A CFO’s view of cloud security is necessarily one focused on ROI; what will the return be on our investment and how do we protect our stakeholders’ interests? That question is best answered by a CFO and we appreciate the view of Kevin Durkin, CFO of Threatstack, cited below.
Bottom line: Mr. Durkin suggests CFOs
In the time I’ve been CFO at Threat Stack, I’ve had some interesting discussions about cloud security with fellow CFOs at a few of our customers and prospects. They know security is important, but just like me, they are tasked with managing limited resources to meet their strategic and financial objectives. They have a financial plan they need to deliver on as well as budgets and gross margin targets; and this means they are constantly balancing risks against expenditures.
So when it comes to cloud security, they don’t want to spend more than necessary, and they want to make sure they’re getting real value for their money. But what is “necessary” and what is “real value”? Security of data and systems is essential, of course, but from my perspective as a CFO, that’s too narrow of a view. It’s as if someone checked off a Security requirement line item without looking more deeply and broadly at the specific benefits that a comprehensive cloud security system can deliver to each of the stakeholder groups within (or connected to) an organization.
Who are the Stakeholders?
A comprehensive cloud security platform should meet the needs of all stakeholders — and broadly speaking, the six main groups are: investors, board members and C-Level executives; CSOs and CISOs; Development; Operations; end users / customers; and we could add compliance regulators as well. By delivering unique values to each stakeholder group, what might at first appear to be a security expense can be seen in a new light as an investment that addresses the concerns of multiple individual areas in the company and collectively brings about greater organizational effectiveness and efficiency.
I spend a lot of time working with the first group — investors, board members, and C-Level executives — so let’s start there.
How Does the Executive Level Look at Cloud Security?
Let’s start with an accepted fact: data breaches are a part of life in today’s connected world, and preventing or remediating them is a necessary cost of doing business. It’s an ongoing cost that all businesses need to build into their financial and operational plans, and this is especially true for businesses in finance, healthcare, and retail, given that their customer data is both highly confidential and highly regulated. The Executive Level is fully aware that it is almost always less expensive to put a proper defense in place than it is to allow a data breach to occur, and for that reason, they understand the need to allocate budget to CSOs and CISOs.
Beyond data breaches, boards, senior management, and investors in publicly traded and privately held companies are concerned with the impact that security — or the lack of it — has on reputation and profitability. A 2016 study by IBM Security and the Ponemon Institute found that the average cost of a data breach is $4 million USD, with the full impact going beyond the cost of remediation to include the cost of lost business that results from a tarnished corporate reputation or brand image, the loss of customers, and the loss of goodwill. When these factors are added in, the total cost of a data breach, while harder to calculate, is significantly higher.
In short, investors, directors, and C-Level executives are taking — or are beginning to take — a holistic view that is equally concerned with customer acquisition, revenue growth, cash burn, and a path to profitability; security of data and systems; and finally, reputation and continuing viability — because they realize that these concerns, in the final analysis, are inseparable.
Advice for CFOs
CFOs are always looking for a return on investment. A cloud-native security solution that can be deployed rapidly can provide a streamlined platform to manage security risks. With the right system, the overhead of multiple tools and vendors can be eliminated, and the system’s automation capabilities can optimize existing assets.
My advice is to take a broad view of security — to “invest” in security. If you decide to do this, you can build and deploy your own solution, of course, but cloud security is probably not one of your core competencies. And therefore, a better option would be to identify a cloud security provider who has built a cloud-native solution using deep security and DevOps experience. Such a solution, coupled with a well-thought-out security strategy, will go a long way toward ensuring that you have cloud security that keeps your business and your customers safe, while it also protects the interests of your investors, directors, and C-Level executives — as well as all the other stakeholders.