Warn your colleagues that the eye black is to help you focus: the hackers are at your goal line. As Chief Financial Officer (CFO), you are the signal caller for the company’s cybersecurity team and it is your role to call the strategic audible that negates the increased risk of cyberattacks. Oh, and this game is not about points and playoff implications—it’s about your company’s financial standing, customer loyalty, and shareholder trust. Being the cyber quarterback comes with tremendous responsibility—how are forward-thinking CFOs leading their companies onto the cyber field in light of the evolving threats?
Cyberattacks create serious business problems, and small businesses are certainly not immune. In its 2015 Internet Security Threat Report, Symantec, one of the world’s largest information security and management companies, found that in 2014, 60 percent of all targeted cyberattacks were aimed at small- and medium-sized businesses (SMBs). Furthermore, companies with fewer than 250 employees were the targets of a sizeable 34 percent of all spear-phishing attacks, which shows that being small and relatively anonymous does not necessarily allow companies to fly under the radar.
In fact, the nature of last year’s attacks suggests that cyber criminals often set their sights on a target company’s supply chain as a way of getting around the target’s security, and thus see SMBs as a means of gaining entry into a target through the back door.
As a result, SMBs need to put cyber risk mitigation at the forefront of their overall risk mitigation strategy and not relegate the overall IT security strategy solely to the IT team.
As the protector of corporate assets and manager of the organization’s enterprise risk strategy, the CFO is in a unique position to assess the business risk of a cyberattack, integrate a cyber program into the company’s broader risk assessment framework, and make informed security investment decisions. The CFO is experienced in overseeing initiatives to mitigate financial risk, market risk, and operational risk as part of a holistic enterprise risk management framework. Cyber risk should be treated as another element in the company’s enterprise risk profile – an element to be understood, assessed, and managed.
How Can a CFO Create a Cyber-Resilient Playbook?
As cybersecurity quarterback, a CFO’s initial priority should be to identify the company’s most valued assets and communicate this information to the IT team. The CFO has invaluable insight into what is most important to the business and how the business operates. Engaging in ongoing dialogue with the IT team enables the CFO to outline critical information assets such as customer and investor data, intellectual property, financial records, and business plans to help the IT team recognize the company’s greatest cyber risk concerns.
CFOs should have an open dialogue with their IT cyber professionals regularly to identify information assets and discuss what the company is doing to protect those assets. Cyber programs need to be aligned to specific threats, the risk tolerance of the organization, and the data assets that are most at risk. A well-designed cyber program requires investments, and the CFO can help ask the right questions of IT to ensure that these investments will close the security gaps.
While organizations use a host of different security controls in an attempt to limit their risk of a security incident or breach, human error is virtually unavoidable. According to the IBM Security Services 2014 Cyber Security Intelligence Index report, human error was recognized as a contributing factor in over 95 percent of all incidents investigated. The implications are clear: effective cybersecurity programs extend beyond the technology firewall.
“By taking a leading role in developing the company’s cybersecurity strategy, CFOs acquire a keen understanding that cybersecurity is more than a set of preventive technologies. It is a comprehensive set of methods, policies, and strategies designed to protect major assets,” said David Rubin, CohnReznick Risk and Business Advisory National Director. “As a result, CFOs are better equipped to respond to the questions and concerns of their Board of Directors and shareholders.”
Like any good quarterback, the CFO possesses the visibility and commands the respect necessary to motivate players to maximize performance. To craft a cyber strategy that encompasses people, process, and technology, the CFO must engage the Board of Directors, IT team, department heads, and human resources.
To build awareness of cyber risks and the role human error plays in a breach, the CFO should call upon human resources to implement security awareness training. The CFO can communicate the implications of cyber risk to the Board of Directors and division heads to create policies and ensure controls are heeded. And the CFO can assist the IT team in securing the capital needed to modernize and maintain the security technology infrastructure.
A CFO understands the company’s risk tolerance based on market, industry, and financial factors, a critical element in making informed cybersecurity investment decisions. For example, a financial services or retail company, where a cyber breach can directly disrupt the revenue cycle, should have a lower risk tolerance and be willing to devote greater resources to its cybersecurity program than a company with less potential disruption.
CFOs put the cybersecurity program in the proper business perspective. They have the inherent ability to balance the returns generated on a company’s information assets, risk tolerance, and the level of cybersecurity investment needed to effectively protect those assets.
Plan for a Fumble: Devise an Incident Response Plan
Safeguarding the company’s assets today means developing a well-reasoned incident response plan for tomorrow. In the event of a successful cyberattack, the company needs a firmly established strategy to guide the organization on how to best respond to the breach to minimize damage, recovery time, and post-incident costs.
Those without a well-designed plan face the risk of a tarnished reputation, slower earnings recovery, and a potential mistrust of shareholders, lenders, suppliers, and vendors. A robust response plan has contingencies for the type of breach and the nature of the assets compromised, so the right people get notified at the right time.
With breaches now a more likely occurrence, stakeholders no longer penalize companies for a breach, but for their failure to take adequate steps to protect assets and respond effectively to mitigate damages.
Assembling the right people from across the company is instrumental to building an effective incident response plan. The CFO should again lead this endeavor, coordinating with the IT team, senior management, legal counsel, human resources, and others to identify key stakeholders, develop contingency plans, and design a communications strategy. Should the plan need to be enacted, executive sponsorship avoids complacency and demonstrates necessary vigilance to external stakeholders.
Unfortunately, a cybersecurity program is never complete. New business strategies, evolving cyber threats, and changing security technologies shift perspectives, introduce new attack vectors, and change risk tolerances. As a result, companies must not only continuously monitor for potential breaches, but also regularly re-evaluate their cybersecurity program and incident response plan.
CFOs must ensure that their cyber programs reflect emerging business strategies, new product introductions, system implementations, disruptive technologies, new suppliers and vendors, and anything else that can create points of vulnerability for cyber criminals. An outdated cybersecurity strategy is one of the key reasons why companies remain vulnerable.
The marketplace has grown less tolerant of companies that lack a robust cybersecurity program and incident response plan. Stakeholders have an expectation that the company’s data and assets are secure because the company is enacting reasonable protections and has plans at the ready to react quickly to a successful breach to minimize damages.
Experienced in managing risk, CFOs must quarterback this process—protecting information assets as part of an enterprise risk strategy. CFOs are in the unique position to not only understand how the company’s changing business environment shapes their cyber-risk profile, but they also have the financial proficiency to determine the potential costs of a breach and assess risk tolerance, and to balance those factors against the investments required to protect key assets.
Further, CFOs have the organization-wide visibility to build comprehensive protections that address people, processes, and technologies, and to compel the organization to react quickly to enact the incident response plan.
Information sourced from Symantec and IBM.
Written by Jim Ambrosini
Jim Ambrosini, CFE, CRMA, CRISC, CISSP, CISA, is a Managing Director with CohnReznick Advisory Group where he leads its cybersecurity and technology assurance service offerings. Jim has more than 20 years of experience in information security and technology and is focused on helping clients more effectively manage their technology assets. His team is adept at analyzing technology infrastructure, evaluating IT processes/applications, developing strategic plans, and assessing network and web vulnerabilities.
To learn more about the cybersecurity services provided by CohnReznick Advisory Group, visit our webpage.