How to convince the CFO of the budgetary security need


It had long been customary for organizations to think of cybersecurity as an information technology (IT) problem best left to IT people to address and fix. However, as more high-profile breaches were publicized, exposing a variety of sensitive personal, financial, and intellectual-property-related data, it became clear that this was a rather myopic view in today’s increasingly interconnected world.

Cybersecurity needed to be a part of the business enterprise and not just an afterthought or complementary side-function. Since most businesses have a public-facing side and are reliant on the patronage of partner organizations and/or customers, protecting their interests as well as the company’s becomes a symbiotic effort underpinned by a solid cyber security strategy. Identifying key information assets and processes and devising the appropriate security apparatus around them is a best-practices approach to securing the most critical components.

An organization’s Chief Financial Officer (CFO) is the individual focused on managing the financial risks that face the company. In this role, the CFO is in charge of financial planning and reporting up the chain as required. The CFO’s role is critical in the planning process particularly with regards to the budget. That individual will have insight into all facets of the organization, key initiatives, and any significant costs that may affect the organization in the near term. They will likely have input into the overall strategy of the company, as well as its vision and mission statement.

It is important that the CFO understand an organization’s cyber security needs by working with the Chief Security Officer and/or Chief Information Security Officer. Helping to educate the CFO on the nature of the threats, as well as their potential impacts on the organization’s business processes, production, customer relations, and public perception, will better inform them as to how to address security needs within a risk management framework. Since it is nearly impossible for organizations to protect all aspects of their enterprise, working with the CFO to prioritize threats by severity, potential impact, and cost-benefit analysis is an integral endeavor for security personnel looking to receive a budget that fits their needs.

There are some encouraging signs that the gap between CFO and CSO/CISO is narrowing. According to a 2015 survey of 100 U.S. technology CFOs conducted by BDO USA, a leading association of accounting, consulting, and professional service firms, two-thirds said they had increased cyber security measures for their respective organizations since the preceding year.

These findings do not stand alone. A separate survey conducted by CFO Signals in 2015 found that of 103 CFOs polled, 74 percent ranked cyber security as their top priority, demonstrating that not only are CFOs recognizing the need to invest in cybersecurity, they are also understanding that they have a role in it.

After all, there is increasing focus on the C-Suite when breaches make the news and consumers look for those responsible to be held accountable. In the wake of the Target, Ashley Madison, and Sony breaches, which resulted in their respective Chief Executive Officers (CEOs) stepping down or being removed from their positions, the major takeaway is that senior officers are not immune from repercussions. This caution extends to the rest of the C-Suite as well.

A lesson that CFOs can take from these examples is not to cut back on security expenses but to be willing to ensure that appropriate funding is available so that requisite security is in place, as the alternative may be finding other employment if post-breach investigations discover that sufficient funds weren’t allocated.

So how does one advocate for the appropriate cybersecurity budget from the CFO? Here are some proactive steps to help the CFO understand your organization’s cyber threat footprint:

  • Self-awareness. Helping the CFO understand the organization in terms of the types of goods and services it provides, its customer base, and its global presence brings greater self-awareness to what the organization does and how it does it. This is important in identifying those critical information assets and accesses that the organization cannot function without, thereby helping to identify and prioritize what needs to be protected.
  • Know the threat. Some organizations are targeted by all types of threat actors, ranging from hacktivists to cyber criminals to cyber espionage teams. Others may be targeted by one group more than another. Knowing the threat, who they are, what they are after, and how they operate will help identify the devices and services to implement against them. Taking proactive measures to defend against attacks that target your organization’s industry will reduce the costs associated with breach response, mitigation, and remediation on the back end.
  • Invest in the organization’s cyber security strategy. As the CFO has an understanding of budgets, they are well placed to dedicate some funding toward the organization’s cyber security strategy. While some cyber security components are product driven and are integrated into the network architecture, investing in services such as annual penetration testing, frequent user training and education, and testing of incident response and contingency plans will better prepare the organization to manage risk.

Today’s reality is that C-Suite members cannot operate independently of one another, and the more integrated senior leadership is, the better positioned an organization is to make strategic decisions that benefit the company. Cyber security is no longer solely an IT responsibility, and everyone at the top must assume an important role in safeguarding the organization, its assets, and its customers’ interests. The CFO is a linchpin in this process because, by understanding the entire company’s threat landscape, funds can be allocated accordingly using a risk management cost-benefit model tailored to and representative of the company’s needs. CFOs can keep cybersecurity at the forefront of the CEO’s concerns, where it belongs.

This post was originally published on CSO Online’s site.