Cybersecurity is vital in the digital age, as cyber attacks are increasing and rank high among the risks to businesses. Yet many CFOs do not have an accurate understanding of their potential costs, despite one of the Chief Financial Officer's primary responsibilities being to advise senior executives and the board on financial risks.
The CFO needs to be concerned about cyber attacks: Finance is one of the departments most often targeted by phishing and pretexting attacks, and a severe data breach or theft of intellectual property can affect a business for years.
In my article 4 Key Challenges Facing a Digital Age CFO, I said that managing the investment in digital security is a crucial consideration for the CFO.
Also, they need to be up to date with regulations and compliance, not only in accounting but also those affecting digital investments, such as GDPR.
In this article I advance this challenge a stage further, arguing that the CFO should be an evangelist for cybersecurity.
This may initially seem an uneasy fit with the perception of the CFO as being concerned with financial reporting, planning and more conventional business risks.
However, given the risk to the organisation, the CFO has good reasons to become a cybersecurity evangelist, and by allying with technical peers such as the Chief Information Security Officer (CISO), they can help the business to guard against security threats.
The CFO’s traditional responsibilities of managing the finances of the business, financial planning and management of financial risks mean that the CFO is already connected with the cost and impact of cyber attacks and the protection against them: investment in security safeguards, calculation of the impact of risks and corporate governance.
I believe there are nine ways that a CFO can be the company cybersecurity evangelist:
#1. Understand The Impact
When security breaches are reported, the media readily reports the financial costs. However, how does the company put together a press release following such an attack, and how does it estimate the cost?
The first instinct is often “don’t scare the horses”. A severe attack can have a negative effect on customers, partners and shareholders, so there is a huge temptation to publish a simple, low estimate of the cost and to spin an optimistic tone about recovery.
The real effects can be more of an iceberg, with hidden costs below the waterline.
A cyber attack is not just about a few days of lost production. There is the consequent impact on orders in progress, with delays often resulting in financial penalties.
Downtime will more than likely impact the next order too, resulting in overtime, a scramble for storage space and a headache for logistics.
#2. Identify The True Costs
Data breaches carry even more invisible costs. Beyond the headline costs of fines, refunds and customer penalties, there will be forensic investigation, breach notification, legal fees and a PR operation to regain trust.
GDPR, for example, affects personal data handled across many departments, yet the penalties for non-compliance are a financial risk to the business as a whole.
Whatever the type of attack, there is long-term damage to the business. Customer trust can take a long time to regain, shareholders may reconsider their investments and staff may worry about their jobs.
#3. Make Cybersecurity Part of The Culture
The CFO can help to establish a culture of security in the business. Demonstrating a clear commitment at the executive level will spread downwards through middle management and staff.
A cybersecurity evangelist CFO should:
- Take opportunities to discuss security with peers and challenge misinformation, laissez-faire attitudes or lack of knowledge.
- Congratulate and raise the profile of colleagues who think outside the box to propose new security solutions.
- Stay up to date with regulations and ask how changes affect other departments.
- Champion the need to evaluate risks and to re-evaluate them regularly.
Hacking is a lucrative career and methods are evolving quickly, so it’s essential to anticipate and prepare for the next round of threats.
#4. Promote The Company’s Approach Externally
Evangelising about security in the boardroom is one thing. Promoting security externally is also valuable.
Customers are well aware of hacking threats; they will have undertaken their own risk assessments and made their plans.
Promoting the company’s approach will build trust and reputation with the client base and may earn some goodwill with them in the event of a breach.
Shareholders too will consider the potential effect of breaches on their investments and will value a business that is up-front about the risks and how it is mitigating them.
#5. Ensure The Finance Team Sets an Example
A report by Verizon identified Finance and HR as two areas most likely to be targeted by phishing and pretexting attacks.
This is understandable, given that Finance handles the payment of supplier invoices and holds payroll data.
Also, finance staff may be spread across regional offices worldwide, with a resulting reliance on email for approvals and instructions.
Typical attacks are:
- An invoice from a “trusted” overseas supplier
- A bank transfer request from the CFO or CEO
- Payment demanded from a vendor’s hacked email account
- A request from an official body, such as HMRC, for employee data
- A request from the company’s lawyers for sensitive information
Ensuring the Finance Team is well trained and aware of these attack points sets an example to other teams within the company. Training should be backed by a simple procedural control: any change to a supplier’s bank details, and any unusual or urgent transfer request, is verified by telephone on a number already on file, never on a number supplied in the email itself.
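As an added illustration (this is not the article's code), the following Python screens an inbound payment request for the indicators behind the attacks listed above: an executive's name on an external mailbox, a Reply-To that diverts answers elsewhere, a sender domain that is a near miss of a trusted one, bank details that differ from the supplier record on file, and the urgency and secrecy language typical of pretexting. The company domain, executive names, supplier record and the four sample messages are all constructed for the example.

```python
"""Screen inbound payment requests for common Business Email Compromise (BEC)
indicators. Added illustration, not the article's code: the company domain,
executive names, supplier records and sample messages are all constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

OUR_DOMAIN = "example-corp.com"                 # assumed company domain
EXECUTIVES = {"Jane Doe", "John Smith"}         # names attackers like to impersonate
SUPPLIERS = {                                   # constructed supplier master data
    "acme-parts.com": {"name": "Acme Parts Ltd", "iban": "GB29NWBK60161331926819"},
}
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
PRESSURE_RE = re.compile(r"\b(immediately|confidential|do not (call|discuss))\b", re.I)


@dataclass
class Message:
    from_name: str   # display name in the From header
    from_addr: str   # address in the From header
    reply_to: str    # Reply-To header, "" if absent
    body: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(dom: str, known: set[str], max_dist: int = 2) -> str | None:
    """Return the trusted domain that `dom` resembles but does not equal, else None.
    A distance of 2 is deliberately loose; tune it against your own domain list."""
    for k in sorted(known):
        if dom != k and edit_distance(dom, k) <= max_dist:
            return k
    return None


def screen(msg: Message) -> list[str]:
    """Return the list of BEC indicators found in one message (empty if none)."""
    flags = []
    sender_dom = domain_of(msg.from_addr)
    # CEO fraud: an executive's display name on an external mailbox.
    if msg.from_name in EXECUTIVES and sender_dom != OUR_DOMAIN:
        flags.append("exec-name-external-sender")
    # Replies silently routed to a mailbox the attacker controls.
    if msg.reply_to and domain_of(msg.reply_to) != sender_dom:
        flags.append("reply-to-mismatch")
    # Sender domain is a character or two away from a trusted one.
    near = lookalike(sender_dom, set(SUPPLIERS) | {OUR_DOMAIN})
    if near:
        flags.append(f"lookalike-domain:{near}")
    # Bank details in the message differ from the supplier record on file.
    record = SUPPLIERS.get(sender_dom) or SUPPLIERS.get(near or "")
    if record and any(iban != record["iban"] for iban in IBAN_RE.findall(msg.body)):
        flags.append("bank-details-changed")
    # Urgency and secrecy are the pretexter's standard levers.
    if PRESSURE_RE.search(msg.body):
        flags.append("pressure-language")
    return flags


# Constructed sample messages, one per attack pattern plus a genuine invoice.
SAMPLES = {
    "lookalike_supplier": Message(
        "Acme Parts Accounts", "accounts@acme-parts.co", "accounts@acme-parts.co",
        "Our bank has changed. Pay invoice 1042 immediately to GB12ABCD10203012345678."),
    "ceo_fraud": Message(
        "Jane Doe", "jane.doe@mail.example", "",
        "I need a wire sent immediately. This is confidential, do not discuss it."),
    "hacked_vendor": Message(
        "Acme Parts Accounts", "accounts@acme-parts.com", "acme.accounts@webmail.example",
        "Invoice 1043 attached. Please remit to GB12ABCD10203012345678."),
    "legitimate": Message(
        "Acme Parts Accounts", "accounts@acme-parts.com", "accounts@acme-parts.com",
        "Invoice 1044 attached, payable to GB29NWBK60161331926819 on usual terms."),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:20s} {screen(msg) or 'no indicators'}")
```

The hacked-vendor case is the instructive one: the sender domain is genuine, so domain checks pass and only the diverted Reply-To and the changed account give it away. That is why a script like this is a triage aid rather than a control; the control is the out-of-band callback to a number already on file. The script also does nothing about a forged From header, which is the job of SPF, DKIM and DMARC at the mail gateway.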
#6. Establish Robust Cybersecurity Procedures
No procedure is bulletproof, but implementing robust security practices throughout an organisation requires energy and commitment.
Firstly, the company needs proper written procedures. Considering how a new staff member would learn about the company may show that procedures are out of date, verbose or unfamiliar.
The business may have been audited for compliance with corporate governance regulations. This requires that management and auditors ensure that internal controls are adequate.
Allying with the quality manager may be a useful tactic. The quality team may be able to help with drafting and reviewing company procedures. These should be succinct and reflect best practice for every team.
Clear procedures give a good start point for new staff and establish a commitment to secure working. They must be published internally, regularly reviewed and updated to take account of new systems.
#7. Collaborate With IT
One of the challenges for CFOs, when getting involved in security, is mindset. There are three aspects to bring out here:
- Technology assets, such as intellectual property and customer data, really are assets. The company has an investment in them that needs to be managed and protected.
- Security precautions, such as infrastructure, software and consultancy, come with an associated cost. This cost is also an investment, in the ongoing security of the business.
- Managing costs and negotiating budgets are an inevitable part of the CFO’s role. However, when cutting costs on security, there is the potential to lose far more in an attack than is gained in savings.
Recent research by BAE Systems looked at cybersecurity attacks and invited estimates of their cost impact from two groups of people – IT decision makers and C-level executives.
It found that IT’s estimates were almost twice those of the executives. Worryingly, each group put the responsibility for a “successful” attack on the other.
Collaboration is needed. The CFO can facilitate this by working with peers, probing and challenging assumptions; it’s an essential step in quantifying the risks. The resulting insight can inform the entire management team.
#8. IT and Security Budget
The CFO is responsible for overseeing the budget: that it is well spent and provides value for money. It needs to buy protection proportionate to the threats the business actually faces.
Working with a CISO or CSO lets the CFO understand their approach to security. Although they are highly technical, they should be able to articulate the benefits of security safeguards in business terms.
A detailed discussion of their strategy or budget proposal allows the CFO to probe their thinking.
The proposal must quantify how the technology will protect the business from threats but must use business language. Keep the discussion on this footing. Beware of allowing the conversation to drift into the weeds of the technology.
Many of the IT budget items will not be directly related to security but will have aspects relating to it. For example, refreshing servers, network infrastructure and personal devices retires hardware and operating systems that no longer receive security updates.
#9. Ongoing Cybersecurity Training
Well-trained staff are an essential asset in the fight against cyber-crime.
Training employees in the latest types of attacks, and how to deal with them, empowers staff and refreshes their knowledge. It also builds a culture of security throughout the company.
Security training must not fall through the gap between IT and HR. It’s vital that all employees are aware of the risks and how to keep the firm safe.
Although Finance is on the front line for phishing attacks, other departments also have to counter threats. Even working away from the office carries risks, such as connecting to a compromised router in a hotel.
Moving beyond financial reporting, planning and conventional business risks, a CFO can grow into an evangelist for cybersecurity.
There are good reasons for the CFO to take on this role: not only the risk of cyber attacks against the Finance department itself, but also the financial risk to the business as a whole.
Finally, the CFO is in an ideal position to become a cybersecurity evangelist. They already have a responsibility to advise on financial risks to the business, in addition to which they oversee the digital security budget and how it is invested to protect the company.