Hijacking technology used to be the favorite hobby of benign oddballs. The Max Headroom incident was inexplicable, but harmless. Gary McKinnon may have hacked the Pentagon, but he was hunting for evidence of UFOs. That’s sadly not the case anymore: cyberattacks can and do inflict real damage.
Sony Corporation has become a famous example. In the last few years, it’s suffered no fewer than three high-profile security breaches. The latest – a DDoS attack around Christmas – was an inconvenience, the fallout being five days of network outage and a few irate gamers. The 2011 PlayStation Network hack, however, resulted in a mass data harvest – and a $15 million settlement for those affected. And, of course, there’s last year’s infamous attack on Sony Pictures, which saw sensitive emails made public, major films leaked early to torrent sites, and its co-chair step down.
Hacking is a weapon – it has become a business-critical issue costing companies millions, which very much puts it in the domain of the CFO.
The argument from some quarters is that outsourcing your protection is the way forward. For CFOs, it’s easy to see the appeal of making the process of protecting your infrastructure another number on a balance sheet. Unfortunately, while it’s simpler in the short-term, it’s hard to know in advance that your managed service provider (MSP) will get cybersecurity right. With many data breaches occurring as a result of poor outsourcing decisions, it’s a risk that many boards aren’t prepared to take – we have even seen some situations in which a company has had to buy back its own data from a legacy MSP.
Building an in-house security operations center, or SOC as it’s more commonly known, can be a resource-intensive process. But managed correctly, it can safeguard your business-critical data and your bottom line.
To Integrate or Not
The first decision a CFO should make is whether or not in-house security should be integrated with the rest of the IT department. For smaller businesses, this might be unavoidable; for medium-to-large enterprises, however, it’s worth thinking about.
A dedicated SOC has many benefits, chief among them that your business owns its data and knows what’s happening with it. It gives you in-depth control over your IT security and enables your company to make the best use of its application performance. But a SOC does require security-specific hires, the most important of which has to be a well-pedigreed Chief Information Security Officer (CISO) with a well-developed C-level skillset, reporting to you and the CIO/CTO.
Once you’ve appointed a CISO, get her or him to educate the board. A company’s leadership team doesn’t need to know the intricate detail, but does need to know that mission-critical data is protected and security is designed to support the business’s growth objectives. The CISO will also manage the SOC through the installation and implementation phase, before appointing the analysts who monitor the network for suspicious activity and potential security issues.
The big challenge for CFOs is that security can be expensive. It’s possible to spend a lot of money, and there’s no guarantee you won’t be breached. The most important thing is that CFOs realize the role of the CISO is now a strategic one. IT security should be a business enabler, and the role of the CISO should be less focused on the technical and more on strategy and stakeholder management. Understanding how security can help a business achieve its objectives and overcome organizational challenges is key to the CISO role.
Being unprepared for cybercrime can have a direct impact on the bottom line and share price. If you’re seen to be vulnerable, shareholders will panic. Luckily, this is avoidable, and if you’re thinking about it now, chances are there’s still time to take pre-emptive action. CFOs who understand the security risk and how to mitigate it can save money, time, and energy – and prevent long-term damage to their business infrastructures.
Simon Kouttis is the technical lead at Stott and May, an executive search firm.