Leadership & Management Column

Security and the CFO: Show Me the Money

February 1, 2011
KEYWORDS CFO / CSO / management
Jill Knesek

“I have been able to create relationships with the CFO and the C-suite, and I have regular quarterly meetings so that when it’s time to ask for money, the repertoire is there,” says Jill Knesek, CSO of BT.

Chief Financial Officer (CFO), Finance Director, Corporate Treasurer…whatever the title may be, they control the money in an organization – where it’s spent, how much is spent, perhaps even why it’s spent.

As a corporate officer in many organizations and with a spot at the C-suite, the CFO is primarily responsible for managing the financial risks of a corporation. This officer is also responsible for financial planning and record-keeping, as well as financial reporting to higher management. In some sectors the CFO is also responsible for data analysis. The CFO typically reports to the CEO and to the board of directors and may additionally sit on the board. 

If you are a CSO trying to get a new security program or funding, the CFO is someone you’ll have to sit down with to discuss how spending money is actually going to save the company money. How do you sell security to someone who thinks it is all about dollars and cents, profit and loss, and who possesses advanced business and financial degrees and experience?

For Jill Knesek, CSO of BT (British Telecom), it doesn’t have much to do with security at all.

It’s The Business

BT is one of the world’s leading providers of communications solutions and services. The company’s principal activities include networked IT services, local, national and international telecommunications services, and higher value broadband and internet products and services. BT is also the world’s oldest communications company, with a direct line of descent from the first national telecommunications undertaking in the world.

The company’s global services security department, which Knesek heads up, operates in 170 countries, and is responsible for end-to-end security – cyber security, physical security, crime, fraud, asset protection and risk mitigation for 1,500 facilities. Knesek’s staff consists of 27 security directors.

Christopher Walker

“People in security think they are special because they save lives, but they’re not that special, because HR, marketing, sales and IT all think they’re special as well. We’re all competing for the same piece of pie,” says Professor Christopher Walker, executive professor of strategy with the College of Business Administration at Northeastern University, in Boston. 

“With a CFO, it’s important to talk about security, but it’s more important to talk about the business,” Knesek says. “It’s been one of my biggest challenges. But I have been able to create relationships with the CFO and the C-suite, and I have regular quarterly meetings so that when it’s time to ask for money, the rapport is there. So when I get face time with the CFO or the Board, I articulate reducing the cost of crime, protecting our brand and reputation and showing security’s long-term value.”

“As a telecommunications company, we see a lot of potential for revenue fraud,” she says, “for example, theft of assets, cable, copper, and illegitimate customers. So I tell the CFO how my security operations will save millions of dollars in fraud losses per year. Once you start talking about dollars and cents and revenue, provide metrics and articulate how you will reduce costs with mitigation plans in place, you’re on your way to reaching the CFO. Security is not just about throwing a guard at a problem, it’s about reducing risk.”

As a former CSO with a Fortune 50 company and with a leading media firm, Christopher Walker once reported to the CFO. Professor Walker is currently the executive professor of strategy with the College of Business Administration at Northeastern University, in Boston, Mass. Professor Walker has also consulted with a number of business firms across several industries. He has created management development programs within three universities and among a range of organizations and businesses.

During his career, he says, articulating the logic behind the security systems that you want in place was always a difficult task. “You have to articulate financial logic behind doing what you do,” he suggests. “If you ask companies to spend a large amount of money for a feeling of safety, that’s not sufficient. Articulate how you’re going to reduce the company’s liability exposure and the loss of assets. Show the financial impact that could be attached to a security disaster.”

Specifically, Professor Walker advocates benchmarking. “Someone has that experience,” he says. “Look at what has happened and the financial impact of litigation that has taken place, the case laws that are out there and provide a logical argument that embodies the legal and the financial aspects.”

As with Knesek, Walker stresses understanding your company’s line of business first. He also says that past experiences may not be the best thing on which to rely.  “Maybe you have had success in another job so you make certain assumptions about what should be done in your current company. That’s not necessarily the best way to go about it because business is about context.”

The CFO: Tales from The Front

How have two CSOs reached their CFO? Their advice:

“I report in to our COO, so I am not an expert on presenting to a CFO, albeit I have tremendous support from our CFO who stands behind our mission. I can only add that we view security in two areas, moral imperatives (life safety stuff) and then business resiliency (things that make sense for protecting the business and building continuity). The way I break out my mission regardless of who I am presenting to in leadership is easy: If we do not get the moral imperatives right, we will lose the faith of our people and clients; that outcome is a zero sum game. The resiliency piece is more measured against risk and spending in areas that are needed to sustain the business (protection, response, redundancy).”

Timothy S. Weir

“I concur with Tim’s position. I do think, however, that presentation of information is different based on who you need to connect with, while the underlying premise (moral or resiliency) is the same. For example, a CFO is focused on the dollars of it all, so sound business cases that translate the issue and result into numbers/productivity will resonate better. In this case, if we’re talking about moral imperative, part of the pitch might be cost of lost productivity due to absenteeism, fear, distraction, etc. Resiliency usually translates easily to some business language. A Chief HR Officer will be more focused on associate safety, perception and more, and less on bottom lines or other financials. So, the basic premises remain the same – the “language” you use to convey the opportunity and solution is geared toward your specific audience.”

Timothy T. Janes, CPP, CFE

Business Programs for CSOs and Mid-Level Security Managers from ASIS International:

Wharton/ASIS Program for Security Executives

October 31-November 4, 2011 and January 23-27, 2012, Philadelphia, PA

www.asisonline.org

Business Concepts for the Effective Security Manager

ASIS and Northeastern University

March 8-11, 2011; October 18-21, 2011

Boston, MA
