficient. Pen testers are typically external consultants, who charge a substantial premium for their hacking expertise. Due to the limited nature of the engagement, pen testers evaluate only a small segment of the network at a time, requiring multiple engagements or multiple pen testers who are not necessarily aligned in their testing or reporting methods. Once the pen testers have delivered their reports, your in-house team is left to figure out how to remediate the security gaps. Even if they implement the fixes, your organization won’t know if it’s secure until the next pen testing engagement—or the next breach.
In contrast, automated security control testing solves both cost and inefficiency challenges by providing continuous testing across the entire network. While you don’t need to get too technical, it is important to explain that the AttackIQ platform is not another security control. It is a system that constantly validates that your firewall, DLP, EDR, SIEM, etc. are actually doing what they purport to do. Limited and sporadic testing in an isolated proof-of-concept environment can’t match the confidence you get from a platform that allows your team to think like the adversary and be both strategic and proactive in your cybersecurity program.
It’s clear the methodology is superior, but how do you show the business value of AttackIQ? IDC interviewed 5 of our enterprise customers to calculate the benefits. Overall, IDC found that study participants achieved significant business value by:
- Improving the overall efficiency of SOC and red security teams and helping organizations break down counterproductive silos between red and blue teams
- Fostering better staff collaboration, thereby improving security postures including threat identification and remediation, while reducing the impact of breaches when they occurred
- Significantly reducing the cost of security breaches while maintaining leaner security staff profiles
- Providing ongoing continuing education to help security teams better anticipate the changing tactics used by attackers
Here’s how this looks by the numbers:
Plus, the ATC tool delivers your results as part of a five-page executive-level summary report that you can hand to your CFO.
2. Explain the mission-criticality of the investment.
The message to your CFO should be direct: frequent testing is mission critical, because it reduces the time that a breach goes undetected. The faster you can find and solve a gap, the less likely hackers will be able to get into your systems, access your customer data, cause financial pain, and potentially ruin your brand reputation. Frequent testing accelerates breach detection, which directly affects the potential cost of the breach to the organization. IBM has found that companies able to detect and contain a breach in under 200 days spent on average $1.1 million less than those who took longer. Headlines today are rife with examples. In the case of SolarWinds, hacking exploits went undetected for nine months. In the Colonial Pipeline attack, the company paid $4M+, but was able to recoup $2M with the help of the US Government. JBS paid $11M in response to a cyberattack that led to the shutdown of its entire US beef processing operation. Adopting a threat-informed defense is mission critical to being prepared for attacks. AttackIQ embodies the old adage that “an ounce of prevention is worth a pound of cure.”
3. Show how you will improve efficiency and productivity.
It has been painfully apparent for the past decade that security talent is hard to find. According to a 2020 survey by (ISC)2, there are nearly 3.12 million unfilled cybersecurity positions worldwide. Entry-level applicants are available, but the cost and time to train them to proficiency can be formidable. Existing staff are stretched to capacity, leading to increasing turnover.
Systems such as the AttackIQ Security Optimization Platform augment human activity in threat hunting, red teaming, compliance auditing, and more. By automating individual tasks as well as handoffs between security, development, and engineering teams, such platforms can increase productivity by as much as 100%. They can also be used for security analyst training and certification. A corollary benefit of this is increased employee morale and retention, which drives down recruitment and training costs.
In the end, the pitch to the CFO is fairly straightforward: Talk numbers. Show how ROI will be measured. Share the impact of the investment. And utilize the tools at your disposal to help make the case. Chances are your CFO already fully realizes the criticality of cybersecurity investment; your job is to help your leadership team understand that an investment specifically in threat-informed defense founded on proactive control validation is the best choice for protecting the business.