Most CFO’s are not directly involved in IT or security in IT, except possibly when reacting to an incident like a security breach. However, PERRY HUTTON of Fortinet believes that CFOs need to become more hands on when setting out IT budgets and motivating them.
Recessions may eat into enterprise budgets as a whole, but information security stands alone in enjoying increased budget allocation, thanks to CFOs who see the returns inherent in mitigating risk, says security specialist Fortinet.
Perry Hutton, Regional Vice President – Africa at Fortinet, says CFOs in South Africa’s largest enterprises typically don’t get involved in IT spend, beyond approving the CIO’s budget. “We don’t usually meet with CFOs, particularly in the large enterprises. Our top 120 to 140 enterprise customers are well structured, with very knowledgeable CIOs or CISOs in place who manage the information security spend, supporting their budgets with clearly laid-out business benefits and returns. Their CFOs are typically tech-savvy and – more importantly – aware of the potential costs of security breaches, and support spend on IT security. However, they seldom get directly involved. Possibly the only time large enterprise CFOs would get directly involved in information security budgets is when they are being reactive to an incident.”
In the mid-market sector, which may not have specialised CISOs in place, CFOs are more likely to become involved in the information security budget discussion, says Hutton. “Fortunately for us, security tends to be treated separately from infrastructure and other components of IT. Even when organisations are cutting their budgets, you don’t find too many cutting their IT security budget. If anything, finance is allocating a larger percentage of the IT budget to security, because the world is becoming more dangerous and they have to throw more cash at mitigating risk,” he says. “Of course, the money has to come from somewhere, so invariably it comes from somewhere else in IT like stretching storage. For us, it’s a good position to be in. Back when the global recession struck in 2008, we didn’t suffer as badly as other players in the IT space, because the threat landscape didn’t go into recession, and long may this situation last.”
Because Fortinet plays in a space where the benefits to business are well understood, it seldom has to assist CIOs in motivating for budget, Hutton says. However, in cases where the CIO or IT manager must motivate for budget from the CFO, Fortinet is able to supply extensive threat reports, in depth research and risk analysis to highlight the benefits to business of making the investment. “We’ve also just launched our Cyber Threat Assessment Program (CTAP) in South Africa, in which we will perform a real time threat assessment for prospective customers; with analysis by our FortiGuard Labs. After our recent launch in East Africa, we had requests for a few assessments in the region.” The requests typically came from CISOs and CIOs, but Hutton expects the CTAP results to help IT build its case for budget with the CFO.
“There are typically two schools of CFO – the old school CFO, who is usually in place in larger enterprises where the IT budget is managed by an experienced CIO and CISO. Then you find the New School CFOs, typically younger, who are typically in the small to mid-sized enterprises. These CFOs are well educated and well versed in technology and the need for IT security. We might spend some time with them, explaining the changing threats and pointing out how IoT has exploded and perimeters have become infinite, increasing their risk profile. The CFO of today is usually well aware of the benefits of IT security, they understand that there is growing risk and they have to invest in mitigating it.”