The importance of cyber security is no secret to anyone who watches the nightly news. Senior executives at businesses of all sizes understand all too well that today’s global economy is still not adequately protected against cyberattacks, despite years of effort and spending in the multi-billion dollar range each year. But until recently, many CFOs may not have been considered an integral part of an organization’s security team or understood how to respond to security risks and the implications for their organizations. But times have changed and many CFOs are being called upon to help promote cyber security and identify threats.

CFOs have a major role to play in the daily running of an organization. For starters, they work directly with financial analysts and have concerns over loss of control over their financial reporting. Of course they are also concerned with the potential loss of funds either through good, old-fashioned theft or as a direct result of another third party’s misfortune.

If you think about it, finance chiefs have good reason to be concerned. The information that the CFO controls and works with on a daily basis is some of the most sensitive and important that can be found in an organization. The CFO must understand where the information is at all times, how it’s secured, who might want to steal it, and how hackers might gain access to it. Perhaps most importantly, the CFO has a duty to provide plain, true, and complete disclosure to the board on a wide range of issues. Today, many would argue that they should include the potential impact of cyberattack on the financial standing of the organization.

The cost of a cyber-attack, whether it’s financial or reputational, can be astounding. For CFOs, information security must become a top priority in defending their organization’s future. According to Deloitte’s third-quarter 2014 CFO Signals™ survey, North American CFOs view cybersecurity as a high priority, but there are certainly concerns about implementation of information security plans.

Overall, 74% of 103 CFOs said cyber security is a top priority, while only 6% of those surveyed do not view it as a high priority. Obviously, security threats will continue to be a major business disrupter. This is confirmed by the finding that more than half of CFOs surveyed cited anxieties about security of data, intellectual property, and facilities.

Risk vs. Reward

Business leaders recognize the enormous benefits of cyberspace, yet many are having difficulty determining the risk versus the reward. The benefits of cyberspace come with significant risks, and the threat of cyberattack is firmly at the top of the board agenda.

While organizations are exploiting the business benefits of cyberspace, they may not realize that it confers the same benefits to those who attack those organizations. Hacker groups, criminal organizations, and espionage units worldwide have access to powerful, evolving capabilities, which they use to identify, target, and attack.

Steve Durbin

Steve Durbin

Many of the security activities associated with cybercrime are based on fundamental information security incident management, and are covered under such topics as information security incident management and forensic investigations. But cybercrime often involves sophisticated, targeted attacks against an organization and, as such, additional security measures may be required to respond to specific cybercrime-related attacks.

Cybercrime-related intelligence relating to the development of attacks should be reviewed by the CFO on a regular basis to determine:

  1. The extent to which the organization is at risk of a cybercrime-related attack.
  2. How targeted information could be used by criminals.
  3. The techniques used by criminals to perform cybercrime-related attacks.
Damage to Brand Reputation

Attackers have become more organized, attacks have become more sophisticated, and all threats are more dangerous and pose more risks to an organization’s reputation. In addition, brand reputation and the trust dynamic that exists among suppliers, customers and partners have appeared as very real targets for the cybercriminal and hacktivist.

With the speed and complexity of the threat landscape changing on a daily basis, all too often we’re seeing businesses being left behind, sometimes in the wake of reputational and financial damage. When a data breach occurs, it’s important to limit its impact and the potential impact on the organization’s reputation. CFOs need to ensure they are fully prepared to deal with these ever-emerging challenges by equipping their organizations better to deal with attacks on their reputations. And the faster you can respond to these attacks on reputation, the better your outcomes will be.

From Employee Awareness to Embedded Behavior

Organizations continue to heavily invest in developing human capital. The implicit idea behind this is that awareness and training always delivers some kind of value with no need to prove it – employee satisfaction was considered enough. This is no longer the case.

Today’s CFOs demand return on investment forecasts for the projects they have to choose among and awareness and training are no exception. Evaluating and demonstrating their value is becoming a business imperative.

