The CFO's critical role in promoting cybersecurity

CFOs may not usually be considered part of a company's security team, but that doesn't mean that they can't help promote cybersecurity and help identify threats

As a steady flow of headlines reinforces with troubling regularity, the importance of cyber security for the world's large businesses cannot be overstated. It was therefore no surprise that at a recent event for Chief Financial Officers hosted by Consero Group, the topic of cyber security captured quite a bit of attention. During one session in particular, Gary Loveland of PricewaterhouseCoopers and Alan Stewart of Epsilon Systems provided a useful cyber security framework for today's Fortune 1000 CFOs.

[Will CSOs become CROs in the future?]

Set forth below are the key elements of this discussion, which provide valuable guidance for any CFO interested in protecting his or her business:

1. Know the threat.

It is important to get a handle on the various actors who pose risk to the business, as they have different interests and capabilities. The obvious categories include simple hackers, organized crime for profit, state-sponsored activities that are harder to detect and typically more sophisticated, and insiders (e.g., disgruntled employees). Only by understanding the differences between these groups can you pursue strategies to combat their efforts.

2. Understand your business.

To defend the business most efficiently, you must have a handle on what information is most valuable to the business and to others, i.e., what are the "crown jewels"? You must also get a handle on where this information is supposed to reside, where it actually resides, who touches it, and how access is managed.

3. Identify the holes in your company's defenses.

At least once a year, conduct a vulnerability or penetration test to see whether any unintended parties can access critical data. A variety of parties can perform effective tests, including both internal and external groups. Just be sure that whoever is chosen performs efforts that are comprehensive and sophisticated enough to uncover the weaknesses that exist in your network.

As CFO, it is your job to ensure that a sufficient investment is made in whatever test is performed. Without sufficiently sophisticated and thorough testing before a breach, you may end up with a much bigger investment in response to a breach.

4. Be proactive to protect the business.

All too often, companies implement measures to prevent cyber attacks in response to a breach. A diligent CFO can save the company the embarrassment and financial impact of that first (or the next) major breach by taking proactive steps in anticipation of targeted attacks. With the ability and resources to perform comprehensive cost-benefit analyses relating to cyber attacks, CFOs may be in the best position to describe and advocate for the data-security investments necessary to protect and monitor their company's data.

While the CFO is typically not considered to be part of the data security team at most global businesses, these executives play a significant role in advocating for and pursuing critical investments that promote long-term business growth. Given the risks that cyber threats pose in a technology driven economy, today's CFO must focus on cybersecurity and ensure that sufficient steps are being taken to preserve and protect the company's most valuable information assets.

Paul Mandell is a Founder and the Chief Executive Officer of Consero, a provider of industry-specific events for senior-level executives in various industries, including legal, compliance, shared services, customer experience, finance, IT, HR, procurement, higher education technology, and brand protection & anti-counterfeiting.

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies