In the second installment of this series, we talked about the growing cyber-CFO nexus and set forth some critical questions financial executives should be asking to meaningfully advance corporate cybersecurity. But that’s not the end of the conversation.
As cybersecurity becomes a pervasive enterprise risk, regulators are increasingly demanding. With increased oversight, the financial, operational and reputational impacts of breaches are more severe. CFO teams must play concrete roles contributing to the enterprise’s cyber mission.
Role 1: Thoughtful Risk Owner
Cyber risk is embedded in the office of the CFO. Finance teams own and handle some of the corporation’s most sensitive, valuable and lucrative data (e.g. financial statements, strategies, M&A plans). If these are compromised, the business implications can be substantial. Because of this, CFOs need to understand the risk around these ‘crown jewels.’ The question needs to be: What are the cascading effects if cyber attackers get their hands on vital assets?
From there, CFOs should apply an ownership mindset to the risk. While CISO teams are responsible for providing technical safeguards, CFOs have accountability for ensuring those safeguards match the organization’s risk appetite around the finance organization’s critical assets. This risk ownership mindset helps CFOs get skin in the cyber game. And it leads to two realizations – that CFOs need cybersecurity and that CFOs are part of making cyber happen.
Role 2: Budget for a Champion-Skeptic
“Champion-skeptic” may sound like a contradiction, but it isn’t. Cyber leaders are often fighting for budget, struggling to demystify wildly technical requirements, and justifying spend in simple business terms. More often than not, this exhausts finance executives, who end up saying “no” – or “yes” – without more than a surface-level understanding of the ask. The champion-skeptic fixes this. The starting point is a mindset of supporting investment in cybersecurity (the champion), even asking CISOs, “Do you have all you need?” or “What more could we do to help you resource your program?” The other half is the skeptic: demanding rigor, clarity and simplicity in every security budget request. Over time, CFO teams that invest in cyber while holding requests to that standard will maximize their credibility and impact with the security team and peers.
Role 3: Regulatory Maestro
Cybersecurity regulations are abundant. Large companies report spending tens of millions of dollars to meet a myriad of regulator requests, with no end in sight. While the Securities and Exchange Commission (SEC) prepares to issue new cyber rules that look like a “Sarbanes-Oxley Act (SOX) for cybersecurity,” broad swaths of corporate America will be dialing up more time, attention and money on cyber regulatory compliance.
Enter the CFO. While the legal, regulatory, and compliance teams drive the detailed work, CFOs usually have relationships with the regulators (especially giants such as the SEC). Many CFOs have learned throughout their careers how to navigate and leverage those relationships to ensure that their company keeps up and avoids mishaps; most CISOs and CIOs don’t know how to do this and need help to ensure that their programs meet compliance requirements in a clear, traceable manner. Here, CFOs can help ‘upskill’ security leaders, which ultimately helps keep the company out of regulatory hot water.
Role 4: Executive Example-Setter
This role is by far the most important but also depends on embracing the first three roles. CFOs wield massive organizational influence. Organizations follow and focus on what executives care about. When business unit leaders, regional heads and even the rank-and-file see and hear the CFO focusing on cyber, a strong message takes root: Cybersecurity is important to this company, so I should make it important.
However, CFOs can’t be effective champions or example-setters if they’re not practically versed in cyber, which is why embracing and mastering the first three roles is crucial. Once CFOs thoughtfully own cyber risk, are comfortable debating budget requests and cross-walking spend with risk reduction, and are in the trenches of cyber regulatory compliance, they are in the cyber game. This gives them the expertise and comfort to stand out as executive corporate champions for cyber.
CFOs are already sophisticated risk managers. They are the budget owners, are likely adept at regulatory ju-jitsu, and carry countless corporate priorities across the enterprise. What these roles are really about is simple: extending the CFO’s natural strengths and responsibilities to a new functional area – cyber.