Finance chiefs understand that spending a small amount up front could very well save the organization a great deal in the event a breach occurs. Unfortunately, there’s no single process or method for introducing information security behavior change. That’s because organizations vary so widely in their demographics, experiences, achievements, and goals.

The time is right, and the opportunity to shift from awareness to tangible behaviors has never been greater. CFOs have become more cyber-savvy, and regulators and stakeholders continually push for stronger governance, particularly in the area of risk management. Moving to behavior change will provide the chief information security officer with the ammunition needed to provide positive answers to questions that are likely to be posed by the CFO and other members of the senior management team.

Do I Really Need Cyber Insurance?

Of the 970 financial professionals who attended the AFP conference in Washington last November, and responded to a survey, 62% said that their organization has been subject to either an actual or attempted cyber-attack at least once over the past year. Only 15% of financial professionals responding to the survey said their companies have upped the amount of cyber insurance carried. Is cyber insurance necessary?

Privacy exposure has been a key motivator for some organizations to purchase cyber insurance. Others are motivated by growing regulatory exposure. It’s no longer just the organizations that we’ve traditionally focused on, including financial institutions, retail, health care, and higher education. Those industries have been buying insurance for a long time. The health care industry has been a particularly large buyer of cyber insurance, stemming from the enormous volumes of customer data health care outfits must handle. I’m also seeing players in a number of new industries, such as manufacturing and supply chain, who are purchasing cyber insurance because of regulatory concerns.

But remember: cyber insurance is no replacement for sound cyber security and cyber- resilience practices. On the contrary, well-resourced compliance practices can often positively reduce the associated premiums for cyber insurance.  Further, finance chiefs need to look very carefully at the small print – many policies don’t cover state-sponsored attacks and may not provide you with the full financial cover that you would wish.

 Is Cyber Security Enough?

Far too often, organizations implement measures to prevent cyberattacks in response to a data breach. A meticulous CFO can save the company the embarrassment and financial impact of a major breach by taking proactive steps in anticipation of targeted attacks. Companies should take the time to develop a data breach response program. The must also rehearse various scenarios before an incident occurs.

But establishing cyber security alone is not enough.

Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach and it no longer provides the required protection. Organizations must extend risk management to include risk resilience, in order to manage, respond. and mitigate any damaging impacts of cyberspace activity.

Cyber resilience anticipates a degree of uncertainty. It’s difficult to undertake completely comprehensive risk assessments about participation in cyberspace. Cyber resilience also recognizes the challenges in keeping pace with, or anticipating, the increasingly sophisticated threats from malspace.

It encompasses the need for a prepared and comprehensive rapid-response capability. That’s necessary because organizations will be subject to cyberattacks regardless of their best efforts to protect themselves. Above all, cyber resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inevitable attack.

In the past, while the CFO has not been viewed as a vital member of the security team at most global organizations, they play a significant role in advocating for and pursuing critical investments that promote long-term business growth. Given the risks that cyber security threats pose in a technology-driven, global economy, today’s CFO must focus on cyber security to ensure that adequate steps are taken to preserve and protect the company’s reputation, stock price, and most valuable information properties.

Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, bring your own device, the cloud, and social media across both the corporate and personal environments. Previously, he was a senior vice president at Gartner.

, , ,

8 responses to “The CFO’s Role in Cyber Security”

  1. You carry on talking about it; we’ll carry on developing around the problem. Oh! I forget, we already have… 🙂

  2. Information Security/Information Risk Management is treated as the bastard step-child in most organizations and especially in startups. Worked for a startup briefly and found out that they made me the Director of Security solely to get their next funding. Everything that was stated in the interviews, the job description, their five year plan, the building out the security department was all a lie. They ended up, after I left, getting acquired through lying and falsifying documentation about their technology. Amazing how big companies buying startups can easily be fooled by dressing up. Chocolate on crap is still crap!

Leave a Reply

Your email address will not be published. Required fields are marked *