Answering Questions About Risk Assessment and Cyber Security for CFOs
Cybersecurity breaches don’t just put data in danger. They represent a huge risk to the company’s bottom line and to its professional reputation. With so much at stake, C-level executives are taking an increasingly active role in cybersecurity. In many cases, CFOs and senior finance executives bear a large portion of the responsibility for overseeing data security.
A recent survey by the Ponemon Institute found that 79% of C-level executives in the U.S. and U.K. say executive-level involvement is necessary for an effective response in the event of a data breach. It’s not surprising, then, that another survey found more than 40% of CFOs are the owner or co-owner of cybersecurity for their company.
Threats to cybersecurity aren’t going away. They’re just going to keep becoming more of a problem. For many CFOs, coordinating cybersecurity and managing the risk of data breach is going to remain a top priority. As a CFO in the modern business world, you need an intimate knowledge of how to address critical challenges in cybersecurity. This might seem intimidating, but it’s essentially just an extension of the role you already play in managing risks.
Why The CFO?
In an interview with Forbes, CFO of Palo Alto Networks Steffan Tomlinson said, “As the threat of cyberattacks and cyber risk continues to increase, I foresee CFOs across the world learning, adapting and building competency to successfully address this critical challenge.” One of the creative ways that he’s seen CFOs tackle this challenge is by viewing “cybersecurity through the lens of Enterprise Risk Management [ERM].”
One of the key jobs a CFO performs is risk management. Mergers and acquisitions, investments, long-range planning, insurance – these and many other decisions carry significant financial risk, and the CFO consults on all of them. From this perspective, cybersecurity is just another potentially expensive risk to manage.
How Significant Is The Financial Risk?
Managing financial risks is a key aspect of a CFO’s role. And for a typical corporation, cybersecurity is usually among their top five risks. According to the 2015 Cost of Data Breach report by IBM and the Pokemon Institute, the average cost of a data breach is $3.79 million.
For some companies, particularly in the health care sector with fines for HIPAA violations, the cost can be considerably higher. The final cost can also include class-action lawsuits and payment for identity-theft protection of affected individuals. On top of all that is the harder to calculate, but equally problematic, costs in loss of reputation and customer confidence.
What Mindset And Tools Should You Start With?
Some companies approach cybersecurity from the perspective that data breaches are going to happen whether you fight them or not, and you should focus on preparing for the aftermath. It is true that effectively managing cybersecurity involves being prepared to detect and deal with breaches if/when they do occur. But you also shouldn’t set yourself up for failure.
A prevention-first mindset gives you a foundation for creating a holistic cybersecurity solution. In the interview with Forbes quoted earlier, Steffan Tomlinson says, “the most successful, forward-thinking companies that I have seen to date start with a breach prevention-oriented, highly-automated and integrated approach as the foundation on which to build their cybersecurity strategy.”
His comments bring up a point that we’ve mentioned here on this blog several times before. Automation technology is a vital asset in enforcing cybersecurity. For example, business process automation helps fight fraud by enforcing company policy and notifying you immediately of suspicious activity.
Do You Need To Become An Expert?
Balancing cyber risk prevention, detection, and disaster recovery requires a certain amount of knowledge about cyber and data security. Even the most well-rounded CFOs don’t need to become technical experts. However, they do need to have some insight into how cybersecurity works.
Spending time with the CIO and CISO to review your company’s own cybersecurity is an important step for CFOs working to develop their knowledge. Service providers working with your company also know about cybersecurity best practices. They should be eager to share their insights with an interested CFO. There are also online resources available, such as SecurityRoundtable.org.
Are There Non-Tech Ways To Prevent Cybersecurity Losses?
Usually when we think of cybersecurity, we think of IT-specific ways of enforcing security such as malware, firewalls, and virus scans. But for today’s CFO, preventing data breaches requires looking beyond these technologies. The tech still plays a vital role, but it’s not the only tool you have in preventing cybersecurity losses.
According to CBIZ Risk & Advisory Services managing director Christopher Roach, “CFOs are spending millions of dollars on software and technology to protect their businesses from cyber crimes, and they should be investing more money in training their own people.” That’s not to say software doesn’t play a significant role. Just don’t underestimate the value of educating even non-tech employees so they’re savvy about supporting the company’s cybersecurity.
How Do You Stay Proactive?
Cybersecurity isn’t something you just look over once, develop a plan for, and never have to worry about again. It’s important to stay on top of things and keep reassessing your cybersecurity plan. As you continue forward, make sure you balance your focus on prevention with also investing in detection and response. That way you’re prepared to combat known threats and to catch unknown threats that are harder to anticipate.
Work to make sure that if a data breach does happen, your company is prepared to deal with it as soon as it’s detected. At a bare minimum, such a plan involves detection, containment, investigation, remediation, and recovery. It should also include steps for minimizing legal liability and the negative impact on reputation and employee morale.
There’s no guaranteed way to prevent all data breaches and no magic recipe for perfect cybersecurity. But as the CFO, you’re in a key position to manage and assess risks. You also have the power to make investments that build-up your company’s cybersecurity.
Unless CFOs are working closely with their security colleagues, there’s a risk that cybersecurity investments won’t be in-line with the company’s objectives. On the other hand, when a CFO educates themselves on cybersecurity they can help protect the company’s most vital assets and mitigate the high-damage risks that go along with data breach.