Cybersecurity’s Newest Advocate: the CFO

Since the dawn of corporations, the Chief Financial Officer (CFO) has been responsible for, well, the company’s finances.  That includes tracking cash flows, reviewing financial performance, and advising on future company investments.  Traditionally, this involves overseeing both the finance and accounting divisions and its cadre of personnel.  Recently, however, this has evolved to add a new responsibility: collaboration with the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO). Why? Data risk.

Cybersecurity is more than just worrying about if the accounting department will be susceptible to a wire fraud phishing email - it’s about the data protections of the company as a whole.  If the company’s operations seize up due to a ransomware hack, then the finance becomes pretty simple: ongoing expenses offset by zero revenue.

IT Meets Investment

As companies have grown into the digital age over the last twenty years, c-suite officers and board members became increasingly aware of the importance of cybersecurity and data protection. Or more appropriately, they became aware that they should be aware.  Despite the attention, total digital protection continues to remain elusive as the complexity and frequency of threats evolve, the points of vulnerability increase, and the scale of IT infrastructure expands.  This unbroken game of cat and mouse has focused an intense spotlight on the state of a company's data security and incident response capabilities causing the need to invest heavily.  Enter player 2, the CFO. 

Though the IT team and the CFO would appear on the surface to be the odd couple, the area of overlap is large.  Company stakeholders are likely demanding to know if enough is being spent on cybersecurity, if it's being invested properly, and if the return on investment is adequate.  Quantifying and monitoring ROIs has been the bread and butter of the CFO’s office for decades, so this makes the combination a natural evolution.

“Show me the numbers!”

Says every CFO to their team as they work to apply their expertise to measure its cybersecurity risk.  This is accomplished through the following strategies:

QUANTIFY THE MAGNITUDE OF INVESTMENT

As with every venture a company considers, the CFO needs to understand the range of anticipated spending.  For the sake of ease, most companies allocate 5 to 12% of its IT budget for cybersecurity.  There’s no perfect number here.  It comes down to responsibly assessing the company’s existing “weak” spots.  If there has never been a cybersecurity budget, then the company may end up investing up to 50% of the IT budget for a few years as it bolsters its critical initial cybersecurity infrastructure.

IDENTIFY AREAS OF IMPROVEMENT

With a pile of money ready to deploy, the CFO needs to coordinate with their CIO, CISO, and IT department to ensure that capital is invested effectively.  Like any other expenditure, the team wants to ensure that there is both a measurable and sufficient return on their investments.  Doing so also helps prioritize the order of improvements.

ASSESS THE DOWNSIDE

Some decisions in business come down to gut reactions. Cybersecurity investment just isn’t one of those.  It’s time to break out the spreadsheet because this is a hard numbers exercise.  The CFO must take the time to compute the real dollar exposure from various potential incidents. The team has to calculate risks like:

• There’s a 50% chance in the next 12 months that the company will be hit with a ransomware attack that could cost $300,000 to recover from

• There’s a 10% chance in the next six months senior management falls victim to a phishing attack exposing the company to $3M of data loss

• And so on and so forth until all reasonable efforts have been made to identify and quantify the risks that may impact the organization.

The Bottom Line

Gone are the days that the CFO just ensures the books are balanced and the company’s floating weighted average cost of capital was decreasing.  Now they have to understand, coordinate, and react to an evolving cybersecurity risk landscape.  This means listening to and trusting their CIO and CISO to allocate investments to protect the company and its data.

Don’t know where to get started? Hive Systems is here to help you develop and asses your organization with our Cybersecurity Strategy Development. Let’s plan together to partner up your c-suite to better protect your organization.

Ready to get started?

Follow us - stay ahead.

Read more of the ACT