CFO Insights: Sam Wolff of Domestika on How Current Macroeconomic Conditions Affect Key Security Decisions

Organizations across the globe are tightening their financial belts as economic conditions continue to fluctuate. Cybersecurity spending is often shielded from significant budget cuts as the exposure to risk poses a greater cost than the technology itself. In fact, Gartner predicts that end-user spending on both security technology and services will see an annual growth rate of 11% over the next four years. However, the need for these programs does not always make cybersecurity immune to cutbacks. Leadership will assess the overall value of each tool in their security toolbelt and weigh it against their other options. One area cuts should never be made, though, is skilled security personnel. Talent is already difficult to find in this industry and retaining qualified workers is a task that should not be taken lightly.

As you can see, there are many factors to consider when evaluating overall profitability and internal budget. In order to gain more clarity in these areas, we spoke with a few key Chief Financial Officers in the industry.

This blog is the first in a new series of articles in which I’ve interviewed CFOs to gather their insights and advice about current macroeconomic conditions. My first discussion was with seasoned CFO Sam Wolff.

Wolff discusses his thoughts on the current macroeconomic environment as well as key considerations for CISOs as they prepare budgets for their CFOs next year.

Currently, there are mixed indicators as to the health of the economy. While employment numbers have improved and inflation seems to be slowing, the last year has seen inflation exist across almost every industry. According to Wolff, financial uncertainty will continue for the next few quarters, indicating that companies should be cautious about where they invest and how they invest. Every company, particularly those in the startup environment, needs to be diligent about their economics, ensuring a path to profitability and ultimately an independently funded business model.

Across all industries, CFOs are facing difficult decisions about where to make cuts and where to increase their investments. In Wolff’s experience, headcount is the largest expense and typically contributes to about 70% of total costs. Finding ways to align this headcount expense with growth trajectory while also protecting key talent is the first place companies would look.

Real estate is another significant cost driver. With the recent transformation to a remote-first work culture, this is another major material savings avenue for organizations that may be spending a substantial amount of their budget on a physical shared workspace. Of course, it’s important to balance this cutback with the company's overall culture. If there are ways to maintain that culture effectively and remotely, this should be explored.

Technology is another expense that should be assessed in the overall budget. Regular evaluations of the tools in use should be conducted to determine ROI and effectiveness.

Speaking of technology, there are a few key segments that will be met with a more critical eye. According to Wolff, there will be a harder look at SaaS spending, leading to internal hygiene exercises on whether there are multiple tools doing the same thing or a high overlap of capabilities. Conversely, products that help with revenue growth will likely continue to get approval/preference over others.

Security risk and compliance is an area that is likely to (and should) retain priority. However, that doesn’t mean that there won’t be discussions about how much risk any company is willing to take. It is possible that the risk appetite will increase to accommodate the budget pressures, meaning companies don’t take the worst-case risk scenario for budgeting exercise but more of a middle-case scenario that’s more accepting of certain risks.

Wolff also predicts increased investments in technology that remove or minimize manual operations, so that new employees don’t immediately need to be hired in the current conditions. This also frees up the bandwidth of existing employees so they can focus on higher-priority (and higher revenue-producing) tasks.

We asked Wolff to dive a bit deeper into the specifics of how he believes security spending will be affected in the current macroeconomic environment. He suggests there will be a multitude of factors that come into play. First and foremost, spending will depend on the company as each organization has its own risk appetite. Secondly, risk probability matters. If the CISO says that there is a one in a thousand probability of a vulnerability hitting the company versus one in a million, the former will likely get prioritized by the CFO. The other dimension is that the probability might be low but the impact could be very high. It could lead to millions of dollars in losses, brand reputation loss, bad PR, etc. that would contribute to the decision-making for onboarding tools or investing in current ones.

New vulnerabilities that are impactful but aren’t currently protected against would also receive priority, as CFOs are beginning to understand that adversaries and threat actors are continuously evolving their tactics. As stated previously, Wolff also believes that tools and products which help reduce manual processes will be preferable as headcount is an organization's most significant cost.

Finally, Wolff offered a few valuable pieces of advice for CISOs as they work alongside their CFOs on financial priorities.

He suggests four key tenets to accelerating the budget alignment and approval:

1. Align with your CFOs by speaking a common language. CFOs understand risk and tradeoffs well, so present your security plan in that light.

2. Rank your risk areas and clearly (in non-jargon way) explain the impact of the risk area on the company, the coverage, and how the investment will help mitigate the risk.

3. Keep it simple and help your CFO understand the whole picture. Also, CFOs won’t have context on security risk areas, so be sure to take the time to educate them. This will help you gain alignment, context, and allow for a faster approval process.

4. Come to the conversation with a realistic mindset that all of the asks won’t get funded.

Implementing these best practices with your CFO is crucial to having a successful conversation about prioritizing security technology and ensuring a prosperous financial future for your organization.

When it comes to cybersecurity technology, particularly in the current economic environment, CISOs must evaluate the best tool for their organization through a variety of lenses. Here are a few reasons why CISOs have chosen Abnormal as their solution.

"Needed a sophisticated anti-phishing solution—abnormal was it." —CISO (Industry: Insurance)

"Excellent email security platform that catches more than traditional SEGs." —CISO (Industry: Provider)

“Before [Abnormal], the process was quite manual, cumbersome, and required a lot of human involvement which — to be brutally honest — is flawed. Human beings make mistakes.” —Global Technology Services Director, Commodities

“I’m comfortable saying Abnormal Security is blocking 99.999% of all that bad email.” —Chief Information Officer, Fintech

“At the end of the day, we can take a good chunk of our focus off what we consider to be a major attack vector for us and put it to other avenues.” Cybersecurity Manager, Manufacturing

Interested in learning more about how Abnormal can protect your organization?