CFOs Don’t Worry Enough About Cyber Risk

Mitch Blunt/Getty Images

Every executive team and board of directors is asking itself the same question about cyber risk right now: what can we do differently to avoid becoming the next Equifax, Yahoo! or Target, and protect our shareholder value?

The answer involves radically reframing one of the mainstays of the C-suite: the role of the CFO. It is no longer adequate or acceptable for CFOs to focus solely on managing a company's financial risks. In this new era, we need to team up with our CISOs to address the cyber exposure gap, the distance between the threats we know about and have addressed and those we have not, either because our security tools are inadequate or because the threats are flying under the radar. The wider that gap, the greater the risk of an incident that costs millions of dollars in cleanup, lost business and declining stock value.

CFOs at the most risk-aware companies are applying these strategies.

Partner with your CISO. CFOs need to join forces with CISOs to understand their company's security risk and all of the financial costs associated with it. Right now there is a disconnect between most CFOs and security practitioners when it comes to fortifying the company against cyber attacks: recent data shows that 39% of IT practitioners do not believe their senior management understands the impact a security breach could have on the company's reputation. By becoming an active member of the security team rather than a passive observer, the CFO, along with the CEO and the rest of the C-suite, can significantly reduce revenue leakage by funding a more focused and effective cyber security technology portfolio. Some CFOs are working with their CISOs and CIOs to actually model their cyber exposure gap, and the most effective partnerships involve weekly cyber exposure reviews.

Create dividends from your security portfolio. While companies' security spend has increased in recent years, security remains badly under-funded. IT budgets are typically 3-7% of a company's revenue, and security budgets are typically 5% of IT spend, which works out to roughly 0.15-0.35% of revenue.

Yet it pays for CFOs to invest in the security of their company. A 2016 report found that, on average over the preceding two years, firms that invested more in IT security experienced 6.8 fewer breaches and saved more than $5 million. At the same time, the explosion of data and connected devices, with IoT and smart devices now numbering 8.2 billion according to Gartner, is expanding the attack surface of companies that until recently were relatively protected by a secured perimeter. These devices represent a tradeoff between efficiency and risk: they are largely invisible to traditional security and inventory tools, so an attacker can reach them before the security team even knows they exist. New approaches are needed to deal with the realities of today's digital business landscape and evolving threat levels.

It is critical for CFOs to understand where these new risks lie. We cannot ignore the security budget and its line items as we have in the past; we need to be engaged in the strategy behind the spend and in the people and processes it funds. We cannot be expected to understand the technology or how it works, but we should understand why it matters, including the role each new investment plays in closing the cyber exposure gap and setting the company up for long-term success. This requires holding our CISOs and CIOs accountable for a diversified IT security investment strategy that addresses immediate security issues as well as long-term digital transformation goals. With a better understanding of the cyber exposure gap and the financial risks it carries, CFOs, CISOs and CIOs can ensure that the IT security technology portfolio is built to last. Investing security budgets this way will not only improve the company's overall security posture but pay dividends in the long run.

Be accountable for cyber risk. Given the increasingly close relationship between cyber risk and financial risk, the CFO should ultimately be accountable for cyber risk. Breaches result in an average stock price drop of 5% and an average revenue decline of $3.4 million, according to a recent study. And once the EU's General Data Protection Regulation (GDPR) becomes enforceable in May 2018, a data breach could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is higher.

Given the stakes, the CFO cannot do it alone and should partner closely with others who have a clear and vested interest in managing this risk, including the CIO and the CISO. To that end, the most forward-looking CEOs will ultimately factor security measures and successes into the CFO's bonus and require regular updates to the board from the CFO and CISO.

The financial and business impact of cyber incidents today requires the CFO to lean into the solution. If we don't, our customers' data and trillions of dollars are at stake.

Source: Harvard Business Review