Empowering the CFO to Champion Cyber Risk Management

CFOs play a pivotal role in determining the cyber health of a company and ensuring cybersecurity investment matches potential risks.
Saket Modi, September 12, 2022

We are collectively experiencing the side effects of a disruptive geopolitical conflict that is influencing the ongoing inflation cycle. World economies will continue to be impacted by the consequences, but global organizations have ample opportunities to redirect and distribute their finite resources. However, the one function that organizations cannot afford to negotiate down is cybersecurity. 

The CFO can play a pivotal role in determining the cyber health of an organization, answering critical questions such as:

  • Where should we make investments?

  • What is our return on security investment?

  • Is our current cyber insurance coverage enough?

  • What is the financial impact of a potential cyber attack?

  • How can we reduce our cyber risk?

How can a CFO answer these questions? One place to start is enabling the chief information security officer’s team to represent cyber risk in the terms and context a finance chief can analyze and digest.

To date, the lack of such a shared language has been a massive obstacle for security teams trying to prove their value to business leadership. Never before has the need to measure, manage, and mitigate cyber risk in a business context been a key point on the boardroom agenda.


Risk has been measured for decades in insurance and financial services to solve conundrums such as: What is the likelihood of a loan’s repayment based on certain pre-identified parameters? Will an individual claim on their accident coverage? How much risk is a company undertaking? It is this long history of financial risk management, combined with experience and expertise, that makes CFOs valuable stakeholders in informed cybersecurity decisions to accept, mitigate, and transfer risk.

Converging Teams to Build Cyber Resilience

The recently proposed U.S. Securities and Exchange Commission guidelines, and other regulatory standards, all point toward maintaining or increasing cybersecurity investments. Unlike other areas of technology spending, cybersecurity has an outside driver: threat actors. It is no surprise that several experts believe cybersecurity spending will remain one of the top priorities of businesses, even if countries enter a recession.

An economic recession does not shrink an organization’s attack surface, so the challenging task of redirecting resources falls to the chief information security officer (CISO) and their team. While CISOs will continue to justify their investments, they also need to identify champions who understand the nuances of risk management.

The responsibilities of owning and managing risk rest with two distinct teams. While the CEO, CRO, CFO, and board members own enterprise-wide risk, the CISO’s team is responsible for managing cybersecurity risk across the enterprise. In a digital trust-based era, these roles of C-suite executives must converge on a deeper level to ensure an organization can remain secure. 

Cyber Risk Quantification

As reported by Gartner, “88% of boards now see cybersecurity more as a business risk than a technology risk.” Quantifying cyber risk can provide the lowest common denominator across all levels of decision-making by representing the dollar value loss owing to a data breach. 

Cyber risk exists within and across basic organizational architecture and other moving parts including people, processes, technology, and third parties that are dispersed across a vast attack surface. Quantifying cyber risk is possible on two levels: a macro enterprise level addressing the potential financial impact of a ransomware attack on the business, and a micro asset and application level addressing the potential financial loss due to an employee’s cyber awareness (or lack thereof) or deciding to invest in a certain cybersecurity product (or not).

If a business does not experience a ransomware attack before the end of this month or year, that outcome still says something about the likelihood of an attack in the future and about its financial impact (in this case, a net saving). Using this information, a CISO can translate cyber risk from bits and bytes to dollars and cents, and enable all relevant stakeholders to:

  1. Make informed decisions about other aspects of the business; when cyber risk is already accounted for, it frees up budget for other organizational requirements.

  2. Negotiate the best cyber insurance premiums for the business.

  3. Understand the true ROI of security investments and choose whether to maintain the status quo, to invest less, or to invest more.
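As an added worked example (not code from the article or from Safe Security), the macro-level quantification described above expressed in code: a constructed ransomware scenario stated as event frequency and loss magnitude, its expected annual loss in dollars, the simulated loss distribution a cyber insurance limit can be checked against, and the return on a control that lowers the loss. Every figure below is a constructed assumption for illustration.

```python
"""Cyber risk quantification in dollar terms (constructed figures, not data
from the article). Frequency x magnitude gives the expected annual loss a CFO
can compare with budgets, premiums and the cost of controls."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """One loss scenario in the terms a finance chief reads: how often, how much."""
    name: str
    events_per_year: float   # expected frequency of a loss event (e.g. ransomware)
    median_loss: float       # median single-event loss in dollars
    loss_spread: float       # sigma of the log-normal magnitude (tail heaviness)


def annualized_loss(s: LossScenario) -> float:
    """Closed-form expected annual loss: frequency x mean magnitude.
    For a log-normal magnitude the mean is exp(mu + sigma^2 / 2), mu = ln(median)."""
    mean_event_loss = math.exp(math.log(s.median_loss) + s.loss_spread ** 2 / 2)
    return s.events_per_year * mean_event_loss


def simulate_annual_losses(s: LossScenario, years: int = 50000, seed: int = 7) -> list[float]:
    """Monte Carlo: Poisson event count per year, log-normal loss per event.
    Yields the whole distribution, so tail questions ('is the insurance limit
    enough?') can be answered, not just the average."""
    rng = random.Random(seed)
    mu = math.log(s.median_loss)
    totals = []
    for _ in range(years):
        # Poisson draw by inversion (the stdlib has no Poisson sampler)
        count, p, u = 0, math.exp(-s.events_per_year), rng.random()
        cumulative = p
        while u > cumulative:
            count += 1
            p *= s.events_per_year / count
            cumulative += p
        totals.append(sum(rng.lognormvariate(mu, s.loss_spread) for _ in range(count)))
    return totals


def percentile(values: list[float], q: float) -> float:
    """q-th percentile (0-100) by nearest rank; the 95th is a common insurance-limit check."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, math.ceil(q / 100 * len(ordered)) - 1)]


def return_on_security_investment(before: LossScenario, after: LossScenario, annual_cost: float) -> float:
    """ROSI = (annual loss avoided by the control - its annual cost) / its annual cost."""
    avoided = annualized_loss(before) - annualized_loss(after)
    return (avoided - annual_cost) / annual_cost
```

Running the same scenario before and after a control (for example, a lower median loss once offline backups exist) turns the "invest or not" question of point 3 into a number the CFO can weigh against the insurance premium of point 2.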

Today, cybersecurity risk management is integral to enterprise risk management. The largest challenge it faces is how to convert cyber risk into financial risk for non-technical decision-makers, with the goal of helping them appreciate the priority of cybersecurity in ensuring business continuity. 

The unlikely hero for the cybersecurity team during times of recession will be a person with a strong portfolio who knows and understands the impact of risk — financial, human, operational, or cyber. I see the CFO emerging as a crucial peg in the wheel of cybersecurity, as long as security teams can align with the CFO’s agenda: confidence in the risk posture, increased customer trust, contributions to overall business objectives for growth, and the efficiency to get the most from investments.

Saket Modi is CEO and co-founder of Safe Security.
