EARNING THE BUDGET: A CISO’S GUIDE TO BUSINESS ALIGNMENT

In this first installment of the "CISOs How to" we will look at an age-old question. How do you align your security program to your business? How many times have you heard the advice, "speak the language of the business", but how often has that advice included any guidance on how to do that? This article is going to explore that very question. I teamed up with a CPA and former CFO to get to the heart of cybersecurity financial alignment.


INTRODUCTION

In today’s business world, cybersecurity is not just the responsibility of the Information Technology (IT) function, but instead, a mission-critical business risk that demands the attention of executives and those charged with governance (e.g., Board of Directors). Most often, it falls to the Chief Information Security Officer (CISO) to lead the cybersecurity response across the organization. When CISOs “speak the language of business” and “ensure the alignment of the cyber security program to the broader business objectives and strategy,” they increase their odds of successfully obtaining the resources needed across the organization and elevate their profile in the eyes of their fellow executives. This guide is intended to help CISOs elevate their profiles and business savviness by sharing best practices to achieve cybersecurity/business alignment and provide an overview of common financial metrics used in the language of business.


THE LANGUAGE OF BUSINESS

Sticking with the language analogy, consider the four primary “languages” to understand – accounting (historical financial data), finance (predictive data based on future assumptions), economics (external data regarding the general economy at macro and micro levels), and risk (likely loss exposure). Even though there are other critical areas in business such as sales, marketing, human resources, and operations, the fundamental principles and vocabulary of these four languages are useful guides to understand the information context used in organizational decision-making processes.


STARTING POINT: UNDERSTAND INDUSTRY, REVENUE, AND COST DRIVERS

Commercial organizations that employ a CISO are involved in an exchange to produce a product and/or service to ultimately meet the needs of consumers. A CISO who demonstrates a strong understanding of what is provided to generate cash inflows and what resources are consumed in terms of cash outflows can claim with conviction that they understand the business operating model. Since industries vary, it is critical to understand the industry and related operating model, including whether a centralized and standardized approach is adopted or whether the organization operates under a decentralized and nonstandardized model where business units may compete for resources and market share.


THE LANGUAGE OF ACCOUNTING

Once the operating model is understood, the next step is to gain an understanding of the accounting language. The accounting language is focused on historical financial information presented in accordance with Generally Accepted Accounting Principles (GAAP). There are three main financial statements that a CISO should be familiar with:

  • The Balance Sheet: The balance sheet provides a snapshot of a company’s financial position at a specific point in time, showing its assets, liabilities, and shareholders’ equity.
  • The Income Statement: The income statement shows a company’s revenues and expenses over a specific period of time, providing insight into its accounting profitability measures.
  • The Cash Flow Statement: The cash flow statement shows the inflows and outflows of cash for a specific period, giving an idea of the company’s liquidity.

The financial statements are presented on a going concern basis which assumes the organization will stay in business. However, there are times when the organization may be heading for bankruptcy due to not having enough cash to pay its bills or lenders. In those cases, the notes to the financial statements will describe the challenges the company has and its plans to secure more liquidity.


Financial Statement Trends to Watch for CISOs

The Balance Sheet

  1. Working Capital (Current Assets – Current Liabilities): Is working capital increasing or decreasing?
  2. Capital Structure: Is debt increasing or decreasing and when is it due for repayment (i.e., current vs. long-term classification)?

The Income Statement

  1. Top-Line Revenue Growth: Is there an increase in revenue period over period and what are the drivers of this trend (e.g., new customers, higher prices, acquisition of another firm, etc.)?
  2. Net Income: Is there an increase or decrease period over period and what are the drivers of this trend (e.g., sales growing faster than expenses to result in higher net income; interest expense growing faster than revenue because debt is being used to finance growth via acquisition, etc.)?

The Cash Flow Statement

  1. Cash Balance Changes: What category (i.e., operating, investing, financing) is generating or using the most cash?
  2. Is cash from operating activities increasing or decreasing?


Seeing these trends often serves as a catalyst for further discussion with, and insights from, the finance group. This understanding can help a CISO align their security program with the financial goals and priorities of the organization. For example, if the focus is on increasing revenue, the CISO may prioritize security measures that support business development initiatives. If the focus is on reducing expenses, the CISO may prioritize security measures that help streamline and automate processes by driving toward a centralized and standardized control model. Additionally, understanding the cash flow statement can help the CISO identify areas where security investments can have a positive impact on the company’s liquidity. The accounting language and GAAP financial statements serve as a common and consistent mechanism for reporting financial performance, which includes tracking revenues, expenses, capital, and other items. They also allow companies to track and communicate these results to a wide range of interested parties.


THE LANGUAGE OF FINANCE

After you understand the basic accounting principles it’s important to understand the language of finance. Finance is used to predict what might happen in the future when organizations estimate future outcomes that involve projecting revenues, expenditures, and associated cash flows. Oftentimes, organizations will set internal target rates of return, and projects that do not meet such rates are not approved. As organizations mature, this type of financial discipline becomes a common practice and is used to evaluate capital projects. When it comes to the language of finance, it is important to understand:

  • Value assessments
  • Future projections
  • Return rates
  • Capital allocation

For managers to make informed decisions under uncertainty, it is crucial to have a solid understanding of finance as well as accounting.


THE LANGUAGE OF ECONOMICS

Unlike accounting and finance, which mostly focus on the internal workings of an organization, economics looks at the external factors that affect the organization, such as macro and micro-markets and regulatory expectations. Economics informs market pricing that reacts to external factors such as inflation and rising and falling interest rates. Some of the key concepts in economics that managers should understand include:

  • Supply and demand (and equilibrium)
  • Consumer preferences
  • Indifference curves
  • Substitutes
  • Price elasticity

Of course, there are many more economic principles that are relevant to businesses, but these are some of the most important ones to know.


THE LANGUAGE OF RISK

The last language is risk. It should be top of mind for the CISO and complements the three languages of accounting, finance, and economics. In today’s dynamic business environment, risk management is a crucial part of decision-making processes for businesses. When thinking about the “language of business,” it is important for CISOs to clearly articulate how cyber risk differs from other business risks and how pervasive each is. Recognizing that business risks include all types of risks that can impact the business, including cybersecurity risk, we will nonetheless separate these two types of risks for purposes of this paper.

Business risks include financial risks, such as market fluctuations or economic downturns, as well as operational risks, such as supply chain disruptions or natural disasters. Understanding an organization’s business risks, which are often a function of a greater strategy, is vital for CISOs to ensure that their security programs are aligned with the organization’s goals and objectives.

Cyber risks are specific to the information technology landscape and can include risks such as unauthorized access, internal and/or integrated third-party supplier data breaches, business interruption due to a cyber-attack, and related system failures. Improperly addressed cyber risks can result in a catastrophic impact on an organization’s operations, finances, and reputation, making it critical for CISOs to have a deep understanding of these risks and the specific organizational responses.

Because cyber risks are pervasive and frequently evolving based on technology, they require ongoing and diligent efforts to manage and mitigate, often requiring specialized knowledge and expertise. Additionally, cyber risks can have a cascading impact on an organization’s operations and reputation, requiring specific considerations when developing comprehensive risk management strategies. Consequently, CISOs need to understand and be able to articulate how cyber and other business risks differentiate, complement, interlock, and/or influence each other.

DETERMINING VALUE

Once you have a solid understanding of the language of business you can start to ask questions about how your organization determines value. Understanding value drivers is fundamental to the alignment of cybersecurity strategies with business goals. It helps CISOs identify and prioritize assets that need the most protection and to make more informed decisions about resource allocation. To understand value, CISOs should consider what factors add value and what factors detract from value, along with the timeframes involved. This can create tension, and the savvier CISOs who understand the different languages of business are best equipped to navigate these common challenges. For example, some stakeholders (like certain executives) are very short-term focused. If incentive compensation is based on minimizing quarterly spend to achieve an accounting metric, such as EBITDA, CAGR, GP, or EPS, then cyber security resources and related investment could be constrained, resulting in excessive risk and “technical debt” that accumulates over a longer horizon. Conversely, owners and customers may have a long-term time horizon and are vested in seeing revenue growth due to a strong market presence and high customer trust that is reinforced by a strong, sustainable cyber security reputation. This can result in a rising stock price, increasing dividends, and significant wealth creation. By understanding the most important short- and long-term value drivers, CISOs can then factor in this information when making resource allocation decisions for cybersecurity resourcing. Decision factors can include tradeoffs impacting operational efficiency, brand reputation, customer satisfaction, and innovation. These trade-offs will vary depending on the industry and the company’s business model.

For example, a software company may create value through the development of innovative new products where security by design is a critical element of the DevSecOps process. A manufacturing company that is not capturing personal information but has significant risk around an integrated supply chain may create value through operational efficiency, inventory velocity, and supply chain digital resiliency, resulting in better cost control. Here are some of the most common financial metrics:

  • CAGR (Compound Annual Growth Rate)
  • EBITDA (Earnings Before Interest, Taxes, Depreciation, and Amortization)
  • COGS (Cost of Goods Sold)
  • Gross Profit (GP)
  • SG&A (Selling, General, and Administrative) Cost
  • Earnings per Share (EPS)

Understanding financial metrics is important for any CISO in order to align a cybersecurity program with an organization’s financial goals and, more importantly, ensure that the cybersecurity resource allocation decision delivers value that aligns with financial targets while not taking on undue risk. By modeling different cybersecurity spend scenarios and understanding the impact on the organization’s most relevant financial metrics when working with the Chief Financial Officer (CFO), the CISO can achieve a win/win.



Common Financial Metrics and their Ownership Structures

  • CAGR (Compound Annual Growth Rate): CAGR measures the annual rate of return over a specified period. It’s a good metric for fast-growing startups and other growth-oriented companies since it measures the company’s annual growth rate.
  • EBITDA (Earnings Before Interest, Taxes, Depreciation, and Amortization): EBITDA measures a company’s operating performance and adjusted profitability and serves as a proxy for cash flow. This is a commonly used metric across most commercial organizations and sophisticated CISOs need to understand how cybersecurity spend (both opex and capex) impacts EBITDA.
  • COGS (Cost of Goods Sold): COGS measures the direct costs involved in producing goods or services. It’s a good metric for manufacturing companies or retailers.
  • Gross Profit (GP): GP measures the amount of profit after accounting for the cost of goods sold (COGS). It’s a good metric for firms that have direct costs that drive core operating revenues, such as manufacturing companies or retailers.
  • SG&A (Selling, General, and Administrative) Cost: SG&A measures the operating expenses that are not directly related to producing goods or services. It’s a good metric for companies that have a lot of costs when trying to grow and acquire market share, such as newer software or startup firms.
  • Earnings per Share (EPS): EPS measures the amount of earnings a company generates for each outstanding share of common stock. It’s a good metric for publicly traded corporations since it measures the company’s profitability at a per-share level.



OPEX VS CAPEX AND BUDGETING

CISOs should be aware of the difference between capital expenditures (CAPEX) and operating expenses (OPEX) and how they impact financial metrics like EBITDA. Capital expenditures (CAPEX) are typically organizational spend on assets that generate use or benefits for periods longer than a year, such as computer hardware or certain types of intangible assets. Operating expenses (OPEX) are typically organizational spend on ongoing costs, like salaries or software subscriptions, that are necessary to keep the business running and are not eligible to be capitalized based on company policy and Generally Accepted Accounting Principles (GAAP). Bernard Golden, an advisor for CIO magazine, puts it another way: “Once you have purchased a capital good, you’re stuck with it, as anyone who has purchased a car understands; even if you’re no longer excited about owning it, the finance company still expects a monthly payment. By contrast, if you rent a car, you are committed to it only as long as you want to use it – and once you’ve paid for that use, you have no further financial obligation.”

Traditionally, we thought of a piece of hardware (e.g., a firewall) as CAPEX and the SaaS version of that control (e.g., a SASE) as OPEX. However, that traditional view is changing. According to Prashant Saxena at the Smurfit Business School: “It’s no longer as simple as on-premise data centre = CAPEX and Cloud = OPEX. More flexible OPEX funding arrangements are available across the full gamut of IT architectures from on-premise to hybrid and public cloud. On-premise or private cloud infrastructure can be leased to provide an off-balance-sheet transaction. Combined with management, it provides the infrastructure and administration for a predictable monthly fee, and allows organizations to focus on core tasks. On-premise infrastructure combined with public cloud for non-core workloads, data protection, and DR can all be delivered via a true OPEX model, with a single monthly bill.” It’s important to note that the recent lease accounting rules may change where this example applies, so confirm the accounting treatment with the CFO.

The general industry trend for IT and cybersecurity applications and services has been moving towards OPEX and away from CAPEX, motivated in large part because there is a high level of stickiness with subscription-type services and investors value recurring revenue streams. In addition, switching costs can be high, so when evaluating where to allocate cybersecurity resources, understanding the total cost of ownership, including switching costs, requires a longer-term view and a more strategic understanding of the organization. For example, if the organization was interested in being acquired, it may not make sense to invest a significant amount of capital in building up a SOC infrastructure compared to using an outsourced provider with lower upfront costs offering a subscription-type service.


LEASE VS BUY SCENARIO

Using a simple example of a lease vs. buy scenario, imagine you wanted to start a delivery business that would make $4,000 per month but you first needed to buy a delivery truck. You could buy the truck up front for $100,000 cash or you could lease it for $1,800 a month for 60 months, which would result in a total cost of $108,000. Saving $8,000 might seem like a better decision at first, but consider that the business would only have to pay $1,800 for the first month and then the truck would make $4,000 per month. That income would more than cover the truck’s payment, and since you only spent $1,800 instead of $100,000 for the first month, you would have $98,200 to invest in other parts of your business.

For IT programs, other benefits of “renting” capacity can include quicker time to value, immediately engaging experts and not incurring an internal learning curve, and allowing the focus to be on the core competencies of the organization. For instance, it takes much less time to consume the outputs of an MSP than to build and develop the expertise to run an entire in-house SOC.

Although the accounting treatment of cybersecurity budgets should not solely determine cybersecurity spend rationale, it is useful to understand the business’s budget buckets for CAPEX and OPEX and ways to adjust security projects to meet those budgets. For example, CAPEX is often favorable for firms that want higher EBITDA since capital costs are depreciated/amortized. This means they do not directly impact Earnings Before Interest, Taxes, Depreciation and Amortization (EBITDA). Conversely, if CAPEX commitments are accounted for based on estimated useful lives (and a recent trend we have observed is that CFOs are extending the initial useful life estimates of technology), then CISOs may have to wait longer than initially anticipated to replace certain technologies. For example, if a piece of on-prem hardware is acquired and expected to be depreciated over three years, but the CFO elects to revise that estimate to four years based on “facts and circumstances” (including if the on-prem device is still fully functional after three years), then the CISO may be in for a surprise if there was an initial plan to replace the device in three years. Keep in mind that some CFOs are reluctant to approve CAPEX for items that are not fully depreciated.
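As an added illustration (not from the original article or its authors), the following Python model carries the truck figures above through all 60 months, then applies the same CAPEX-versus-OPEX logic to a hypothetical security control and shows how a useful-life revision reshapes the depreciation schedule. The $90,000 appliance, $36,000/year subscription and $2,000,000 revenue baseline are constructed for illustration; the truck numbers are the article's.

```python
"""Lease-vs-buy cash model and CAPEX/OPEX impact on EBITDA (added example)."""
from __future__ import annotations


def lease_vs_buy(price: float, lease_payment: float, months: int,
                 monthly_income: float) -> dict:
    """Compare buying an asset outright with leasing it over `months`.

    Assumes (as the article implicitly does) that the business starts with
    exactly `price` in cash, earns `monthly_income` from the first month, and
    that residual value and any return on retained cash are ignored.
    """
    # Buyer spends all cash on day one, so its position is just cumulative income.
    buy_cash = [monthly_income * m for m in range(1, months + 1)]
    # Lessee keeps the purchase price and nets income minus the lease payment.
    lease_cash = [price + (monthly_income - lease_payment) * m
                  for m in range(1, months + 1)]
    # First month in which the buyer's cash position overtakes the lessee's.
    crossover = next((m for m, (b, l) in enumerate(zip(buy_cash, lease_cash), 1)
                      if b > l), None)
    total_lease_cost = lease_payment * months
    return {
        "total_lease_cost": total_lease_cost,
        "lease_premium": total_lease_cost - price,       # $8,000 in the article
        "cash_retained_month_1": price - lease_payment,   # $98,200 in the article
        "buy_cash_end": buy_cash[-1],
        "lease_cash_end": lease_cash[-1],
        "buy_overtakes_lease_month": crossover,
    }


def depreciation_schedule(cost: float, life_years: int,
                          revised_life: int | None = None,
                          revision_year: int | None = None) -> list[float]:
    """Straight-line depreciation, optionally revising the useful life.

    A useful-life revision is applied prospectively, as a change in estimate:
    from `revision_year` onward the remaining book value is spread evenly over
    the remaining years of `revised_life`.
    """
    schedule, book, annual = [], cost, cost / life_years
    for year in range(1, (revised_life or life_years) + 1):
        if revised_life and year == revision_year:
            annual = book / (revised_life - (year - 1))
        charge = min(annual, book)
        schedule.append(round(charge, 2))
        book -= charge
        if book <= 0:
            break
    return schedule


def spend_scenario(revenue: float, other_opex: float, capex: float = 0.0,
                   capex_life: int = 1, subscription: float = 0.0) -> dict:
    """Year-1 EBITDA and EBIT for a control bought as CAPEX vs. paid as OPEX.

    Only the depreciation of CAPEX reaches EBIT (below the EBITDA line), while
    a subscription is OPEX and lowers EBITDA directly.
    """
    ebitda = revenue - other_opex - subscription
    depreciation = depreciation_schedule(capex, capex_life)[0] if capex else 0.0
    return {"ebitda": ebitda, "depreciation": depreciation,
            "ebit": ebitda - depreciation}


if __name__ == "__main__":
    print(lease_vs_buy(100_000, 1_800, 60, 4_000))
    # Hypothetical $90k appliance, 3-year life revised to 4 years in year 2.
    print(depreciation_schedule(90_000, 3, revised_life=4, revision_year=2))
    print(spend_scenario(2_000_000, 1_500_000, capex=90_000, capex_life=3))
    print(spend_scenario(2_000_000, 1_500_000, subscription=36_000))
```

The crossover month shows the point the article's first-month view leaves out: with no return on the retained cash, the buyer's position only overtakes the lessee's in the final months of the 60-month term.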



ALIGNING CYBERSECURITY BUDGETS WITH FINANCIAL BUSINESS GOALS

There are several other ways to align cybersecurity budgets with financial goals, including investing in security measures to help reduce expenses that fall under SG&A categories by avoiding potential data breaches and their associated costs. Cybersecurity can also be used as a competitive differentiator or even a revenue generator by increasing organizational trust, which can provide customers with the confidence that their data is safe and secure, leading to more customers who value trust and security. Here are some creative ways to align cybersecurity budgets with financial business goals:

  • Turn cybersecurity expenditures into cost reductions: CISOs can identify areas where cybersecurity spending can lead to cost savings. For example, sun-setting legacy systems reduces licensing and maintenance costs while simultaneously improving the risk posture.
  • Turn cybersecurity expenditures into cost avoidance: CISOs can demonstrate how investing in cybersecurity can help the company avoid costs associated with data breaches or cyber-attacks. For example, investing in employee training and awareness programs can reduce the likelihood of successful phishing attacks or other social engineering tactics that could lead to a data breach.
  • Turn cybersecurity expenditures into competitive differentiators: CISOs can help the company differentiate itself from competitors by investing in cybersecurity that addresses customer concerns. For example, a company that invests in secure mobile applications or a secure e-commerce platform can attract more customers who value security and privacy.
  • Turn cybersecurity expenditures into revenue generation: CISOs can help the company generate revenue by leveraging cybersecurity capabilities to create new products or services. For example, offering managed services, incident response, or penetration testing to their customers to generate additional revenue streams.
  • Leverage cybersecurity to improve customer retention: CISOs can show how investing in cybersecurity can improve customer retention by reducing the risk of data breaches or cyber-attacks that could compromise customer data. For example, a company that implements multi-factor authentication (MFA) for its online services can increase customer confidence in its security and reduce the likelihood of customer churn. Additional examples could include complementary service-level agreements (SLAs) for customer incident response, security updates, reports, threat intel, education, or awareness programs.
  • Align cybersecurity spending with business units: CISOs can work with business unit leaders to identify cybersecurity risks and priorities that align with the financial goals of each unit. For example, a sales team may prioritize secure collaboration tools to close deals faster, while a finance team may prioritize secure payment processing to reduce the risk of fraud.
  • Invest in cybersecurity to enable new business models: CISOs can demonstrate how investing in cybersecurity can enable new business models or revenue streams. For example, a company that invests in blockchain technology and smart contracts can create a secure platform for conducting digital transactions, which could enable new business models and generate additional revenue streams.


CONCLUSION

Learning the languages of business and understanding how value is measured can help CISOs align their security program with the organization’s financial goals. This alignment is essential for securing funding for critical security tools and headcount while supporting the CFO in meeting financial targets. CISOs can demonstrate the value of their cybersecurity program by translating cybersecurity expenditures into cost reductions, cost avoidance, competitive differentiators, or revenue generation. By understanding how cybersecurity affects the company’s financial metrics, CISOs can make informed decisions that align with the organization’s goals, including reducing costs, increasing revenue, or achieving specific financial targets like EBITDA, CAGR, SG&A reduction, or earnings per share. The ability to translate will allow you to articulate how your cybersecurity spending delivers value and aligns with financial targets.
