The Chief Financial Officer is just as essential to the organization in quantifying risk as the legal team, HR, the CISO, and the marketing department. The reason is that, to accurately quantify risks within the organization, the CISO needs to understand the metrics around:
"How much do we lose if we go down for a day?"
"What is the information security budget, separate from the IT budget?"
"What kind of cyber liability insurance do we have?"
The CFO should also be in the room when regulations are discussed; there is a good chance that the budget will need to increase for the upcoming year because of regulatory changes.
These could be changes to the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), SEC rules, or PCI DSS.
They could require a new mandatory position (such as a CISO), an assessment of the organization against best practices, or baseline technology that every covered company must have implemented by a specific date.
There is a high likelihood that an audit or a proactive assessment will make the organization realize it has to hire staff or outsource.
There is currently a skills shortage in information security positions, including analysts, forensic investigators, reverse engineers, and security architects; depending on your company, location, and benefits, recruiting talent can be near impossible.
The other option is to partner with an organization that specializes in the area that needs fixing. This follows the "crowdsource"/"open source" model of having many eyes on the problem, so that experts are always in the room.
How does an organization efficiently quantify risk when it does not know the numbers behind the data it generates?
How much do outages cost for the organization?
What is the loss if the production line goes down?
When a breach happens, how much does it cost? (PR, insurance, brand reputation, class-action lawsuits, forensics, new staff)
To accurately quantify risk, the organization must get a handle on the numbers surrounding the IT and information security budgets. Think of assessments as regular tests of your technology, people, and processes that verify efficiency and the protection of sensitive data.
Information Security Budget
The information security budget must be separate from the IT budget. The security department reports at the highest layer of the organization (the board) to ensure proper oversight of other departments, that risks are being mitigated, and that regulatory obligations are being met. There needs to be a separate budget for proactive assessments, technology, staff, training, and remediation of risks.
Proactive vs. Reactive
When it comes down to being proactive or reactive about information security risks, most organizations, in our experience, choose to be reactive.
"It's never going to happen to me."
"We are too small to be worried about these risks."
In our experience, an organization would rather buy cybersecurity insurance than be proactive about finding the source of the risk. By having this mentality.
It is mandatory that the CFO know the risks and information security needs of the organization. They must understand how these risks negatively impact the organization, not just in monetary terms but also in the associated people and process risks.