The Role of the CFO in Enterprise Cyber Security

Who is responsible for cyber security in your organization? Smart businesses know that it’s not just the IT teams who need to be investing in cyber security.

Faced with increasingly complex and severe cyber-attacks on operational technology (OT) designed by criminals who are well-organized, well-financed and willing to wait for the right opportunity to strike, businesses need everyone in leadership roles to not only acknowledge the situation but put in place strategies to minimize risk. This includes the CFO.

The Chief Financial Officer (CFO) plays a crucial part in ensuring that the investment in cyber security matches not only the potential risks but also the value and importance of the company’s infrastructure, from financial systems to operational technology networks. In some organizations this investment is viewed as a cost drain. As such, investment levels tend to be far too low relative to the scale of the risk.

It is not uncommon for IT teams or their executives to be rewarded based on reduction in expenditure vs budget, breeding an alarming culture of penny pinching each year. This short-term thinking is putting organizations in jeopardy, and at risk of everything from data breaches to system hacks. A boardroom, including the CFO, that recognizes the devastating effect a cyber-attack can have, both financially and reputationally, will be better placed to protect their ‘crown jewels’ from this new age of cyber criminals.

There is an opportunity to engage the CFO in the full spectrum of cyber security and the potential mitigations, from IT to OT networks. Great CFOs don’t act as a blocker or barrier but are ready to invest in comprehensive and robust cyber security systems. Here’s how to make sure your CFO is one of them:

Make clear the opportunity cost

There is, of course, a cost to cyber security systems, but the cost to not having them is far larger. The average cost of an attack has been rising rapidly and now stands at $3.9 million, according to the annual Cost of a Data Breach Report by IBM and the Ponemon Institute, although this rises to $8.64 million in the US.

This includes costs of OT systems and hardware, disruptions to critical activity resulting in down time and business lost, and fines. When put in this context, the investment in cyber security will seem minimal. Businesses that rely on insurance as mitigation may feel that they are covering the financial cost, but this does not take into account the cost of reputational damage, which can far exceed any monetary loss.

Further, the insurance market is taking a tougher stance due to the rising frequency and scale of cyber-attacks. This makes it a multi-faceted challenge for finance leaders.

Think about long term sustainability

Cyber-resilience is about ensuring the continued success of an organization. Business continuity, reputation and finance are all at stake, but also the potential for injury and even loss of life. Imagine how much money would be lost if you were unable to service clients, and the reputational damage of a splash across the headlines. To continually win new business you need to be able to show you are diligent and trustworthy, and cyber security plays a big role in this. Data security is increasingly important, and customers will not want to do business with you if their own information is seen to be at risk. Similarly, vendors will harbor concerns about stability and ultimately shareholders will become worried about performance.

See cybersecurity not as an IT overhead but an OT asset

Cyber security is not just a tick box or policy adherence exercise, but brings huge value. It’s about more than IT systems and software – it’s essential for fully functioning OT. The CFO’s remit spans the entire business, meaning they are perfectly positioned to support cyber security efforts spanning the entire estate. They are able to look at the technology and systems and what investment in them can bring the business from a strategic standpoint.

Improve the risk management framework

The CFO’s job is to finance things that are business critical. If the Chief Information Officer (CIO), Chief Information Security Officer (CISO) and Senior Management Team (SMT) make cybersecurity part of everyone’s role, from team members to those at the top of the organization, it ensures it is ingrained in policy and procedure. With this shared visibility and responsibility, it becomes clearer why it needs financing, not just as a cost centre, but as an enabler. Cyber security is about protecting the assets that are of value to your company, and so should be embedded in everything that you do. Effective governance is essential to business success.

Help them mitigate potential risks

Across the business we are constantly putting plans and procedures in place to mitigate risk. And most often this mitigation is based on potential risk, rather than historic experience. Just because it hasn’t happened doesn’t mean it won’t. In fact, threats are constantly changing and cyber criminals are increasingly diversifying the strategies that they use to infiltrate organizations.

Most businesses have smoke alarms or defibrillators yet have never had a fire or had someone suffer a heart attack during the working week. They have this equipment installed to minimise the impact of any future disaster. The same is true of cybersecurity. CFOs should think of cyber security as part of the package that a business has to mitigate risk and maintain fully functioning OT at all times, so that business activity can proceed as normal.

CFOs should therefore be discussing cyber-risk exposure with their CIO and CISO regularly. This ensures it doesn’t just get thought about on an annual basis but is front of mind all year round. That regular reminder of why it is so important will help ensure that it is viewed as a business-critical expense that needs to be fully backed financially.

Use their expertise

Your CFO does not have to be a cyber security expert. But their risk management skills will be essential to asking the right questions around issues such as where data is stored and who has access to it. They especially understand the risks and issues presented by protecting financial data. By ensuring that your CFO is part of the process for assessing risk, identifying assets and selecting vendors, they become part of that process of essential cyber security.

Present a united front

The CFO is a business-critical part of strategic and functional operations across the organization. Businesses fall prey to cyber-attacks when they have a weak link. We think of clients as castles, and all of the battlements need to be strong. This includes everyone from the CEO to the cleaner to the connected systems used to make the business run. Vigilance and security are crucial across the board, and the CFO is an integral part of that.

We know that cyber security is essential. In the modern working environment, more and more of us are geographically dispersed and more devices are connected to the internet. At the same time cyber criminals are getting increasingly sophisticated. Cyber security needs to be a top priority for all organizations – and all members of those organizations, including the CFO. Investment in cyber security is absolutely business-critical, and by making your CFO part of the strategic journey of cyber security you will make it easier to get that much needed sign off.


Glenn Murray,
CEO at Sapien Cyber

Glenn Murray is the Chief Executive Officer at Sapien Cyber. Glenn has extensive experience in the management of multi-million-dollar projects in the identification and application of ICT solutions across the oil and gas, mining, heavy vehicle manufacturing, defence (Electronic Warfare) and telecommunication industries.

His military background and focus on national security has built a passion for cyber security and protecting the world we live in. As CEO of Sapien Cyber, Glenn’s vision is to provide world class cyber security solutions to critical infrastructure industries globally.