
The Day I Used Math to Beat the CFO: A CISO’s Tale of Budget Cuts, Bankers, and the FAIR Model

  • VENUGOPAL PARAMESWARA
  • 5 days ago
  • 9 min read

Updated: 3 days ago


It was one of those drizzly Mumbai Mondays, traffic crawling like extras fleeing doom in a gritty apocalypse movie. The boardroom of Bharat Srestha Bank (BSB) matched the weather perfectly—gloomy and tense.


Prajesh Mantri, CEO and usual hype machine, wore his "something's not right" expression, dead serious, tapping the marker like a gavel in a filmi courtroom. "Nothing looks right," he muttered in an edgy, strained voice. "The war in Europe has shaken the markets. The Board is chopping 10% off every department's ops budget, right now, no kidding."

Everyone at the table groaned "Oh, man..." in unison. I sat at the far end, clutching my notepad like a life raft. My presentation was last on the agenda, and I knew I wasn't there to offer cuts. I was there to ask for a fresh ₹5 Crores for three critical security technologies: Zero Trust Network Access (ZTNA), Data Security Posture Management (DSPM), and Extended Detection and Response (XDR).


Vikram Bhatt, the CFO, who tallies compound interest in his sleep before Excel even boots up, shot me a look. He knew I was about to ask for money. Glasses fixed, he looked ready to pounce like a street cat on a stray fish. Our CRO, Meera Sharma, scooted nearer, murmuring, "Venu, the RBI is breathing fire on resilience, and the DPDP penalties are scary as hell. Prajesh is in full cost-cutter mode, though. Best of luck."


I took a deep breath. The old way of pitching security—"If we don't buy this, scary hackers will get us"—wasn't going to fly today. Vikram would eat me alive.

I needed a new weapon. I needed the FAIR Model.


The Ghost of Vendor Pitches Past

My journey to this moment began weeks ago, drowning in vendor pitches.

Take Sudheer from "Valuewallah Cyberpoint Solutions": a solid fellow who looks great in a suit, but pitches like he's reading from a bad script. He was trying to sell me ZTNA to replace our aging VPNs.

"Venu Saar!" Sudheer had boomed in my office, extending his hands. "This ZTNA is military-grade! It's AI-powered, blockchain-enabled, and quantum-ready! It creates a micro-segmented network access paradigm shift! Only ₹2.5 Crores a year! Look at the list of banks we have onboarded recently. Your folks did a successful POC too, and I managed to get the best price from HQ after your gruelling negotiation."


"Sudheer," I said, rubbing my temples, "if I tell Vikram sir, the CFO, that we need a 'micro-segmented network access paradigm shift' for ₹2.5 Crores, he will shift me out of the building. What problem does it solve financially, so that I can sell it to him?"


Sudheer blinked. "But Sir... it's military-grade. Used by all prominent banks... except the military," he added in a soft whisper. The problem was clear. Vendors sold features. The Board bought risk reduction. I had to translate.


The Revelation: Factor Analysis of Information Risk (FAIR)


I spent the weekend chugging my sulaimani chaya and nerding out on the FAIR model. Eureka moment—FAIR ditches the vague “high/medium/low” risk nonsense and makes you slap real rupee numbers on those nightmare scenarios.


The core formula was deceptively simple:

Risk (Annualized Loss Expectancy, ALE) = Frequency of Bad Thing × Cost of Bad Thing

After chewing on FAIR case studies from CISO gurus and cybersec think tanks for a bit, it struck me—like that Malayalam flick “MonkeyPen,” where the kid hero fixes his tiny worry by scribbling a massive line right next to it.

My job was not to ask for ₹5 Crores for these solutions. My job was to show that not spending it would cost us ₹50 Crores.


The Boardroom Showdown

Back in the boardroom, Prajesh woke me up to reality. "Alright, Venu. Make it quick. You remember the budget cuts, right?"


I stood up and projected a single slide. It didn't have pictures of hackers in hoodies. It had a number: ₹14,400 Crores.


"This," I said, "is 80% of Bharat Srestha Bank's annual revenue. It flows entirely through our digital channels and systems: NetBanking, UPI, and the mobile and loan apps. My job isn't fixing firewalls; it's ensuring this number doesn't hit zero for even an hour. Because if it does, we lose about ₹1.64 Crores every sixty minutes."

Vikram the CFO leaned forward. I was speaking his language now.


"To protect this revenue engine in this geopolitical climate," I continued, "we need to make three strategic investments." I said it without pausing or looking at them. "And I used the FAIR model to prove they aren't costs; they are savings."


Battle 1: ZTNA vs. The "Open Door" VPN

"Firstly," I said, "our 15-year-old VPN technology. Currently, when a vendor logs in, they get access to our whole network. It's like giving the plumber the keys to the gold locker when he is only there to fix the bathroom sink."

  • The Vendor Quote (Sudheer's "military-grade" ZTNA): ₹2.5 Crores PA.

"Vikram, here is the FAIR math," I pointed to the screen.

  1. The Threat: Ransomware entry via compromised vendor credentials (Lateral Movement).

  2. Frequency: Given the financial sector targeting, there's a 20% chance of a major incident this year.

  3. Loss Magnitude: If core banking goes down for 48 hours + RBI penalties + Reputation hit. Conservative impact: ₹100 Crores.

  4. Current Annualized Risk: ₹100 Crores × 20% = ₹20 Crores per year liability.


"Public survey reports show 1,594 third parties worldwide got breached in 2024, costing about $6.4M in total," I added. "Switch to ZTNA and we slam those doors shut: even if a vendor is hacked, they can't wander inside. The odds plunge to 2%, and the risk drops to just ₹2 Crores." I looked Vikram right in the eye. "I am asking for ₹2.5 Crores to eliminate an ₹18 Crore liability from your books. That is a 620% Return on Security Investment (ROSI)."

Vikram didn't smile, but he stopped clicking his pen. I smelled a win.


Battle 2: DSPM vs. The DPDP Hammer

Meera, the CRO, interjected. "Venu, my biggest worry is the new Digital Personal Data Protection (DPDP) Act. The penalties are insane—up to ₹250 Crores."


"Exactly, Meera," I nodded. "Right now, we have 'shadow data': customer PII hidden in test environments, on the front-end, operations and back-end teams' endpoints, and in the cloud instances spun up by our partners. We don't even know it's there."

  • The Investment: Data Security Posture Management (DSPM) to auto-discover this hidden data.

  • The Quote: ₹1.2 Crores PA.


"Let's apply FAIR," I said, looking at Vikram.

  1. The Threat: A leak of unmanaged PII data ("Shadow Data").

  2. Frequency: High. We find new shadow buckets weekly. Let's say 30% chance.

  3. Loss Magnitude: DPDP fine + class-action lawsuits. Let's be conservative: ₹50 Crores (I am not even considering the ₹250 Crores).

  4. Current Annualized Risk: ₹50 Crores × 30% = ₹15 Crores.


"The DSPM tool finds this data so we can lock it. The risk probability gets reduced to 5%. The annualized risk drops to ₹2.5 Crores."


"This ₹1.2 Crore investment yields a 941% ROSI," I concluded. "Meera, this isn't software; this is Regulatory Insurance." Meera nodded vigorously. "Vikram, we cannot afford a DPDP violation right now. The regulators are looking for the first scapegoat."


Battle 3: EDR vs. The "Cheaper Alternative"


Vikram finally spoke. "Fine on those two. But this last one. You want to replace our Antivirus, which costs ₹70 Lakhs, with 'Extended Detection and Response' (XDR) for ₹1.3 Crores. That's nearly double the cost, Venu. Why?"


This was the toughest sell. The financial ROSI wasn't as spectacular.

"Vikram, remember the world-class Security Operations Center (SOC) we built last year? The 24/7 monitoring team?"

"Yes, very expensive," Vikram grumbled.

"Right now, our old Antivirus is blind to modern attacks. It only stops things it already knows. If a new Russian wiper malware hits us, it will dwell in our network for an average of 45 days before we find it. The damage would be catastrophic—easily ₹15 Crores in cleanup."


"The new EDR," I explained, "gives our SOC team X-ray vision. They can see the attack and kill it in under 4 hours. The damage is contained to maybe ₹50 Lakhs."

"The direct financial ROI is lower here, only about 11.5%," I admitted. "But think of it this way: we bought a Ferrari (our SOC team), and we are currently putting kerosene in the tank because the old AV is cheap. The ₹60 Lakh difference for EDR is the high-octane fuel that makes the whole engine work." The CFO was unimpressed, back to clicking that pen like Morse code for "not convinced yet, man."
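The FAIR arithmetic behind all three pitches, as an added example that is not part of the original post. It reproduces the post's own numbers for ZTNA (620% ROSI) and DSPM (941% ROSI). The 10% annual probability on the XDR line is my assumption: the post gives only the ₹15 Crore and ₹50 Lakh loss figures and the resulting 11.5% ROSI, and 10% is the rate that yields that figure against the full ₹1.3 Crore cost. The break-even function is also added; it answers the question a CFO asks next, namely how far the probability estimate can be off before the investment stops paying for itself.

```python
"""FAIR arithmetic for the three investments in the post (added example).

Amounts are ₹ Crores per year. Probabilities and losses for ZTNA and DSPM
are the post's; the 10% current probability for XDR is an ASSUMPTION (the
post states only the loss figures and the 11.5% ROSI, which 10% reproduces).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    p_current: float      # annual probability of the loss event with today's controls
    p_residual: float     # annual probability after the new control
    loss_current: float   # loss magnitude per event today, ₹ Crores
    loss_residual: float  # loss magnitude per event after the new control, ₹ Crores
    cost: float           # annual cost of the new control, ₹ Crores


def ale(probability: float, loss_magnitude: float) -> float:
    """Annualized Loss Expectancy: loss event frequency x loss magnitude."""
    return probability * loss_magnitude


def risk_reduction(s: Scenario) -> float:
    """Yearly liability removed from the books: current ALE minus residual ALE."""
    return ale(s.p_current, s.loss_current) - ale(s.p_residual, s.loss_residual)


def rosi(s: Scenario) -> float:
    """Return on Security Investment as a ratio: (risk reduction - cost) / cost."""
    return (risk_reduction(s) - s.cost) / s.cost


def break_even_probability(s: Scenario) -> float:
    """Lowest current-year probability at which the control still pays for itself,
    holding residual risk and cost fixed. If a sceptic's own estimate sits above
    this value, the decision does not change."""
    return (s.cost + ale(s.p_residual, s.loss_residual)) / s.loss_current


SCENARIOS = {
    # Battle 1: ransomware via compromised vendor VPN credentials
    "ZTNA": Scenario("ZTNA vs legacy VPN", 0.20, 0.02, 100.0, 100.0, 2.5),
    # Battle 2: leak of unmanaged PII, DPDP fine plus lawsuits
    "DSPM": Scenario("DSPM vs shadow data", 0.30, 0.05, 50.0, 50.0, 1.2),
    # Battle 3: 45-day wiper dwell (₹15 Cr) vs 4-hour containment (₹50 lakh);
    # the 10% probability is an assumption, not a figure from the post
    "XDR": Scenario("XDR vs legacy AV", 0.10, 0.10, 15.0, 0.5, 1.3),
}


def summary(s: Scenario) -> dict:
    """The numbers a CFO slide needs, rounded to one decimal."""
    return {
        "current_ale_cr": round(ale(s.p_current, s.loss_current), 2),
        "residual_ale_cr": round(ale(s.p_residual, s.loss_residual), 2),
        "risk_reduction_cr": round(risk_reduction(s), 2),
        "rosi_pct": round(rosi(s) * 100, 1),
        "break_even_pct": round(break_even_probability(s) * 100, 1),
    }


if __name__ == "__main__":
    for s in SCENARIOS.values():
        print(s.name, summary(s))
```

Running it shows why the third pitch was the hard one: ZTNA keeps paying for itself down to a 4.5% annual probability and DSPM down to 7.4%, but XDR's break-even sits at 9%, barely below the assumed 10%, which is exactly the gap the insurance letter later closes.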


The Final Twist: The Insurance Broker

The room was quiet. Prajesh the CEO leaned back. "It's a lot of money in tight times, Venu. ₹5 Crores is significant."


"There is one more thing, Prajesh," I said, pulling out my ace card. "You know how our cyber insurance premiums skyrocketed last year, and the broker capped our coverage at only ₹50 Crores because they said our controls weren't mature enough?"

They all nodded grimly. That renewal meeting had been painful.

"I took this FAIR analysis to our insurance broker yesterday. I showed them the math on ZTNA and DSPM. I proved we are reducing the exact risks that cause the biggest claims—ransomware and privacy fines."

I dropped a letter on the table.

"Based on our commitment to these three investments, the underwriter has agreed to classify BSB as a 'Preferred Risk' client. They are dropping our premium by 18% next month, and they have agreed to raise our coverage limit to ₹100 Crores."

Vikram snatched the letter. He pulled out his phone calculator. He ran the numbers.


A slow smile spread across the CFO's face.

"Prajesh," Vikram said, looking up at the CEO. "The premium savings alone cover almost 40% of the cost of these new tools in year one. And the risk reduction numbers... they seem convincing."


Prajesh Mantri stood up and buttoned his jacket. "Venu, you've managed to ask for ₹5 Crores during a budget cut and made the CFO smile. Approved. Get it done. And keep that digital revenue engine running."


I walked out of that boardroom exhausted but relieved. The rain had stopped and I badly needed that sulaimani from Ahmed's tea stall right across the street.


While sipping my sulaimani, I realized something crucial: Being a CISO in modern times isn't just about knowing how to stop the bad guys. It's about knowing how to do the math that lets you buy the weapons to stop them.



----------------- Tail End ----------------

The boardroom cleared out, leaving only the smell of stale coffee and the hum of the air conditioning. I collapsed into my chair, loosening my tie.

Sarath, my Deputy CISO and a brilliant guy, walked in. He looked at the "Approved" stamp on the budget file.

"You pulled it off," Sarath said, sounding surprised. "But Venu... I have to ask. I saw your slide. You claimed a 20% probability of a ransomware attack via VPN, dropping to 2% with ZTNA. Vikram bought it, but... did you just make those numbers up?"

I laughed. "Sit down, Sarath. If I made them up, Vikram would have eaten me for lunch. It’s a Calibrated Estimate."

I flipped my laptop around to show him the "Hidden Slides"—the ones I kept in reserve just in case.

1. Where did the 20% come from? (Threat Event Frequency)

"Look," I pointed to the data. "I didn't guess. I used the FAIR formula: Loss Event Frequency = Attempts × Vulnerability."

"First, the Global Base Rate: The Verizon DBIR and Sophos reports show that about 24% of financial organizations get hit by ransomware annually where compromised credentials are the root cause. That’s our starting point."

"But," I tapped the screen, "we aren't 'average.' We implemented MFA last year. Industry data suggests MFA reduces the success rate of credential stuffing. So, I applied a 4% discount factor to our risk."

"24% (Global Avg) - 4% (Our Control) = 20% Probability."

Sarath nodded slowly. "Okay, that's defensible. But the drop? You claimed ZTNA brings that risk down to 2%. Why? Why couldn't we just tighten our Firewall rules to get the same result? Firewalls are free; ZTNA costs ₹2.5 Crores."

2. The Drop to 2% (The "Guard vs. Escort" Theory)

"This is where the 'Control Efficacy' variable comes in," I explained.

"Sarath, think of our current Legacy VPN + Firewall setup like a Security Guard at our office campus. Once he checks your ID (Login), you are inside the campus. Sure, we try to lock the building doors (Firewall Rules), but we have 15,000 rules. Admins leave doors propped open for troubleshooting all the time. Once a hacker gets past the VPN, they have 'Line of Sight' to everything. They can scan. They can move laterally. The Vulnerability is high; let's say a 90% success rate once they are in."

"ZTNA is different. It’s not a Guard at the Gate; it’s a Personal Escort."

"With ZTNA, the user logs in, but they don't see the campus. They are blindfolded and walked directly to one specific room (the App), allowed to do their job, and then walked out. They never see the Core Banking Server. They can't run Nmap scans. They can't jump to the Domain Controller."

"By removing that 'Line of Sight,' we shrink the attack surface by 99%. Even if they steal the credentials, they are trapped in an empty room."

"That," I finished, closing the laptop, "is why the probability drops from 20% to 2%. We aren't paying for 'better blocking'; we are paying to eliminate the Vulnerability of Lateral Movement entirely."
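One way to make "Calibrated Estimate" and "Probable Maximum Loss" concrete, as an added example that is not part of the original post and goes beyond its point estimates: FAIR practice takes each input as a calibrated range (minimum, most likely, maximum) and simulates a year many times, so the output is a distribution of annual loss rather than a single ₹20 Crore figure. The ranges below are my own constructed assumptions that bracket the post's 20%, 2% and ₹100 Crore values; the summary also reports how often a single year's loss would exceed the ₹50 Crore and ₹100 Crore coverage limits from the insurance twist.

```python
"""Monte Carlo over calibrated ranges for the ZTNA scenario (added example).

Ranges are CONSTRUCTED ASSUMPTIONS bracketing the post's point estimates:
the post's 20% / 2% probabilities and ₹100 Crore loss are the 'most likely'
values; the minimums and maximums are mine.
"""
import random
import statistics

# (minimum, most likely, maximum), constructed assumptions
CURRENT_FREQ = (0.10, 0.20, 0.30)   # annual probability, legacy VPN
ZTNA_FREQ = (0.01, 0.02, 0.05)      # annual probability after ZTNA
LOSS_CR = (50.0, 100.0, 150.0)      # loss per event, ₹ Crores


def simulate_annual_loss(freq_range, loss_range, trials=20000, seed=7):
    """Return one simulated annual loss (₹ Crores) per trial.

    Each trial draws a probability and a loss magnitude from triangular
    distributions over the calibrated ranges, then flips a coin with that
    probability to decide whether the loss event happens in that year.
    """
    rng = random.Random(seed)
    f_lo, f_mode, f_hi = freq_range
    l_lo, l_mode, l_hi = loss_range
    losses = []
    for _ in range(trials):
        p = rng.triangular(f_lo, f_hi, f_mode)   # stdlib order is (low, high, mode)
        if rng.random() < p:
            losses.append(rng.triangular(l_lo, l_hi, l_mode))
        else:
            losses.append(0.0)
    return losses


def percentile(samples, q):
    """q-th percentile (q in 0..1) by nearest rank on the sorted samples."""
    ordered = sorted(samples)
    idx = min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))
    return ordered[idx]


def exceedance_probability(samples, threshold):
    """Fraction of simulated years whose loss exceeds the threshold."""
    return sum(1 for x in samples if x > threshold) / len(samples)


def summarize(samples):
    """Mean ALE, loss percentiles, and chance of blowing past the coverage caps."""
    return {
        "mean_ale": statistics.fmean(samples),
        "p50": percentile(samples, 0.50),
        "p90": percentile(samples, 0.90),
        "p99": percentile(samples, 0.99),
        "over_50cr": exceedance_probability(samples, 50.0),
        "over_100cr": exceedance_probability(samples, 100.0),
    }


if __name__ == "__main__":
    for label, freq in (("Legacy VPN", CURRENT_FREQ), ("With ZTNA", ZTNA_FREQ)):
        s = summarize(simulate_annual_loss(freq, LOSS_CR))
        print(f"{label:11s} mean ALE ₹{s['mean_ale']:.1f} Cr  P90 ₹{s['p90']:.0f} Cr  "
              f"P99 ₹{s['p99']:.0f} Cr  P(>50 Cr)={s['over_50cr']:.1%}  "
              f"P(>100 Cr)={s['over_100cr']:.1%}")
```

The mean lands near the post's ₹20 Crore and ₹2 to 3 Crore figures, but the tail is the part a board and an underwriter care about: with the legacy VPN roughly one year in five blows past the old ₹50 Crore cap and one in ten past ₹100 Crores, and ZTNA cuts both to a few percent. That is the "lower Probable Maximum Loss" Sarath names, expressed as a number instead of an adjective.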

Sarath sat back, processing. "So, you didn't sell them a firewall upgrade. You sold them a lower 'Probable Maximum Loss'."

"Exactly," I smiled. "Now, please call the vendor. We have an implementation to start."

