To Deal With Cyber Risk, CFOs and CISOs Must Speak the Same Language

In the traditional realms of cybersecurity, ‘security’ and ‘risk’ are always the predominant topics of conversation. But for FDs and CFOs, it’s even more reductive than that – everything boils down to one factor: risk.

It’s their job to be aware of the financial repercussions of every single risk an organization takes. Their approach to cybersecurity is no different. They want models that specifically demonstrate the organization’s exposure to risk in cyberspace, both internal and external.

Without adequate explanation as to why certain security protocols are in place, the finance function can quickly become frustrated at measures which appear to hinder their job function  

Ignorance isn’t bliss

We constantly hear that cybersecurity should be a boardroom topic – and in most cases it is. But it’s largely a futile exercise at the moment. CISOs go into the last five minutes of a board meeting to outline their most recent cybersecurity initiatives – but no one listens.

Why? Because the board doesn’t speak the same technical language as the technology people. As for CFOs, they need things explained in a way that easily translates into their risk-modelling frameworks.

This leaves us at a bit of an impasse. Cybersecurity teams, constantly focused on defending the company in cyberspace, become isolated from the wider organization and the implications their initiatives may have on their colleagues, particularly from a financial perspective.

They also become detached from the activity of accounts with privileged access – such as CFOs – and miss potential indicators of a security vulnerability, an impending data breach or an inside threat, such as a disgruntled employee.

Likewise, without adequate explanation as to why certain security protocols are in place, the finance function can quickly become frustrated at measures which appear to hinder their job function. They may choose to ignore them, potentially exposing the company even further to the risk of a catastrophic data breach.


Creating a dialogue

Organizations should therefore seek to create a reciprocal dialogue between these core business units, so they understand the implication of security policies on critical business accounts and transactions, and vice versa.

This means encouraging cybersecurity teams to avoid technical jargon and speak to the finance function in a language they understand, so their messages resonate more clearly. CFOs and FDs, in particular, have the best view of the entire threat landscape of their organization, so the security leadership team must be trained to converse with them in a way that provides effective defense against cyber threats.

Doing so will help both business units identify and nullify potential threats to the business – both internal and external – early, helping ring-fence security at the heart of the enterprise and prevent a costly cyber attack.

Taking a security-first approach

But that’s not enough. It’s also about educating your workforce about the implications of a constantly changing digital environment. Almost every company out there has heard the ubiquitous calls for a ‘change of attitude’ to cybersecurity by now. But how can their employees put this new attitude into action without practical guidance?

Aside from cybersecurity awareness training, which should be a requirement for every employee, finance teams must be trained to report potential vulnerabilities and attacks as soon as possible.

Secondly, they should be made to consider the implications of their actions from a cybersecurity perspective. At every turn, they should think how their actions may increase the business’ exposure to attack.

This may require involving the CISO in strategy or business development meetings, for example, as well as in board meetings, so they are aware of recent initiatives and can express their security concerns from a business viewpoint. 

Establishing exposure to risk

Up to now the process of allocating budget to cybersecurity has not been an exact science, and this has created confusion regarding ownership of the function within business. Many businesses operate without measuring their exposure to risk – meaning they don’t know how much it would cost them if a successful cyber attack took place.

According to IBM’s latest cost of data breach study, the average cost of a data breach globally is US$3.62 million – and the size of these breaches is increasing

Given how critical it now is to the financial viability of a business, CFOs and FDs should take the lead and demand a demonstrable measure of their organization’s risk exposure in cyberspace. Not only will this help them secure insurance policies which leave them fully covered in the event of an attack, but it will also to allow them to align the correct amount of budget to cybersecurity spend. 

Cybersecurity can no longer be considered as simply a technological risk. It is now a business-critical risk. According to IBM’s latest cost of data breach study, the average cost of a data breach globally is US$3.62 million – and the size of these breaches is increasing.

A reactive approach simply isn’t sufficient to prevent costly and irrevocable damage to an organization.

It’s widely accepted that the senior finance team should take a leading role in helping their organization implement a robust, pragmatic, and proactive strategy to deal with cyber threats. But this process will only work if finance works together with IT to create a reciprocal dialogue which is understood by both parties, formulate easily navigated frameworks, and educate the entire organization to the scale of its threat landscape.

While no protection against cyber attacks is foolproof – they are becoming more sophisticated every day – these steps are critical to effectively mitigate risk and defend against cyber threats. As Ginni Romety, the CEO of IBM, said: “Cyber crime is the greatest threat to every company in the world.” It’s worth listening to her.

About the Author

Vincent Goh is Vice President, Asia Pacific and Japan, of information security company CyberArk.

Suggested Articles

Some of you might have already been aware of the news that Questex—with the aim to focus on event business—will shut down permanently all media brands in Asia…

Some advice for transitioning into an advisory role

Global risks are intensifying but the collective will to tackle them appears to be lacking. Check out this report for areas of concern