CFOs Should Lean into Cybersecurity Issues

by Steve Vintz, Chief Financial Officer | Tenable

Business leaders are becoming increasingly aware of the looming cyber threats surrounding their organisations. Cybersecurity, which was once limited to the IT department, has now become a vital consideration for key decision-makers, such as CFOs, who must now factor it into the risk profile of an organisation.

Technology advancement has been a key driver of today’s global economy, and with increased reliance on it comes increased risk. We cannot ignore that cyberattacks and data breaches have become more frequent and their impacts more severe. One only has to look at Equifax, Yahoo! and Target to understand that the cost in clean-up, lost business and reputational damage makes cyber risk indistinguishable from overall business risk.

“Cyber risk IS a financial risk. And as a financial risk, it must be a key priority and responsibility for the CFO”

Today’s CFOs cannot afford to stay within the confines of their traditional roles; they must work to understand their organisation’s cyber exposure gap and the financial risks it poses to the business, its people and its processes.

A number of CFOs at the most risk-aware organisations are embracing this ethos and are implementing the following strategies to strengthen their organisation’s overall risk management program.

Lock arms with the CISO

To understand an organisation’s security risk and all the financial costs associated with it, CFOs need to actively engage with the CISO. A 2019 study revealed that while 55% of Australian and New Zealand CFOs and finance leaders identified cybersecurity as a ‘high’ or ‘very high’ risk to their organisations, in 44% of organisations the strategic direction for cybersecurity is still set by the IT function.

These statistics demonstrate that CFOs must lock arms with the CISO to understand how cyber risk affects the overall business.

By becoming an active member of the security team, rather than just a passive observer, the CFO, along with the CEO and the rest of the C-suite, can significantly reduce unnecessary revenue leakage through a more focused and effective cybersecurity technology portfolio.

Organisations need to take a systematic and holistic view of the company’s exposure to cyber risk across various IT systems and networks, information assets, digital connections and its people and working culture. Process vulnerabilities, such as poor password policies or sharing of data with third parties, might simply fall through the gaps and cost an organisation dearly.

Invest in keeping your organisation secure

In 2015, Bank of America’s CEO, Brian Moynihan, stated that he was giving his IT security team an unlimited budget to implement security and stay ahead in the never-ending battle against cyber threats.

“Undoubtedly, the cost of defending against cyber risks can be costly, but the cost of not adequately preparing for cyber threats is far higher”

However, not every organisation is in a financial position to allocate unlimited resources to defend against cyberattacks. Knowing where to invest in cybersecurity, though, can yield dividends. According to a 2019 BDO survey, organisations in ANZ have moved away from silver-bullet technologies and towards wider governance controls to help them understand their most likely risks and allocate investments accordingly.

The same report also indicated that the top five security control measures that grew in adoption over the past three years were establishing CISO roles, implementing Security Operations Centres, rolling out security awareness programs, performing regular third-party/vendor risk assessments and implementing cyber incident response plans. Organisations that have applied these controls also reported being 50% more confident in responding to and recovering from cyber incidents.

While new technologies such as IoT and smart devices are being introduced into the workplace to enhance efficiency, they bring inherent security issues, because these devices are largely invisible to traditional security tools. New approaches are therefore needed to deal with the realities of today’s digital business landscape and its evolving threats.

Lean in and be accountable for cyber risk

With stringent requirements such as Australia’s Notifiable Data Breaches scheme forcing organisations to be more transparent in identifying and reporting data breaches, coupled with financial penalties for those who fail to comply, the need for CFOs to be more accountable for cyber risk has never been clearer.

To be effective in their roles, CFOs need to partner with other C-level leaders such as the CEO, CIO and CISO to manage risk. When making strategic business decisions, C-level executives should collectively consider cyber risk as a quantifiable metric of risk in the same manner as other business exposures such as economic or environmental risks.

The CFO should follow operational risk best practices and request reports that summarise the organisation’s progress in reducing its critical risks.

Security should not have any surprises

In the digital era, forward-thinking organisations should not work in silos, especially when it comes to cybersecurity. Being aware of an organisation’s cyber risks and their impact on the business should not be a one-off event but an ongoing process. CFOs should make an effort to meet with the rest of the C-suite frequently to understand their cyber exposure gap and update their cyber-incident response plan accordingly. If these steps are followed, there shouldn’t be any surprises.