“Traditionally, cybersecurity has been focused on the upfront protection piece,” notes Heather Crofford, the incoming CFO of Enterprise Shared Services for Northrop Grumman, the big aerospace and defense contractor.
That aspect includes the internal controls, employee training, and technology needed to protect the system from hackers getting into the system in the first place. But for Northrop and many other companies “detection, response, and recovery are where the increasing investment needs to be,” says Crofford.
Driving that change is the dawning realization that corporations will never be able to totally seal off their networks from cyber breaches. “Whether we like it or not, hackers will get in – and they do get in, every day,” she says. “The challenge is, yes, to minimize that. But as we get more sophisticated, it’s going to be: How do we operate in an environment if we know they’re in our systems?”
For a finance chief, Crofford has been able to pick up an unusually large dollop of that kind of sophistication. She joined Northrop in May 2014 as CFO and director of business management for the company’s cyber division within its information solutions sector. In her ten months in that role, she’s been in charge of all of Northrop Grumman’s contracts with the Department of Defense and other government and private-sector customers to protect their networks against cyber attacks and mitigate the effects of attacks.
Before joining Northrop Grumman, Crofford worked for more than a dozen years for the Boeing Company, most recently as the CFO of its electronic and information systems division, in a job that similarly combined finance and IT.
At the beginning of March, Crofford’s slated to take over as finance chief of the corporation’s internal services unit, where she’ll oversee information technology and assurance, infrastructure, financial and human resource shared services, accounting, and – most significantly, for a company that often deals with classified federal government information – security.
Weeks before starting her new job, Crofford compared it to her post in the cyber unit. “I have all the external, national security pieces for Northrop, and when I go into my new role, it’s more internal,” she said. “But protecting the network is still one of the biggest pieces.” In an interview with CFO in late February, she discussed her career and expanded on “Cyber Security and The Evolving Risk Landscape,” a presentation she’s slated to give at the March 11 to March 12 CFO Rising East Summit in Miami. Following is an edited version of that conversation.
What are your biggest challenges in terms of cybersecurity at Northrop Grumman?
We have to build our systems to resiliently continue to operate if we’re hacked. That will also involve an offensive piece. Once hackers get in, the attack becomes automated. They’re using a machine-written, automation system that’s going at a speed at which they can shut down your system and exploit and change data extremely quickly. On our end, trying to protect our system involves a human response – so, by default, [it’s going to be slower].
How do you plan to operate in that environment?
Part of it is investment in what we’re calling resilient systems, which have capability built in to identify and detect attacks quicker. They can provide the analysis to help us understand what hackers are doing so we can respond. In terms of the available technology, there’s a big emphasis on detection: identifying anomalies and continuously monitoring the system. Once you can detect the threat in your system, the question then becomes, can you live with that, or are there ways that you can deter it? Or, are there ways to counter their response by creating confusion on their end about what you’re doing on your system?
While there are a lot of systems we are looking at, my job is not to decide what the right systems are. It’s to figure out how we are protecting the networks and to work with the CIO, in particular, to ensure that we are making the right decisions.
What are you thinking about from a cost perspective when you go in there with your CIO?
The cost/benefit analysis is becoming so much more important. Traditionally, IT protection has just been a line-item in the budget. Now it involves more understanding of the risk and figuring out the tradeoffs in ‘what-if’ scenarios: If an attack happens, what could the financial implications be to our business?
At Northrop Grumman, we do a lot of classified work in national security, and our reputational risk is huge. For me the issue isn’t trying to figure out what the right amount to invest [in security] is, but knowing that the downside is so significant that you can’t afford to cut corners in this area. So we are actually increasing our cost to focus on more than just protecting the networks.
Traditionally, cybersecurity cost has been focused on that upfront, “protect” piece. If you look at Sony and other well-publicized examples, the protection failed. But the important thing was that they couldn’t respond quickly enough once it did.
That hurts from a reputational standpoint, but also from the perspective of getting the system restored and getting computers back in the hands of employees. I think that increased investment should reflect those risks. When estimating your cyber budget, you need to equally consider the potential cost of detection, response and recovery, and not just protection and defense.
How would you characterize your risk appetite?
It’s extremely low. CFOs need to take a long, hard look at what their risk appetite for an attack like this is. They need to locate areas where hackers can get in and the areas where you can really take a slightly higher risk or a lower risk. In our business – where national security is our business – it’s always going to be extremely low.