Imagine a scenario where your company's operations grind to a halt, sensitive data is exposed, and customer trust is shattered — all because of a cyberattack. This isn't just a hypothetical situation; it's a reality that businesses of all sizes face in today's increasingly digital world. CFOs, with their unique understanding of financial risk and strategic planning, must champion cybersecurity initiatives and weave them into the core of their business strategy.
The Cyber Security Agency of Singapore has issued stark warnings about the rising threat of cyberattacks, and the Personal Data Protection Act (PDPA) sets stringent standards for data protection. In this environment, CFOs must prioritise cybersecurity investments that deliver a tangible return on investment. Failure to do so could jeopardise critical assets, disrupt operations and severely impact the bottom line and shareholder value.
One of the main challenges in securing cybersecurity investments lies in the nature of cybersecurity itself. It's difficult to quantify its value proposition until a breach or attack occurs. This leads many CFOs to struggle when justifying the allocation of resources towards cybersecurity initiatives to their stakeholders.
However, a recent roundtable by FutureCFO in partnership with Okta shed light on how CFOs can overcome this challenge. Financial executives from leading Singaporean companies emphasised the importance of treating cybersecurity as a strategic investment, similar to critical CAPEX projects, and offered insights on securing funding for these essential initiatives.
Understanding the importance of cybersecurity investments
In today's digital age, cybersecurity is not just an IT issue but a core business imperative. A single cyberattack can severely impact a company's reputation, disrupt operations, and lead to significant financial losses, potentially requiring unplanned write-downs or impacting EBITDA.
![](https://futurecfo.net/wp-content/uploads/2025/02/Ben-Goodman_Okta-150x150.jpg)
"As a CFO, cyber threats and cyber resilience probably wasn't something you were focused on three years ago. Now, you're probably scrutinising your cyber insurance premiums to determine if they're even viable," explained Ben Goodman, Okta's senior vice president and general manager for APJ.
This necessitates collaborating with IT and security teams to identify and assess risks, developing a comprehensive cybersecurity strategy that aligns with overarching business objectives, and ensuring that cybersecurity investments are appropriately capitalised and amortised over their useful life.
Justifying cybersecurity investments to stakeholders
Justifying the cost of cybersecurity investments to stakeholders is a major challenge for CFOs. Many stakeholders view cybersecurity as an operational expense rather than a strategic investment, impacting the company's short-term profitability.
![](https://futurecfo.net/wp-content/uploads/2025/02/Brett-Tighe_Okta-150x150.jpg)
"So, I look at it in terms of ROI. How can we maximise the return on these investments while achieving our security goals?" said Brett Tighe, chief financial officer at Okta.
This means highlighting the potential financial impact of a cyberattack, such as lost revenue, damage to reputation, and regulatory fines, which can significantly impact the company's valuation. It's also important to emphasise the financial benefits of cybersecurity investments, such as improved operational efficiency, increased customer trust, and enhanced brand reputation, all of which contribute to long-term shareholder value.
Justifying these investments is further complicated by a fragmented cybersecurity landscape. "Technology keeps changing, and there are so many vendors and products that can be quite confusing," noted a delegate to the roundtable.
![](https://futurecfo.net/wp-content/uploads/2025/02/Darrell-Tan_Guocoland-150x150.jpg)
However, companies do not have the option of sitting on the sidelines. "It's more about what happens if you don't invest, rather than what you directly gain from it," said Darrell Tan Yuan Ching, head of Investment Management & Hotels at Guocoland.
Still, Guocoland’s Tan urged CFOs to take a mid- and long-term view when investing in cybersecurity and to work with the IT team to ensure alignment with the existing tech stack. "That's actually quite tricky because if it doesn't fit, it is just a sunk cost."
Okta’s Tighe acknowledged that different companies have different risk profiles and priorities regarding cybersecurity. The vital part is balancing security with usability. "You can have the greatest security on Earth, and it just makes your employees hate their life. On the other end of the spectrum, if you don't have any security... it exposes you. I would think about where you want to be on that spectrum. Not all companies are the same," he explained, pointing to the NIST framework for consideration.
