It would seem to make sense for finance chiefs to tightly hold their cybersecurity purse strings given such decisions can determine whether a company’s defenses are sufficiently hardened to avoid costly digital attacks.
Yet, in many cases, it’s tech executives who are calling the shots when it comes to allocating money to keep the company’s digital operations safe, according to findings of a survey of middle market executives tucked into a recent report from the consulting firm RSM US.
The survey, conducted during the first quarter, found that half of cybersecurity budgets “reside” under the chief technology officer and 42% reside with the chief information security officer. Just 34% of CFOs and 32% of CEOs hold the cyber-budget keys.
That’s notable, given that cyberattacks and cybersecurity can pack a financial punch. The average annual security center operations budget for large corporations stands at about $14.6 million, according to a recent survey from KPMG. Meanwhile, the average nation-state-backed cyberattack cost an estimated $1.6 million per incident.
Technically speaking, all budgets are under finance chiefs, but there is broad variation between companies as to who has more control, according to Tauseef Ghazi, RSM’s national leader of security and privacy. At many companies, the budgeting structure merits review, he said.
“I think the CFO controls the overarching budget but relies on their IT or security executives to help determine the needs,” Ghazi said in an email response to questions.
“In a lot of cases, the CFOs also see themselves as the overarching cost containment leaders, which can create push for lower budgets if the needs and risk for the organization are not explained properly… It is imperative that CFOs understand these risks and operational budgets in great detail as all budgets ultimately roll up to them,” he said.
There are pros and cons to where the remit for the cybersecurity budget sits, said Ghazi in an interview, noting that his firm has coached some companies to slide the budget into other departments, depending on what is happening within the firm.
But there are certain advantages that CFOs can gain by taking ownership, he said.
“From a pro standpoint, I’ve been doing this for 25 years, and when I see budgets being allocated through the CFO org generally the cybersecurity strategy is more aligned with their enterprise strategy driving to a business outcome,” Ghazi said in an interview. By contrast, when the tech executives have more control it can feel like it’s not being tailored to mesh with the organization’s strategy. “It’s more tools oriented.”
Likewise, one of the cons of having the cyber costs sitting outside the CFO’s main purview is that they might be distanced from the implications of certain decisions, he said.
For example, they might question why more cybersecurity expenses are needed if the company has purchased certain cloud-based products that are viewed as protective. But depending on which subscriptions or types of cloud services the company purchases, they still may need more protection, he said.
Another downside to having tech leaders oversee the cyber budget is that cybersecurity spend is often sacrificed to fund other tech and digital transformation projects, leaving companies open to a great deal of risk while they complete those projects, Ghazi said.
“We have found instances where cyber teams are doing the bare minimum to meet compliance obligations rather than building a holistic cybersecurity program that could be resilient against advancing threats such as ransomware,” Ghazi said in an email. “As such, it makes sense for [cybersecurity] to have the agility to operate separate from IT budgets and [have] direct line of sight to the CFO. IT operations and Security can often be in conflict.”