[BreachExchange] Cyber risk - from the CFO's point of view

Audrey McNeil audrey at riskbasedsecurity.com
Fri Nov 3 14:18:05 EDT 2017


https://cio.economictimes.indiatimes.com/tech-talk/cyber-risk-from-the-cfo-s-point-of-view/2677


‘Security’ and ‘risk’ are the two most widely discussed terms in
cybersecurity. For finance directors (FDs) and CFOs, however, everything
reduces to a single factor: risk. It is their responsibility to understand
the financial repercussions of every risk the organisation takes, and to
have models that quantify its exposure to cyber risk from both internal and
external threats.

Ignorance isn’t bliss
Though cybersecurity is a major concern across the globe, it is still
largely misunderstood at board level. CISOs are keen to talk about their
latest cybersecurity initiatives in the closing minutes of a board meeting,
but in most instances it is not a top-of-the-agenda item that the board
acts on. The other board members neither use nor understand the same
technical language. CFOs need security explained in terms that translate
directly into their risk-modelling frameworks.

This leaves us at an impasse. Cybersecurity teams are continuously
engrossed in defending the organisation from attack. In the process, they
can become detached from the wider business and from the implications their
initiatives have for colleagues, particularly in financial terms. They can
also lose sight of the activity of accounts with privileged access, such as
those of CFOs, and miss early indicators of a security weakness, an
impending data breach or an insider threat, such as a disgruntled employee.

Similarly, introducing security controls without adequate explanation
frustrates the finance function. The controls are seen as obstacles to
getting the job done, so staff work around or ignore them, and the
organisation is left exposed to a data breach.

Creating a dialogue
It is therefore imperative that the core business units talk to each other,
so that each understands the implications of security policies for critical
business accounts and transactions, and vice versa. The recommended starting
point is to encourage cybersecurity teams to drop the technical jargon and
speak to the finance function in language it understands, so that their
messages land clearly.

CFOs and FDs in particular have the broadest view of their organisation's
risk landscape. They can help the security leadership team learn to frame
threats in business terms, which in turn makes the resulting protection
more effective. Doing so lets both functions identify and neutralise
potential threats to the business, internal and external, at an early
stage, placing security at the heart of the enterprise and helping to
prevent a costly cyberattack.

Taking a security-first approach to the enterprise
But it does not stop there. The next step is educating the workforce about
the implications of a constantly changing digital environment. Almost every
company has by now heard the ubiquitous calls for a ‘change of attitude’ to
cybersecurity; the question is how employees can put that new attitude into
action without practical guidance.

Besides cybersecurity awareness training, which is a must for every employee
in the organisation, finance teams should also be trained to report
suspected vulnerabilities and attacks. Secondly, the cybersecurity
implications of business decisions should be weighed in terms of how they
may increase the organisation's exposure to attack. This may mean involving
the CISO in strategy and business-development meetings as well as board
meetings, so that they know about new initiatives early and can raise
security concerns from a business viewpoint.

Establishing exposure to risk
Allocation of the cybersecurity budget is not yet a systematic process,
which creates confusion about who owns the function within the
organisation. Many businesses operate without measuring their risk exposure
at all, and so have no idea what a cyberattack would cost them. Given this,
CFOs and FDs should take the lead and demand a demonstrable measure of the
organisation's cyber risk exposure. That measure lets them secure insurance
cover that actually matches their exposure in the event of an attack, and
lets them assign the right budget to cybersecurity spend.

A cyberattack is no longer treated as a technology risk but as a
business-critical one. According to IBM's latest Cost of a Data Breach
study, the average cost of a data breach globally is $3.62 million, and the
size of breaches is increasing. A reactive approach is not enough to prevent
costly and irreversible damage to an organisation, and it is widely accepted
that the senior finance team should take a leading role in helping the
organisation implement a robust, pragmatic and proactive strategy for
dealing with cyber threats.

This will only work if the two business functions build a reciprocal
dialogue that both sides understand, formulate frameworks that are easy to
navigate, and educate the entire organisation about the scale of its threat
landscape. No protection against cyberattacks is foolproof, and attacks are
becoming more sophisticated every day; these steps are therefore critical to
mitigating risk and defending against cyber threats effectively.