Considering the impact a data breach can have on regulatory fees, customer trust and loyalty and, as a consequence, shareholder value, cybersecurity is no longer just an IT issue. It has become a board-level concern. Furthermore, even if an attack doesn’t mean the complete end of your business, recovery can be extremely expensive and protracted. Whoever is in charge of cybersecurity at a company level must have the budget available not only to minimize the risk of a breach but also to create a sophisticated incident response plan.
1. Is it typical for a CFO to have a good grasp on how the organization manages cybersecurity?
Traditionally, cybersecurity was in the hands of CIOs or CISOs. However, when organizations undergo a digital transformation and become data-driven, data becomes one of the main company assets and often the most valuable asset. Data is the new gold. Since the CFO is responsible for keeping the company financially viable, cybersecurity is at the top of almost every budget plan right now. A modern CFO will have an excellent grasp on how an organization manages cybersecurity and will be able to ask the right questions.
2. Should CFOs be more involved in choice/deployment of “cybersec tech” when it comes to funding approvals?
As investments and budgets for cybersecurity grow, more and more technology investment decisions are being made at board level. CFOs don't need to be cybersecurity experts – but bringing their perspective to the table allows organizations to find solutions that are sustainable and help to secure an organization's growth.
3. Are there risks to a CFO not being more invested in the cybersec process?
Every day without the right security solutions in place leaves a company vulnerable to a cyber attack. The CFO is critically important to protecting a company's valuable treasure – its data.
As a CFO also sees the direction of a company in terms of mergers, acquisitions and structural changes, (s)he is able to make decisions that are sustainable. Way too often companies overspend on security solutions that aren’t flexible enough to support a company's growth. Sometimes this expenditure creates a false image of security, as management and maintenance are extremely important factors when it comes to security. An outdated security solution might not be secure at all. In terms of ROI and sustainability, a CFO should not risk being under-invested in the cybersecurity process.
4. Are cybersec leaders resistant to planning security with the CFO?
We see a change here. More and more CISOs are starting to tell the right security story when communicating to the board.
When it comes to complex topics like cybersecurity – with all its pitfalls and hundreds of options to decipher – the board demands greater accountability from their experts and professionals. Whether you are resistant to planning security with your CFO or not, this hard fact doesn’t change.
5. How can the CFO and cybersec team work better together?
While technical experts sometimes struggle to demonstrate business insights and ROI of a cybersecurity project to business executives, there is an urgent need for both parties to work together more closely. Both sides have to be proactive – finding the right language to communicate benefits, needs and ROI. A comprehensive security strategy requires the appropriate budget and needs to be tailored to every individual company depending on its business objectives.
Some organizations see security solutions as an inconvenient cost item. Nonetheless, there are solutions available that facilitate future projects, allow organizations to leverage previously unmonetizable data and help to keep systems out of the scope of regulations. The most effective way to plan together is to focus on the benefits of protecting an organization’s crown jewels – its data.