This article was originally published on the Innovation Enterprise Channel.
The CFO has to ask the hard questions: What cyber security initiatives will give us the best return?
Cyber security, once thought of as the exclusive domain of a specialized subset of the IT department and possibly under the purview of a Chief Security Officer, is influenced today to a large part by the CFO.
In a recent CFO Webcast titled ‘Five CFO Best Practices for Keeping Your Enterprise Cyber-Secure’, I had an opportunity as a panelist to bring some of the most pressing issues on cyber security to light.
Security professionals tend to be paranoid. That is their proper role, and we are all safer because of it. But their tendency is to want to fix everything, no matter how small or insignificant the risk may be – and as the threat profile grows and the number and type of threats proliferate, it is up to the CFO to be the skeptic in the room. The CFO has to ask the hard questions – what cyber security initiatives will give us the best return? As the threat landscape evolves, we must respond in such a way as to make the most important investments first, rather than trying to fix everything at once – an approach that is overwhelming and quite possibly unachievable.
Despite the essential role Finance should play in cyber security, a poll taken during the Webcast indicated that just 31.3% of attendees agreed that their finance team had the skills, training, and resources needed to mitigate and respond to data breaches. Slightly more, or 34.9%, disagreed with that statement.
Clearly, the old model of IT being an independent authority with the ability to ask for money ‘because we need it’ and without justification is over, and the CFO needs to have a deeper understanding of the cyber security realm, and the risks and rewards involved in each and every cyber security initiative. The Finance team is in a great position to attend to this pressing need, since – if Finance is operating properly – it already is in communication with every other line of business within the organization. The people who write the checks are always in the best position to ask questions! The first place to start in achieving the best possible cyber security will lie with the CFO building cross-functional collaboration and cooperation with the business’s cyber security strategists.
Part of that collaboration is building an incident response plan. While the tactics may rest with IT, assigning priority based on actual risks is the role of the CFO.
That’s always a hard task, and the best practices for the CFO will be to assess the financial impact of a potential data breach, and whether there are hidden and indirect costs that may include a loss of market share, defection of employees, or reduced ROI. A data breach or cyber attack naturally has several very immediate effects, many of which hit the bottom line almost immediately. Imagine, for example, a retailer being attacked on Black Monday – the financial losses would be enormous. But nonfinancial impacts also have to be taken into account. There could be, for example, a loss of customer trust, harm to reputation, and a decline in the value of a brand.
An especially relevant topic in the realm of cyber security is the cloud, and participants in the session asked insightful questions about cloud-based cyber security. This is often the source of misunderstanding on the part of people who feel that the cloud is less secure, which is not the case. Usually, cloud service security is as good as, if not better than, most organizational information security. Those problems that do exist are largely located at the cloud edge, and enterprise security teams need to become more familiar with how they are connecting to the cloud, rather than security of the cloud itself.
It’s up to the CFO’s office to bridge the gap that often exists between security and the lines of business, ensure that adequate resources are being devoted to the right areas of cyber security, and especially to play the role of skeptic in seeking realistic risk assessments as part of allocating resources.