Promoting knowledge of cyber risks and security across organizations is an enterprise-wide challenge for company leadership. CFOs and senior finance leaders are being called upon to help defend against attacks, especially since many of these attacks target financial information, according to Jennifer Louis, an expert instructor for Becker Professional Education and a training firm founder.
Louis discussed with CFO what finance and accounting executives need to do to address cyber threats, shore up cyber defenses, and build cultures of accountability.
Jennifer Louis: Instructor, Becker Professional Education; President, Emergent Solutions Group
This interview has been edited for length and clarity.
JENNIFER LOUIS: Cybersecurity failure is expected to be one of the critical threats the global economy will face in the next two years, according to the World Economic Forum 2022 Global Risk Report. An increase in frequency and magnitude of cyber attacks, data breaches, and ransomware requests has prompted public and private sector responses worldwide to place this issue at the forefront.
In many ways, cybersecurity threats are outpacing the ability to effectively prevent or respond to them. Vulnerabilities can be costly in a variety of ways. Finance is well positioned to quantify and communicate the potential results of any failures to effectively address threats, such as the reputational and economic damage that could occur from a cyber attack.
LOUIS: Understanding cybersecurity in today’s complex digital world begins with knowing what the most common threats are, who the potential “bad actors” are, and what can be done to establish defenses. Finance professionals, who are analytic and experienced in critical thinking, are invaluable to advancing efforts to address cyber risk. Finance and accounting can use their experiences with identifying, evaluating, and determining how to manage financial reporting risks to assist management and those charged with governance with establishing cybersecurity objectives that address cybersecurity risks that could affect the achievement of the entity’s broader, overall business objectives.
Cybersecurity risk management objectives will vary, depending on the environment in which the entity operates, the entity’s mission and vision, risk appetite, and other factors. Finance and accounting can use their analytic and critical thinking skills to establish a risk-based approach to cybersecurity risk management.
For example, the finance team can offer informed advice on making the best allocation and use of cybersecurity spending, as many organizations make the mistake of simply throwing cash at the potential problem and hoping it will prevent all threats. The finance team can analyze whether a new technology is a right fit for the need and whether it is the best solution compared to alternatives.
In addition, the finance team can take a role in helping to ensure compliance with regulations such as the General Data Protection Regulation (GDPR) and related legal and regulatory mandates.
LOUIS: Executive leadership can set an example for the organization by building a culture of cybersecurity that ensures employees operate at the highest standards and have the appropriate resources. To support a culture that places a priority on cybersecurity risk management, cybersecurity spending should be seen as more of an investment than a cost.
Executives need to build perceptions that a focus on cybersecurity has a direct and material effect on securing an entity’s ability to achieve broader, overall business objectives.
LOUIS: The leading cause of data breaches is often human error, so better educating employees on how to best secure the organization is critical. The organizational culture should affirm that employees will not be punished for reporting something suspicious or acknowledging where there may be critical skill gaps that need to be closed. Across the organization, evaluate competencies and address any shortcomings through training, reallocation of responsibilities, outsourcing, or other means.
LOUIS: Communicate how an entity’s established objectives with operations, reporting, and compliance link to and form a basis for resource commitment. For example, all organizations should have a risk security committee that includes a senior finance person and that sets cybersecurity high on its agenda — and resources should be allocated accordingly.