Finding the right balance is never easy
To effectively measure the ROI of cybersecurity investments, CFOs need to develop outcome-driven metrics that link these investments to business value and operational efficiency. This means going beyond traditional metrics, such as the number of security incidents, and focusing on metrics that measure the impact of cybersecurity investments on business outcomes. Some examples of outcome-driven metrics that the participants discussed:
- Reduction in customer churn due to improved cybersecurity
- Increase in customer satisfaction due to enhanced trust in the company's cybersecurity posture
- Improvement in employee productivity due to reduced downtime caused by cyberattacks
- Cost savings from prevented breaches, reducing the need for unplanned expenditures
![](https://futurecfo.net/wp-content/uploads/2025/02/Atul-Kalyanpur_TNL-150x150.jpg)
"We look at KPIs like incident response time, the potential duration of an incident, and the magnitude of the financial risk that could arise from the activity, and so on," added Atul Kalyanpur, finance director at Travel + Leisure Co.
Ultimately, these metrics are part of CFOs' efforts to frame cybersecurity in financial terms. As one delegate commented, "Cybersecurity is a broad term... after five years, we need to take stock and re-evaluate, especially as the threat landscape evolves."
Regulations are guidelines but not guarantees
The line between compliance and security is blurring. Participants like Travel + Leisure Co.'s Kalyanpur noted that reputational risk, which can severely impact market capitalisation, is a major security concern, more so than the actual fines.
![](https://futurecfo.net/wp-content/uploads/2025/02/Foo-Yoke-Leong-1-150x150.jpg)
Foo Yoke Leong, the head of Finance of an insurance company, looks at two regulations when assessing his company's security posture. "One is PDPA, where we need to protect our customers' data. We need to make sure that it's secure and nothing leaks out. The second one is the MAS technology risk management guidelines issued to all financial institutions."
But regulations are just starting points. They are constantly being updated, and new ones are being added. "Which is why we need to invest more in cybersecurity insurance," stated a delegate to the roundtable.
![](https://futurecfo.net/wp-content/uploads/2025/02/Ng-Poh-Beng_Aboitiz-Food-150x150.jpg)
For conglomerates, Ng Poh Beng, finance director of Aboitiz Food, urged companies to look beyond cyber insurance. Insurance only covers the financial impact, but there are losses beyond the financial, such as damage to corporate reputation.
The growing importance of third-party risk management
Third-party risks are not new. What is new is how deeply integrated partners have become in modern businesses. This creates an additional cybersecurity concern that CFOs fret about, especially with the spate of supply chain attacks due to identity compromises or theft. It is not only companies that worry; vendors are vigilant about it too.
"We're testing [our partners] regularly, and we pay security researchers on our team to test and penetrate our systems to see how robust our security posture is," said Tighe.
A good rule of thumb is to reduce dependency, an approach championed by a delegate to the roundtable. "When evaluating suppliers, I ensure that we are not reliant on any single provider. I identify potential alternatives and assess how they can align with our cost strategies, allowing us to switch quickly if needed."
![](https://futurecfo.net/wp-content/uploads/2025/02/Lim-Swee-Keng_Clifford-Capital-3-150x150.jpg)
Yet, Lim Swee Keng, group head of Finance at Clifford Capital, believes it still comes down to getting the right balance, and often, the cost is relative. "Yes, cost is always a consideration. But you need to strike a balance between ease of doing business, competing priorities and cost. You can always spend millions of dollars on cybersecurity and have no resources for other things or make the business process more cumbersome. So, it's a delicate balance."
Next steps: maximising cybersecurity investment value
To maximise the value of your cybersecurity investments, it's essential to take a holistic approach that considers people, processes, and technology. This means investing in your employees, developing robust security policies and procedures, and selecting the right technologies for your business needs.
Another overlooked factor is investing in employees and driving cultural change. "So, I think you can see that the important thing is education," says Clifford Capital's Lim.
Another delegate agreed on the significance of cyber awareness within the investment strategy. He noted that in organisations with a large workforce, it's essential to implement cybersecurity awareness training to enhance understanding throughout the entire organisation. In their case, they use the opportunity to conduct scenario planning, such as for ransomware attacks.
More importantly, Okta's Goodman pointed out that having the right products, framework, partner, and training drives cultural change. "When cybersecurity impact is well understood at an organisational level, the knock-on effect on the cultural level is visible," he said. And this adds an essential layer of resilience because most attacks are focused on social engineering.
Finally, it's important to remember that cybersecurity is not a one-time investment; it's an ongoing process, pointed out Tighe. As such, businesses must continuously invest in cybersecurity to protect their assets and ensure long-term sustainability and financial health.
![](https://futurecfo.net/wp-content/uploads/2025/02/DSC_0591-1024x681.jpg)