Senior executives understand that today’s global economy is still not sufficiently protected against cyber-attacks, despite years of effort and spending in the multi-billion dollar range. Until recently, many chief financial officers (CFOs) may not have understood how to respond to cybersecurity risks and the implications for their organizations. CFOs may not have even been considered an essential part of an organization's security team. But as times have changed, many CFOs are now regularly being called upon to help promote cybersecurity and identify threats.
CFOs have a major role to play in the daily running of an organization. They work directly with financial analysts and have concerns about loss of control over their financial reporting. They are also concerned with the potential loss of funds, either through theft or as a direct result of a third party's misfortune. If you think about it, they have good reason to be alarmed. The information that the CFO controls and works with on a daily basis is some of the most sensitive and important data that can be found within an organization.
The CFO must also understand where information is at all times, how it is secured, who might want to steal it and how they might gain access to it. Perhaps most importantly, the CFO has a duty to provide plain, true and complete disclosure to the board on a wide range of issues, which today, many would argue, should include the potential financial impact of a cyber-attack on the organization.
Cyberspace: Weighing Risk v Reward
Business leaders understand the benefits of cyberspace, yet many are having trouble determining the risk versus the reward. They may not realize that cyberspace confers the same benefits to us as it does to those who attack organizations. Hacker groups, criminal gangs and espionage units have access to powerful, evolving capabilities, which they use to identify, target, and attack. The benefits of cyberspace come with significant risks, and the threat of a cyber-attack should be firmly at the top of the boardroom agenda.
“Organizations will be subjected to cyber-attacks regardless of their best efforts to protect themselves”
Many of the security activities associated with responding to cyber-attacks are based on fundamental information security incident management. However, cybercrime often involves sophisticated, targeted attacks against an organization, and therefore additional security measures may be required to respond to specific attacks.
Cybercrime intelligence relating to the development of attacks should be reviewed by the CFO on a regular basis to determine:
- The extent to which the organization is at risk of attack
- How targeted information could be used by criminals
- The techniques used by criminals to perform cybercrime
Protecting the Organization Against Damage to Brand Reputation
Attackers have become more organized, attacks have become more sophisticated, and all threats are more dangerous and pose more risk to an organization’s reputation. In addition, brand reputation and the trust dynamic that exists among suppliers, customers and partners have emerged as a very real target for cyber-criminals and hacktivists.
With the speed and complexity of the threat landscape changing on a daily basis, all too often we’re seeing businesses being left behind, sometimes in the wake of reputational and financial damage. If (and when) a data breach occurs, it's important to limit its impact, including its impact on the organization’s reputation. CFOs need to ensure they are fully prepared to deal with these ever-emerging challenges by equipping their organizations better to deal with reputational attacks. This may seem obvious, but the faster you can respond to attacks on reputation, the better your outcomes will be.
Organizations Don’t Just Need Cybersecurity, They Need Cyber Resilience
Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach, and it no longer provides the required protection. Organizations must extend risk management to include risk resilience, in order to manage, respond to and mitigate any damaging impacts of activity in cyberspace.
Cyber resilience anticipates a degree of uncertainty: it’s difficult to undertake completely comprehensive risk assessments about participation in cyberspace. Cyber resilience also recognizes the challenges in keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. It encompasses the need for a prepared and comprehensive rapid-response capability, as organizations will be subjected to cyber-attacks regardless of their best efforts to protect themselves. Above all, cyber resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inevitable attack.
While the CFO has not been viewed as a vital member of the security team at most global organizations in the past, these executives play an important role in advocating, and pursuing, critical investments that promote long-term business growth. Given the risks that cybersecurity threats pose in a technology-driven, global economy, today's CFO must focus on cybersecurity and ensure that adequate steps are taken to preserve and protect the company's reputation, stock price and most valuable information.
About the Author
Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cybersecurity, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.