Security Culture

CFO, Cybersecurity is Your Responsibility Too

The people who make up the C-suite in an organization are the ones who ultimately hold the company together. Working with the rest of the organization, maintaining the company’s morale, and keeping employees happy while growing an equally happy customer base are some of the key roles they play, whether or not they set out to.

With the changing landscape of technology, devices, threats, and, most importantly, innovation, there are ample opportunities for security loopholes. Time and again, bad actors have taken advantage of these loopholes in combination with a company’s weak security posture.

Who is to blame for this? Does the blame fall on the CIO or the CISO? Does it fall on the IT manager who did try to convey the high-risk vulnerabilities in the company and yet went unheard?

A blame game probably does just one thing: it provides a name for your press release for when you are breached. As harsh as that sounds, it is the truth. Accountability and ownership for something such as cybersecurity cannot simply reside with one person. Neither can it lie only with the bad actor, internal or external, who managed to steal your data.

It is an organizational responsibility, not an individual one. Yet some roles are isolated from such crucial decision-making and execution processes. One of the main roles whose collaboration is imperative in making cybersecurity a philosophy in your company is the CFO.

Today’s CFO – Needs to Manage Hackers, Not Just Finance

A quote by Satya Nadella, CEO of Microsoft Corporation, is quite fitting for today’s need to evolve: “Longevity in this business is about being able to reinvent yourself or invent the future.”

Indeed. To stay relevant, reinventing yourself through innovation and digital transformation is a well-understood concept.

How about reinventing security, then? Consider the rampant security threats that exist today: the methods and technologies through which hackers seek entry are always changing. Shouldn’t the way you address security change as well?

The average cost of a data breach is $3.92 million[1]. By no means will you consider this a small amount. Add to that the damage to brand reputation, which can last years, the loss of customers, and the overall loss to the organization.

Besides the tech experts who handle your cybersecurity, CFOs can tie these threads together too. Although including them in security decisions is a recent practice, it is a change that was long overdue.

Just think about it: a CFO deals with sensitive data, interacts with investors, handles payments with customers, and so much more. They do more than upfront finance management and strategizing. A data report showed that 40% of IT professionals believe that CFOs don’t understand cybersecurity. How, then, will they know where in cybersecurity your organization should invest?

Given the role this section of the C-suite plays, it is no longer debatable whether you want to include the CFO in this domain, or whether a CFO wants to play a role as well. It is by default the role of the C-suite to do what’s best for the company’s growth, and this falls right on that path. Involving the CFO in conversations about cybersecurity along with the IT experts is the need of the hour.

Getting the C-Suite Involved is a Necessity

Some time ago, cybercriminals made at least $100 million in profits by stealing unreleased financial press releases and reports and trading on them, according to a report[2].

This is just one example of how crucial financial documents are, and how much money is on the line for a bad actor. That was back in 2015. We are years ahead now, but are we really? With time, hackers have gotten smarter and have found devious methods to bypass your “firewalls”.

Most people believe that they have not had a data breach. This is an innocent statement at best, considering that a Ponemon report stated that it takes 206 days even to detect a data breach. Add to that the long days spent weighing the amount of damage done, and how long businesses take to let their customers know about the breaches.

Today, different nations are tightening up regulations in light of many recent data breaches. It’s not just your organizational data on the line, but also customer data, which consists of a lot of Personally Identifiable Information. The EU’s GDPR is a stringent regulation that has laid out several rules for handling the data of European citizens. Failing to follow them, your company might even end up paying a heavy sum of $20,000. Owing to such scenarios, compliance and regulation should fall under the direct scrutiny of the CFO.

Read our blog, A year since GDPR, are you compliant yet?[3], to understand how it affects you.

These facts only underline the need to include more people in cybersecurity decisions, including the boardroom, so that everyone is on one common platform to defend against cybercrime.

Adding Multiple Feathers to The CFO’s Cap

Taking on a prime role in ramping up your company’s security is not an additional responsibility but rather a feather in their cap. It adds more context to every security decision, every investor meeting, every customer retention initiative, and so much more.

When the CFO Understands Cybersecurity, Your Company will be Better Equipped

It is a common problem within organizations: the IT team tries to showcase the importance of a security solution but fails to convey its value to the stakeholders. If the CFO is involved in this process, it can lead to a more business-friendly approach to getting it done. Your CFO does not have to go through hours of theory on cybersecurity. They don’t have to get into the nitty-gritty of technical jargon. Instead, they need to understand the security benefits of getting a solution, rather than suffering later for the money saved now. The cost of a data breach will always be higher than the cost of investing in cybersecurity solutions.

They Can Stress How Brand Reputation and Cybersecurity Go Hand in Hand

I am not talking about the aftermath of a data breach; let’s address that in the points to come. This is about the simple fact that when you are aware and secure, customers and investors will trust you more. If your CFO can talk the talk on cybersecurity, it automatically brings a sense of security. After all, who better to vouch for safety than the person who handles the finances themselves? If your customers and investors know their privacy is safe in the hands of your security, they will sleep better.

Implementing a cybersecurity solution signifies how your organization cares about security.

If you can collectively answer these questions, every third party you interact with will automatically be more inclined to stick with you.

Where is the customer data stored?
What are the security measures in place to tackle the ever-changing scope of threats?
Will your investors know that their money is going to the right place?

If the customers who share data with you, and the investors who trust their brand image and money to you, know that you have done all that you can to protect yourself against threats, then if ever you are breached, there will be a sense of trust rather than a round of blame games.

This brings us to your incident plan.

Including Your CFO in Your Recovery Plan Will Bring You Out of the Woods So Much Sooner

Every organization must have an incident plan at hand in agreement with the C-Suite.

Who is going to take charge of what at the time of a breach? How much money is going to be allocated to what? Does your cyber insurance cover this breach?

These are important questions to which you ought to have answers before you become the victim of a cyberattack. Otherwise, you are looking at hours of crisis planning in the middle of a crisis, which leads to abrupt decisions, and these aren’t always the smartest ones.

Imbibe Cyber Resilience Along with the C-Suite

Cybersecurity is not just about protecting yourself from external threats with a firewall or antivirus. The C-suite must be made aware of the innumerable ways hackers get through, and of the difficult trust question that comes with accepting that threats exist everywhere, internally and externally. They must be educated about things like Zero Trust[4], the multiple ways to authenticate an identity[5], and, most importantly, the domains that can act as your line of defense against all kinds of threats.

Cybersecurity is an uphill battle: long, tedious, and never-ending. With so much to lose when you are targeted by cybercrime, your IT professionals shouldn’t be the only ones fighting it for you.

The C-suite can’t just play an approving role anymore. They have to be at the center of everything, analyzing those decisions. It doesn’t stop with the CFO. It is an organizational responsibility.


  1. https://securityintelligence.com/posts/whats-new-in-the-2019-cost-of-a-data-breach-report/ (accessed 06/25/2020)
  2. https://www.washingtonpost.com/news/the-switch/wp/2015/08/11/hackers-who-breached-corporate-wires-made-millions-off-insider-trading/ (accessed 06/25/2020)
  3. https://www.ilantus.com/blog/a-year-since-gdpr-are-you-compliant-yet/ (accessed 06/25/2020)
  4. https://www.ilantus.com/blog/zero-trust-policy-always-question-before-you-allow/ (accessed 06/25/2020)
  5. https://www.ilantus.com/blog/secure-digital-identities-with-multi-factor-authentication/ (accessed 06/25/2020)

Binod Singh

Binod Singh has charted an illustrious 30-year career in the Information Security industry. As one of the pioneers of the ‘Identity and Access…
