A New Era of Cybersecurity: The CISO & CFO Partnership

Ransomware and other cybersecurity attacks are increasingly common for organisations, forcing the C-suite to review their roles in protecting organisations. The sophistication of threats poses continued and increasing risks to businesses. Long gone are the days where Chief Information Security Officers were the sole drivers of cybersecurity protections.

As a CISO, I have learned first-hand the advantage of working side-by-side with the CFO to ensure that all aspects an organisation are protected against cyber threats. Together, the two offices can redefine astute strategic investments in cyber hygiene solutions, data and analytics, company training and culture.

The logic behind it is clear: the need to prepare against threat actors before experiencing the proverbial gun to the head has never been more important. The role of executive leadership teams is two-fold: promoting a culture of cybersecurity awareness and action and actively developing and updating cyber incident and ransomware responses.

Having transformed Equifax’s security program after experiencing cyber challenges, I can share several learnings to inform and encourage an increased collaboration with CFOs to formulate plans for cybersecurity expenditure.

Protecting all business entry points

Any system or individual connected to your business is an entry point for threat actors. It’s important for the C-suite and company boards to have the full picture of both business-critical and lower stack systems to effectively and proactively protect against cyber risks.

Migrating to the cloud creates opportunities to exceed traditional on-premise security. At Equifax, introducing over 150 automated checks in our cloud environment gave us visibility into our security posture in real-time to a degree that wasn’t possible before. This real-time visibility is critical because it helped steer how we applied automated and cultural controls to address suspicious activity.

Investing in advanced analytics and intelligent data orchestration to help your business verify the identity of customers and employees will go a long way to help prevent cyberattacks and fraudulent behaviour. For financial teams, working with CTOs and CISOs to understand the threat landscape for their business as a whole and how to maximise cybersecurity investment across the ecosystem can help to safeguard all business access pathways.

Understanding the hackability threshold

Cybersecurity preparedness is not only about investing in TechSec. Businesses need to be prepared to respond to cyber threats even if the most innovative and intelligent systems are in place. In today’s environment of increasing ransomware attacks and cyber threats, businesses also need to understand their hackability threshold.

A threat actor’s impact can resonate well beyond the initial cyber attack. CFOs and their teams are best placed to run projections to assess the potential financial impact from the loss of information and access that was targeted, as well as the legal and reputational ramifications. Projections covering security, legal and media considerations can set the scene for ransomware response playbooks, which should be a company’s response to cyber threats, willingness to pay and wider company support mechanisms for cybersecurity programs.

Each company has a different threshold for responding to cyber threats, so having transparency over where to draw the lines can enable teams to prepare effectively. By shifting company thinking from ‘we would never pay ransomware’ to ‘never say never’, business leaders can accurately understand their threshold for responding to threats.

Where does your company draw the line? Starting to think like a threat actor, not as a corporate, then preparing for the various scenarios that may arise can elevate your business’s cyber response from processes to preparedness.

Investing in resilience

Cyber security is an enterprise problem, not a technology or security team’s problem. A key component to cyber resilience is knowing whether a company is future-proofing teams in line with the overarching enterprise direction. And CFOs are integral to determining the future direction of a business.

Bolster your company to operate in the future state, always. Financial leaders can help to lead this company-wide mindset by applying secure by design principles to cybersecurity programs and preparedness. This means solutions are being put into place early in an initiative’s deployment to enable business deployment.

Over at Equifax, we invested about $US1.5 billion in security and technology, the largest investment in our company’s 122-year history, after experiencing a cyber breach and its ripple effects first-hand. Through this transformation process, we have focused on building up resilience and transparency and applying learnings to our TechSec stack and security culture. This has enabled us to make security and fraud detection more transparent and convenient for internal and external stakeholders and has more visibility to inform management decisions on cybersecurity preparedness.

Evolving from risk impact assessments to threat impact assessments can more accurately assess your company’s position against cyber threats. This can then inform company expenditure in cybersecurity.

Fostering a cyber-aware company culture

Cybersecurity preparedness should involve a board and C-suite driven strategy, not a CISO-driven strategy, that filters through to the entire company.

Encouraging a cyber-aware company culture has significant benefits to mitigating cyber risks. One initiative that has worked well for us has been integrating staff’s security performance into their overall performance. By giving employees visibility over their own security performance each quarter and clear actions to improve their ‘security scorecard’, we’ve embedded security into the DNA of our business.

Financial teams that are rightly looking to compliment a company’s cybersecurity tech expenditure with funding and resourcing into cyber awareness initiatives can ask these questions to get started: How are separate business functions enabling their teams to live by secure design principles? Is the business effectively communicating its commitment to cybersecurity preparedness at an individual level? If not, how can we work with the wider company to instil the value of being cyber-aware?

Avoiding the proverbial firing line

In this new era of cybersecurity, security is an arms race, and we must continue to prepare ourselves against emerging threats to avoid being in the firing line. Designing cybersecurity preparedness from the outset and in line with the business starts with the board and executive level decision making, and CFOs have the influence and capabilities to make cybersecurity responsibility and protection an always-on priority.

Author

Wayne Williamson, Chief Information Security Officer | Equifax A/NZ

Wayne joined Equifax in August 2020. Wayne has over 20 years’ experience across Information Security and Cyber Resilience spanning large financial organisations within Australia, UK and Europe.

An experienced executive, Wayne is passionate about delivering the right level of oversight, being pragmatic in addressing threats – without compromising cost and user experience, and embedding a culture of information security protection ‘by design’ that delivers measured business value and buys-down risk in a cost-effective manner.

Prior to joining Equifax, Wayne held senior roles at Allianz Australia as the Chief Information Security Officer, the Commonwealth Bank of Australia as an Executive Security Officer and abroad at KPMG (UK) and Royal Dutch Shell (UK/Netherlands) as a Security Executive advisor focusing on information protection, business resilience and cyber strategy delivery.