Last month’s column addressed the security organization reporting to the General Counsel, which studies show is one of the more common reporting relationships for security executives. This month we will discuss the advantages and disadvantages of reporting to the Chief Financial Officer (CFO). Most enterprises combine a number of functions under the Office of the CFO; the most common include Corporate Controller, Chief Risk Officer, Chief Information Officer, Tax Department, Internal Audit, Mergers & Acquisitions, Corporate Travel, Risk Management (Insurance), Corporate Aviation and Procurement.


Reporting to the CFO can provide some unique benefits for the security function. The CFO is keenly aware of the risk horizon of the organization and, like the General Counsel, is one of the first individuals in the company to know when an issue arises. The CFO is also heavily involved in key decisions about acquisitions, mergers, divestitures, new facilities, plant closings, layoffs, etc. As a direct report to the CFO, the security organization has an opportunity to be an early participant in key decisions that affect the enterprise.

Working closely with the CFO can provide additional advantages such as establishing centralized capital accounts to fund physical security and information security installations and upgrades. Doing so eliminates the contest for capital at a facility where the general manager has to decide between investing in new equipment to increase productivity or enhance quality and funneling precious capital dollars into security investments. CFOs generally understand that capital investments in security are a fairly cheap insurance policy.

Similarly, rather than having to budget for unforeseen expenses related to conducting reviews of business practices policy violations, fraud, theft or anti-counterfeiting campaigns, CFOs understand the need to establish centralized off-budget accounts to capture the costs of these types of activities. Most CFOs prefer to avoid the accounting processes of cross-charging the business units for these expenses and easily grasp that doing so may result in operating units not reporting losses or other types of business practices policy violations to avoid being hit with the costs.


If you report to the CFO, you better have your business hat on and utilize metrics and measurements that depict the value security provides to the enterprise. If you propose a new policy, be prepared to explain the reason for the policy, the threat or risk that it is designed to mitigate, the probability of the threat or risk materializing, the mitigation options available with the cost/benefit analysis of each, the reasoning for selecting the specific mitigation being recommended, and then be prepared to effectively defend the cost of implementation as well as the cost of failing to implement. Similarly, if you are planning a project involving capital expenditures, you will not only have to provide all of the data previously stated, but add to that a definitive calculation of return on investment (ROI). I must say that I frankly don’t see any of these as a real disadvantage, as they are things that every security executive should be doing as a core part of the business of security.

I would welcome receiving feedback from any CSOs on their experiences reporting to the CFOs in their enterprise. Please provide your insights on what you have found to be the pros and cons of reporting to the CFO in the comments section of, or email me directly.

Next month’s column will explore the pros and cons of reporting to the Chief Human Resources Officer.