This is part 6 of 9 in the Getting More Out of Your Security Budget Series
According to a PwC survey, 53% of CFOs are looking at accelerating their digital transformation initiatives. But, do they know that security is an important part of that growth? Making sure that security gets accounted for in your company’s budget can be challenging, but it’s a very worthwhile pursuit to ensure the future protection of your business. A lot of CFOs struggle to see the ROI of security, and a lot of security or developer folks struggle to show their CFO just why investing in security solutions is really one of the smartest moves you could make. So, we’ve put together a short guide on how to propose a security investment to your CFO. There’s even a budget request template at the bottom of the article to make your ask even easier!
CFO’s are busy people. Not only that, but they’re also managing budgets that seemingly get smaller and smaller, yet the asks for spending are becoming more frequent. This means CFOs are going to need some solid reason why your expense is worth it.
Security is even harder to sell than say, a new sales tool that directly generates more revenue for the company. Instead, security improvements have a ton of benefits that indirectly help the company earn revenue. Because of this, you’ll need to pull quantifiable data that can later be converted into increased sales dollars or reduced sales costs. It takes a bit more leg work.
Additionally, security expenses are usually pretty big! Your CFO might even laugh when they see your proposed vendor contracts. This is going to be especially true for small businesses that are just starting to invest in great security practices, whether for your own security hygiene or because compliance and vendors are asking you to.
There are four key things that CFOs generally look at when evaluating if something is “valuable” to their organization. This includes:
The great thing is that these four categories are generally broad enough that you can weasel your investment to fit all of them. For example, there’s multiple ways that a big expense could help you actually lower costs if it means that you no longer have to use multiple other tools that all do just half of the job. Reducing risks means that your proposed solution can help your company earn compliance or automate some aspect of maintaining compliance, which is also a productivity value-add! Compliance frameworks such as ISO 27001, SOC 2, and PCI-DSS all have a lot of security-specific requirements, so there’s a good chance your security investment will support this cause.
The two points that are harder to sell are increased productivity and increased growth. If you’re doing something like purchasing penetration testing, for example, try to look for a vendor that provides detailed reports which include remediation advice. With replication and remediation advice, your developers are much more likely to understand the risks at hand and feel prepared to patch them quickly. In turn, there’s less arguing between teams and less time wasted wondering how in the world that vulnerability is going to get mitigated. Thus, productivity goes up. And with more productivity, more revenue growth comes along, too. Then, if you choose to practice multiple penetration tests per year, you can even point out that your developers will adopt best secure coding practices, which reduces your risks of a breach. In other words, you see even more productivity and risk mitigation! Sold yet?
When proposing a security investment to your CFO, you better have some idea of where that money is coming from. CFOs usually aren’t too picky about where the budget comes from, as long as it exists. The best case scenario is obviously having your security improvement already considered in your budget. But, if it isn’t, you can offer to remove another line item in trade for your security improvement.
Back to the example of purchasing penetration testing, you could tell your CFO that it’s required for compliance, and it fits under that budget. If that budget doesn’t exist, or it’s all washed up already, suggest that something like your subscription for the short security training videos be cancelled instead, as your pentesting package also includes a Slack channel so you can ask those questions in the moment, to a real person. Therefore, the impacts to the budget remain the same (and maybe it’s even providing more to your team for less). 3. Understanding of the purchasing process
When do you actually need to go to the CFO with your proposal? What information do they actually need, specific to your organization? While our advice can certainly help you get organized, your team might have some specific requirements that you also need to take into consideration.
Your CFO is also going to want to know where you are in your purchasing journey. Are you just researching who is on the market? Or, are you ready to buy? Knowing this helps your CFO prioritize their time to review your ask. If you’re far out from your purchase and you don’t require the money for three months or more, they might ask you to sit tight. On the other hand, if you wait until you need the money in a week or less, you might find yourself delaying your deal until the CFO can find some time and organize the payment. Timing is crucial, and you should do your research into this as soon as possible.
Who is actually going to do the work to put your investment to use? Is it you? Is it another team you haven’t talked to in months? The CFO is going to want to know they aren’t wasting precious money on shelfware, or some variation of it.
In some cases, you might even have a team that is working together for implementation, and then another team who works on maintenance. It would help your case to clarify who these teams are, what role they’ll play in the adoption and use of your security investment, and how frequently people are going to be engaging with it. Better yet, identify one person from each team who will be the lead on ensuring the security improvement gets put to use effectively. This person will also be the one held accountable to report on the return on investment of the tool or service down the line (so pick someone who is on the ball with tracking these details).
There isn’t just one firm out there offering each security service or tool. Luckily for you, there’s a world of opportunities when it comes to finding a solution that fits your team’s unique needs. CFOs are going to want to see that you did thorough research and that you have strong reason to believe your choice is the best one. Compare the value of each offer by quickly reviewing pricing, features, and the four types of value (mentioned above) that each offer would give you. One solution might be a lot cheaper, but it might not lower your risk or increase your productivity as much as another solution. This is important to compare so your CFO feels like they’re viewing the whole picture.
It seems obvious, but it’s true. Trusting in yourself that you’re purchasing the right solution is going to help your CFO trust you too. Especially if you’re asking to commit to a $20,000+ security investment, your CFO is going to be closely reading your body language to see if you’re really believing that this proposed vendor is the best. When in doubt, ask your chosen vendor about any last questions or sales enablement tools that they can provide to help you boost your confidence before proposing the idea to your CFO. Here’s a few tips from Hubspot on how to use confident body language to sell your pitch well.
CFOs live in a world of numbers. They’re constantly calculating risk, revenue, future growth, and possible investments in very quantifiable terms. When you’re asking to spend a big chunk of change, you’ve got to speak their language. Here’s some metrics you can calculate to get your CFO to see the value of security:
This point is for the procurement team, or anyone who functions without an overarching view of what the security team has in place already. For example, if the security team already has a vulnerability scanning tool, you probably don’t need to vouch for another one. Unless you’re purchasing a new type of scanner (see more here on the difference between what SAST, DAST, RASP, and IAST mean to developers).
It’s also good to know what security solutions have similar functions. For example, vulnerability scanning, penetration testing, and red teaming are terms that are often used interchangeably but actually provide slightly different benefits (and have different ways of finding vulnerabilities). Do your research on your solution and relatives to it before approaching your CFO so that you can best answer their questions and prove that your investment is truly worthwhile!
Like you, the CFO doesn’t have a ton of time to review budget approvals. And they have even less time for people who don’t even know what kind of budget they need approved. Taking the extra few minutes to prepare your quantifiable data and value-adds that your security solution is going to bring to your organization gives you a leg up in your budget negotiations. This proves to your CFO that you’re taking this purchase seriously and makes it more likely that they’ll be ready to work with you (and not shut you down right away).
We just can’t iterate it enough! It’s starting to be a tough economy out there, so every dollar needs to be spent meaningfully. At the end of the year, the CFO and CEO are going to review their spending and impacts that it brought to the organization. The better ROI that your investment has, the higher likelihood that you’ll be able to secure more budget in the future.
If you’re working on an ROI calculation, try to do your estimate for the expected returns in 3 months, 6 months, and 1 year. The bigger your security investment, the further into the future you’ll want to plan for. While it can be harder to think in the long-term, we promise it’s necessary and worth it.
So, we gave you a lot of info on what to do (or not to do). But, how do you put this into practice? Download our editable template and just input the answers to questions that your CFO is bound to ask. It should take you 5 minutes to complete once you have all the information ready. Present them the template over an e-mail and you might even save yourself the call!