There’s no doubt that cybersecurity is now on the CFO agenda. In part one of this series, we discussed the financial impact of poor cybersecurity, the emergence of cyber as a basic corporate leadership competency and the importance of measuring and managing cyber spending. So, what do today’s CFOs need to know and ask about cybersecurity?
Question 1: What Are My Business Risks?
This is a question the CFO can ask – and help answer. Good cybersecurity is threat- and risk-based. That means the ‘what’ and ‘how’ of cyber are connected to a clear ‘why.’ In this case, the why is the specific risks to the business of a cyber-attack. What data and systems, if compromised, would cause the worst business impact? What consequences of an attack (e.g., reputational, regulatory, financial, safety) would be most damaging to the company overall?
This question is important for CFOs and non-technical executives because it creates context and grounding for everything about cyber. Unless (and until) executives are anchored in actual cyber risks to the business, cybersecurity discussions in the C-suite and board will drift through abstract technical details.
Question 2: What Are My Mandates, and Are We Meeting Them?
Cyber regulations and mandates are exploding, including from financial-focused regulators and agencies such as the SEC and NYDFS. Cyber incidents must be reported on 10-Ks, and the OCFO is often pulled into conversations with regulators. CFOs must ask their CISOs, CIOs and compliance leaders questions like: What cyber mandates do we have to meet? Are we meeting them? What exactly are we reporting to regulators, and what are the financial impacts of inaccurate reporting or outright non-compliance?
Question 3: Is Our Spend Right-Sized and Effective?
This is not a cost-cutting question. All CFOs should understand that cyber is no longer a cost center but an enabler and guarantor of the business. That said, security organizations tend to spend as they try to keep up with ever-evolving threats and new security tools and products as they come to market. As such, CFOs play a crucial role in stress-testing and helping to right-size security spending.
To do this, CFOs should take what they know from the first two questions – an understanding of real cyber risks and clarity around mandates – and require CISOs and CIOs to show how actual and proposed spending buys down those risks and fulfills regulatory compliance mandates. Beware of decontextualized control maturity gap assessments, requests to buy more “industry-leading” cyber tools or incomprehensible cyber budget line items. One or more of these should tell a CFO that security spend may not be directly tied to real-world threats, risks and requirements.
But when CISOs and CIOs have done their homework – and can directly link proposed investment to real risk reduction – CFOs must be advocates and champions. Don’t be the CFO who denies thoughtful cyber budget requests only to later see the security team overworked, underequipped and under siege by cyber threats.
Question 4: Can We Respond and Recover?
Every executive leader and board member should be asking this question – and demanding evidence to support a “yes.” This starts with incident response policies, plans and playbooks, which should be tested at least annually via tabletops. If the CFO hasn’t seen or been invited to one of these tabletops, that may be a warning sign that the company is not sufficiently rigorous or methodical in testing its response to a cyber incident.
CFOs should also ask about their role in broader business continuity and disaster recovery plans. They should also be seeking clarity on cyber insurance. Does the company have it? Is it a standalone policy? What are the features and exclusions? Who will help with insurance recovery if there’s a conflict on a claim?
Question 5: What Is a Good Mental Model to Make Sense of Cybersecurity?
Cyber, like corporate finance and accounting, can be complicated, nuanced, jargon-laden and inaccessible. Given this, it’s too easy for a CFO to say, “This is too hard.” The worlds of the CFO, the CIO and the CISO must come together. As the (usually) more senior executive, it is necessary that the CISO begins this process.
What is the best thing that a CFO can do? Call the CISO and say, “Explain your world to me on one page. Give me a simple mental model to understand what you do.” This shows interest, invites the CISO to the table, and, most importantly, forces the CISO to simplify. The goal here is to get the CISO to share a useful – not perfect – framework for demystifying cyber.