CFOs traditionally have not played a significant role in enterprise cybersecurity operations. The subject has generally been approached as a technology issue rather than a business one, and finance leaders have not always understood why they are funding particular security initiatives.
Today, technology is integrated into every area of the business, and that integration increases a company's exposure to digital security disruptions. CFOs therefore need a better understanding of how a proposed cybersecurity investment reduces risk in specific business scenarios where the potential loss from a security incident is significant. They need a stronger grasp of the issue to fulfil their governance and fiduciary responsibilities to the organisation, including accountability for compliance with the EU General Data Protection Regulation.
“Cyber is all about protecting the entire asset base of the company and managing risk appropriately — that is not just a technology issue,” said Steve Durbin, managing director of the Information Security Forum (ISF), an independent, not-for-profit organisation headquartered in London.
Data loss and breaches affect shareholder value and the ability of the business to deliver on its strategic goals. Cyber risk has reached the point of such material impact on the company’s bottom line and financial stability that CFOs must bring some of the rigour of running a firm’s finances to cybersecurity initiatives.
“With the increase in the size and reach of the enterprise landscape, third-party providers, IoT, cloud, and 5G technology all adding to the volume and velocity of data creation and sharing, it has never been more important to have a sound and robust cyber resilience strategy that is appropriately funded, managed, and monitored,” Durbin said.
The business language of security. That does not mean that CFOs need to become experts in the intricacies of endpoint detection and response or micro-segmentation. It is better if cybersecurity experts can speak to them in the language of business. Explaining how IT infrastructure connects to critical business processes — reconciliation, underwriting, etc. — makes it easier for CFOs to understand the impact of not addressing vulnerabilities so that they can make informed assessments about risk defences, according to Jack Freund, director of risk science at software vendor RiskLens.
Risk, he said, is about looking into the future and asking, “If a security breach happens here, what could the effect on the business be?” The business can comprehend that a particular breach could result in a loss of millions of dollars, for example.
The Factor Analysis of Information Risk (FAIR) model, a standard risk taxonomy and quantification model by global standards consortium The Open Group, provides a framework to express risk in financial terms. “The FAIR framework lets us think about risk in terms of the range of loss,” said Freund, who co-authored the book Measuring and Managing Information Risk: A FAIR Approach. “That lets [security professionals] hook into the accountancy function.”
Using well-scoped loss scenarios ensures that the underlying complexity and context of risk is not discounted, Durbin said. “It helps prioritise those risks that require attention.” Traditionally, cyber risk has been assessed in a qualitative manner, and often this has made justifying cyber-related spend problematic, he said. But there is increasing interest in using quantitative assessments.
“The ISF’s quantitative techniques in information risk analysis and others are making their way into security departments and boardrooms,” Durbin said. “The CFO is beginning to assemble the necessary information required to make sound judgements on return on investment for cyber projects.”
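The "range of loss" that Freund and Durbin describe is normally produced by Monte Carlo simulation over the FAIR factors: threat event frequency, vulnerability (the chance a threat's capability beats the controls), and primary plus secondary loss magnitude, each entered as a calibrated minimum / most-likely / maximum estimate. The following is an added illustration written for this page, not code from the article, the ISF, RiskLens or The Open Group. It assumes a triangular distribution in place of the PERT curves FAIR tooling usually uses, and the ransomware scenario numbers are invented inputs, not figures from any organisation.

```python
"""FAIR-style Monte Carlo loss simulation using only the standard library.

Factor Analysis of Information Risk (FAIR) decomposes risk as
    Risk          = Loss Event Frequency (LEF) x Loss Magnitude (LM)
    LEF           = Threat Event Frequency (TEF) x Vulnerability
    Vulnerability = P(threat capability > resistance strength)
    LM            = primary loss + secondary loss
Each input is a calibrated min / most-likely / max estimate.  A triangular
distribution stands in here for the PERT curves FAIR tooling normally uses
(an assumption of this example, not part of the standard).
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class LossScenario:
    """A well-scoped loss scenario: one asset, one threat, one effect."""
    name: str
    tef_per_year: Estimate         # threat events per year against the asset
    threat_capability: Estimate    # 0..1, skill percentile of the threat community
    resistance_strength: Estimate  # 0..1, control strength on the same scale
    primary_loss: Estimate         # direct loss per event (response, replacement, downtime)
    secondary_lef: Estimate        # 0..1, probability an event triggers secondary effects
    secondary_loss: Estimate       # fines, customer churn, legal cost per secondary event


def poisson(lam: float, rng: random.Random) -> int:
    """Number of events in one period given mean rate lam (Knuth's method)."""
    limit = math.exp(-lam)
    count, p = 0, rng.random()
    while p > limit:
        count += 1
        p *= rng.random()
    return count


def simulate_year(s: LossScenario, rng: random.Random) -> float:
    """Total loss from scenario s over one simulated year."""
    total = 0.0
    for _ in range(poisson(s.tef_per_year.sample(rng), rng)):
        # Vulnerability: the threat only succeeds if its capability beats the controls.
        if s.threat_capability.sample(rng) <= s.resistance_strength.sample(rng):
            continue
        loss = s.primary_loss.sample(rng)
        if rng.random() < s.secondary_lef.sample(rng):
            loss += s.secondary_loss.sample(rng)
        total += loss
    return total


def summarize(s: LossScenario, years: int = 10_000, seed: int = 1) -> dict:
    """Run `years` independent simulated years and report the annual loss range."""
    rng = random.Random(seed)
    losses = [simulate_year(s, rng) for _ in range(years)]
    pct = statistics.quantiles(losses, n=10)  # deciles: pct[0]=P10, pct[4]=P50, pct[8]=P90
    return {
        "scenario": s.name,
        "mean_ale": statistics.fmean(losses),   # annualised loss expectancy
        "p10": pct[0], "p50": pct[4], "p90": pct[8],
        "max": max(losses),
        "years": years,
    }


# Constructed scenario for illustration: ransomware against a finance file share.
# The numbers are invented inputs, not figures from any organisation.
RANSOMWARE_FILE_SHARE = LossScenario(
    name="ransomware on finance file share",
    tef_per_year=Estimate(0.5, 2.0, 6.0),
    threat_capability=Estimate(0.3, 0.6, 0.95),
    resistance_strength=Estimate(0.4, 0.7, 0.9),
    primary_loss=Estimate(50_000, 250_000, 1_500_000),
    secondary_lef=Estimate(0.1, 0.3, 0.6),
    secondary_loss=Estimate(100_000, 800_000, 5_000_000),
)

if __name__ == "__main__":
    r = summarize(RANSOMWARE_FILE_SHARE)
    print(f"{r['scenario']}: mean ALE ${r['mean_ale']:,.0f}  "
          f"P10 ${r['p10']:,.0f}  P50 ${r['p50']:,.0f}  P90 ${r['p90']:,.0f}  "
          f"worst simulated year ${r['max']:,.0f}")
```

The output is the form a CFO can act on: a mean annualised loss expectancy plus the 10th/50th/90th percentile years, so a proposed control can be evaluated by re-running the scenario with a higher `resistance_strength` (or lower `tef_per_year`) and comparing the shift in the P90 loss against the control's cost.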
Security on the balance sheet. Steve Livingston, cyber principal for Deloitte Risk and Financial Advisory, discusses the idea of measuring risk in a meaningful way by developing cybersecurity balance sheets that are akin to financial statements. “For financial reports you do a consolidation process, and all the information from sales and HR and other systems is put together, and then you have a financial statement,” he said.
“You can do the same thing with cybersecurity where a hundred or more systems are producing different types of data,” said Livingston. “Consolidate that and apply it against a generally accepted cybersecurity framework.”
“Now the chief information security officer [CISO] can sit down with the CFO with one page and say, ‘Here are the lines of business, and here are the most-risky items,’” Livingston said. For example, a CFO may see on the financial statement that cybersecurity costs were high in a particular region, and the CISO can drill down on the cybersecurity statement to explain why. Having that data can help CFOs decide where to allocate funds to address the risk, and they can check the next quarter's cybersecurity balance sheet to learn whether those efforts were successful.
Ultimately, there is no way to completely secure an organisation. CFOs have to make the hard choices about where to put their money, knowing there’s always going to be a risk somewhere.
“Regular cyber and information risk audits should become the norm in the same way as financial audit has become a mandatory requirement,” said Durbin.
— Jennifer Zaino is a freelance writer based in the US. To comment on this article or to suggest an idea for another article, contact Drew Adamek, an FM magazine senior editor, at Andrew.Adamek@aicpa-cima.com.