Before I started working at Threat Stack, security was not always at the top of my priority list. Now, as the CFO of a leading cloud security company, I’ve learned to take a more holistic view of security: I still view it as a necessity that ensures the safety of an organization’s data and systems, of course, but I also understand that it can be a powerful business enabler and business driver.
Put another way, I no longer view security as just an expense (a “necessary evil”?); instead, I see it as an investment that adds ongoing value throughout the organization and beyond. It not only provides foundational security, but also bolsters corporate reputation, adds confidence to customer relations, streamlines sales cycles, reassures board members and investors, helps with achieving compliance, and so on.
In spite of the huge value it adds, security can still be something of a hard sell — especially in companies where resources, including budget, are limited. With that in mind, I want to use this post to share some of the things I’ve learned as CFO at Threat Stack.
Depending on your organization, your CFO may look at security the way I used to — it may not be at the top of his or her agenda. So I’ve gathered five posts from the Threat Stack blog that will help you (as a security professional) educate your CFO about the value of security, provide a framework for budgeting, and explain how closely security and compliance are tied together.
1. A CFO’s Perspective on the Real Value of Cloud Security
In the time I’ve been CFO at Threat Stack, I’ve had some interesting discussions about cloud security with fellow CFOs. They know security is important, but just like me, they are tasked with managing limited resources to meet their strategic and financial objectives. This post discusses the broader value of security and explains how we structure our own budget around that.
The Takeaway: By understanding how to deliver unique value to each stakeholder group in your organization, what might at first appear to be a security expense can be seen in a new light as an investment that addresses the concerns of multiple individual areas in the company and collectively brings about greater organizational effectiveness, efficiency, and profitability.
2. How to Align Security With Your Business Objectives
You can help to make security a bigger priority if you map it to business objectives. In this post, we offer several ways to go about doing this, allowing the security and finance teams to successfully bring security deeper into the organization.
The Takeaway: Almost any pyramid of business values is topped by profitability, and profitability is enabled by having a competitive advantage, which, in many cases, is a matter of being able to ship products to market fast — and securely. In other words, when security is integrated into your organization so it not only optimizes your business processes but also supports your organization’s topmost objectives, it adds maximum value. Being able to explain this to your CFO can go a long way toward getting the support you need to implement a comprehensive security program in your company.
3. 5 Factors to Consider When Building Your Security Budget
Building a security budget can be a complex and sometimes fraught process. As Threat Stack’s CFO, I have learned just how vital an effective security strategy is to the health of any modern business — and as a corollary, how critical a carefully planned security budget is. In this post, I share five factors you should consider when you put together your own organization’s security budget.
The Takeaway: If you identify your crown jewels, define your business risks, calculate the full ROI of your proposed security solution in addition to the upfront cost, carry out due diligence on selecting tools, and consider other factors that are unique to your organization, you should be able to build a realistic and compelling budget.
For more information, download a free copy of our Cloud Security Playbook.
4. Budgeting for a Compliance Audit: A Practical Framework
Alongside security expenses, companies also need to be thinking about their compliance expenses. Especially if you work in a regulated industry like healthcare or finance, or have customers that do, compliance will come up. It’s just a matter of how ready you are when it does. This post breaks down the direct, indirect, and opportunity costs involved in a compliance project and explains how to allocate budget for it.
The Takeaway: Using the framework outlined in this blog, and with a basic understanding of the costs involved with compliance, you will be well armed to prepare your budget and achieve compliance effectively.
For more information, download a free copy of Threat Stack’s Compliance Playbook for Cloud Infrastructure.
5. Why You Need to Be Compliant Much Sooner Than You Think
We often talk about compliance on the Threat Stack blog because, as more businesses move to the cloud and store internal and customer data there, achieving compliance becomes necessary. Truth be told, most companies don’t prepare for compliance until the train has already left the station. This approach is not only stressful, but also costly. In this post, we break down what it takes to become compliant so you can meet internal and customer objectives without stress.
The Takeaway: If you foresee that your business will need compliance at some point down the road, commit to starting the process as soon as possible. The bottom line is that, for many companies, regardless of whether PCI DSS or HIPAA compliance is automatically required, it can be worth the effort of becoming compliant because of the many business opportunities that open up as a result. Do the math and figure out whether it makes sense for your company (e.g., faster sales cycles, expanded sales opportunities, increased revenue).
For more information, download a free copy of Threat Stack’s Fast-Tracking Compliance in the Cloud.
Selling Security Internally
Learning about security takes time, and it can be a fairly steep curve for someone who wasn’t originally trained in it. I’ve learned a lot working at Threat Stack already, but there is always more to learn. That’s why my best piece of advice is to become a partner with your CFO, to help them understand what’s required to become a secure business and make the right decisions. Armed with the right information (starting with what’s covered in the posts above) and guided by an expert in the field (you), security can become a true priority and an asset to your organization at large.
If you’d like to learn more about how Threat Stack can help with your organization’s security, please contact us for a free demonstration of our intrusion detection platform (IDP).