Special Report: Managing Cyber Risk

Although a brave new world of corporate sharing of cyber threat information is arising, there are still concerns about government involvement.
David KatzFebruary 24, 2016

When President Obama signed the Cybersecurity Information Sharing Act of 2015 late last year, the outlines of a new, highly complex relationship among corporations and federal and state governments began to emerge around the issue of how the public and private sectors would interact to manage cyber risk.

2016_02_SR_CyberRisk_IntroGraphicAs “Share and Share Alike,” the lead article in CFO’s special report on managing cyber risk notes, the notion that corporations should band together and share information about threats to their networks is nothing new. The advantage in terms of speed in catching black hats if companies tip each other off is obvious. In fact, companies have been alerting each other within industry groups since 1998, operating under the wing of the federal government as Information Sharing and Analysis Centers (ISACs).

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Outside the realm of ISACs, smaller efforts to share data on potential cyber attacks are cropping up.  In January, Proofpoint, a firm that sifts through corporate emails to catch hackers for corporate clients, and Palo Alto Networks, which builds firewalls, launched a partnership in which they would be “sharing data in real time” to make each of their products more effective,  Proofpoint CFO Paul Auvil says in an in-depth interview. Neither firm’s product is “infallible,” he adds.

For certain tech companies– most notably Apple– however, wide-scale, national information sharing under CISA represents a threat to their reputations as protectors of their clients’ privacy. Increasing government cybersecurity mandates are on tap as well, most notably in the financial services area, write lawyers John B. Kennedy and Michael T. McGinley.

“This year, expect regulators to hold companies accountable for their cybersecurity failings,” they add. “Since CFOs play a critical role in ensuring their companies are able to meet these expectations, they should stay informed about these developments.”

Further, finance chiefs will be knee-deep in determining what their companies’ cybersecurity strategies – and spending – will be, writes Patrick Morin, describing a free new tool available from the federal government available from the federal government that will help CFOs assess the vulnerability of their companies to an attack.

“Specifically, the CFO needs to understand the relationship between cyber threats and the investments needed to mitigate them,” he writes. The tool “can go a long way to helping finance chiefs to grasp that relationship at their companies.”