
5 Cybersecurity Questions CFOs Should Ask CISOs

Armed with the answers, chief financial officers can play an essential role in reducing cyber risk.
Bob Violino, July 18, 2022

Even in a shrinking economy, organizations are likely to maintain their level of cybersecurity spend. But that doesn’t mean that, in the current climate of rising costs and a possible recession, they won’t take a magnifying glass to how the money budgeted to defend systems and data is actually being spent. Indeed, experts say that at many companies cybersecurity spending isn’t targeting the most significant dangers, as the large number of successful ransomware attacks and data breaches shows.

Without a comprehensive understanding of the security landscape and what the organization needs to do to protect itself, how can CFOs make the right decisions when it comes to investments in cybersecurity technology and other resources? They can’t.

So, CFOs need to ensure they have a timely grasp of the security issues their organization faces. That requires turning to the most knowledgeable people in the organization: chief information security officers (CISOs) and other security leaders on the IT front lines.

Here are five questions CFOs should be asking their CISOs about the security of their companies. 

1. How secure are we as an organization?

This is a tough question to answer but it needs to be asked, if for no other reason than to give the CFO a sense of the level of attacks against the enterprise and what the security team is doing to protect systems and data.


“This is a question that is asked frequently of a CISO, and it’s one of the most difficult questions to answer appropriately,” said Michael Gordon, CFO at software company MongoDB. The ideal CISO response, Gordon said, is: “We have identified our crown jewels and secured them as best we can, given the resources available and the knowledge we have about the cybersecurity landscape as it is today.”

There are several tangible metrics organizations can use to gauge the level of security risk they face. One is the number of attacks or attempted breaches the organization has experienced, including the ones that were detected and blocked rather than only the incidents that caused visible damage.

“Many non-IT, C-level executives don’t know all the attacks their organization faces,” said Raj Patel, a partner and cybersecurity practice leader at consulting firm Plante Moran. “They only know of the large ones and not the ones that were blocked and resolved quickly. If they have all the data, they might [better] understand cyber spend requests.”

2. What are the main security threats or risks in our industry?

This is somewhat of an extension of the previous question, but it’s particularly important for CFOs in industries that are prime attack targets. Many threats and risks are aimed at specific types of companies such as financial services firms and healthcare providers. In some cases, the actual attacks are designed for specific kinds of systems and data.


Knowing the latest trends concerning industry-specific attacks can help CFOs get a handle on what investments the organization needs to make to protect itself and mitigate risks.

“Just because it hasn’t happened to your organization yet doesn’t mean you are immune,” Patel said. “It is just a matter of time.” Understanding what’s going on in the industry can help the CFO assess their organization’s preparedness.

3. How do we ensure that the cybersecurity team and the CISO are involved in business development?

Security has long been viewed by many as a hindrance to innovation and productivity, but it doesn’t have to be that way. CISOs have a place at the C-suite table, and CFOs can work with them to help make security a strategic part of the business.

CFOs should ask CISOs what they can do to help security teams be successful and effective, Gordon said. “This is important to make sure your CISO understands your view of this as a priority and critical to the success of the business.”


Security must play a significant role in a company’s evolution, business operations, and product development, said Brian Wenzel, senior vice president and CFO at financial services firm Synchrony. “It must be embedded in acquisitions, partnerships, and governance.”


Savvy organizations are tackling cybersecurity and data protection issues by infusing cybersecurity efforts and awareness from every perspective and at every level, Wenzel said. “They are prioritizing data security in the C-suite to best manage and mitigate risks and threats,” he said.

Historically, security was viewed by many CFOs as a cost center, Wenzel said. “But that’s changing,” he said. “Organizations must view security as a business development opportunity. CFOs should leverage the CISO and security efforts to grow, build, and expand the business.”

4. What are the risks and potential costs of not implementing a cyber control?

Measuring return on investment for cybersecurity spending can be tricky, because the potential return takes the form of something not happening, such as a successful attack.

Still, it makes sense for CFOs to ask security leaders about the likelihood of a given type of attack occurring, how much it could cost the organization, and how much it would cost to prevent this type of attack.

“It might cost $1,000 to put in a device to monitor your network, but it could save you over $100,000 if you don’t [have it] when an incident happens,” Patel said.

Costs can also take the form of lost business following an attack. 

“Customers and partners expect a great deal from any company working with personally identifiable information,” Wenzel said. He noted that recent research has shown that privacy and data protection failures are a main reason customers will leave a brand.

5. Do employees understand information security and are they implementing security protocols successfully?

A substantial share of cybersecurity risk stems from insider threats. These are not necessarily malicious actions; they are often the result of negligence or human error, such as an employee clicking a phishing link or mishandling data. Regardless of intent, organizations need to ensure employees are well aware of security risks and of the proper use of technology tools and services.


Workers need to be trained about what to look for so they can avoid becoming victims of phishing and other attacks, and CFOs should be asking what needs to be done to improve awareness and education.

“That’s the source of significant information leakage from organizations today. Scammers try to use the human element to obtain access to information,” said Russ Porter, CFO at the Institute of Management Accountants, an association of accounting and finance professionals.

Training and awareness need to happen at every level of the organization, including the senior executives who can be the targets of specific attacks.