Cybersecurity and the CFO: Risk, Responsibility and Resilience

You’re the CFO. Your company’s capital structure, the current sentiment of your stakeholders and constantly-evolving economic modeling are all things for you to worry about. You likely know what keeps your fellow executives up at night as well. But what about your organization’s cybersecurity team?

Old-schoolers might consider IT to be just an expensive line item when, in fact, your IT team’s successes and failures impact everything under your purview and beyond. Their nightmares should be your nightmares. Strategic investments, good governance and thoughtful reporting by your security team help fortify your company’s business resilience, letting you enjoy some peace of mind while avoiding a situation of Equifax proportions.

Customers expect to be able to trust the safety of their private data and financial information within an organization. When any large-scale breach (like Equifax, which lasted from mid-May through July) occurs, a considerable amount of that trust is lost, sometimes irrevocably.

But bigger than putting a dent in brand reputation, cyberattacks and data breaches can measurably affect an organization’s bottom line. As of mid-September, Equifax’s stock prices had slid 18%. And it’s not likely to be temporary. A study done in April by IT consultant CGI and Oxford Economics concluded that severe breaches caused share prices to fall an average of 1.8% on a permanent basis.

Cyber threats aren’t going anywhere and you can’t have a complete picture of risk if you don’t understand your organization’s security stance. If the CFO doesn’t work closely with security colleagues, cybersecurity investments will not be aligned to business objectives, and may fail to protect the company’s most vital assets and mitigate the risks that carry the highest damage potential.

A McKinsey-World Economic Forum study of cybersecurity risk management practices found that “Senior-management time and attention was identified as the single biggest driver of maturity in managing cybersecurity risks—more important than company size, sector and resources provided.”  

Cybersecurity performance and ROI can’t be measured the same way that revenue and operating costs can. This may make CFOs uncomfortable, but it’s high time our financial executives get involved and find better ways to assess and optimize cybersecurity spending. In the ongoing, dynamic arc of digital transformation, there will always be trade-offs between security and innovation, but we can’t forge ahead blindly in the name of growth.

Michael Siegel, a principal research scientist at MIT, calls the failure to continuously review and address known vulnerabilities the “inverse ROI of not doing cybersecurity.” The consequences of holding on too long to unpatched legacy systems were made painfully clear by the aforementioned Equifax breach and WannaCry scourge; the costs of downtime, lost intellectual property and undermined trust with customers and partners add up quickly. 

Security is a moving target, but most vulnerabilities are known. Spending big on defending against zero-day attacks (which are relatively rare) usually means you’re neglecting a growing gap somewhere else. Trying to keep up with application patching can seem nearly impossible, especially if your company doesn’t have a Fortune 500-level cyber budget. Web application attacks are still in Verizon’s DBIR top nine threat patterns, and were the primary cause of data breaches in 2016.

CFOs who are aware of the labor and productivity costs associated with traditional patching methods rightly shudder at the enormity of the task. We must move toward more expansive, automated and constantly-refreshed solutions.

As a CFO, do you know enough about application security to envision the cost savings, resilience and risk reduction such solutions enable? This is why it’s so important for the CTO/CSO and CFO to collaborate directly—if your security team proposes making a new investment in a cheaper, better approach, will you back them up or miss the boat?

We’ve tried the strategy of spending untold billions on cybersecurity programs, yet breaches and attacks only increase and intensify. Additional investments in cybersecurity should be based on thorough assessments of risks specific to the business, impacts on end-users, effects on products and services, and the costs associated with implementing and maintaining the given security solution.

From the top down, from product development to public relations to human resources, cybersecurity should be considered in every major decision process. A damaging data breach does more than compromise the private data belonging to your customers and organization—it takes a serious toll on your organization’s reputation.

Security failures should be everyone’s nightmare, and therefore, cybersecurity is everyone’s responsibility. As we’ve seen following the Equifax breach, serious financial repercussions can be felt. And make no mistake: There will be breaches in the future. 

CFOs are in a prime position to help build a culture of security throughout an organization by emphasizing its importance to the bottom line, business continuity, competitive advantage, and brand reputation. Trust in the digital economy is critical. Trust between CFOs and security leaders is an important and fruitful place to start—and a way to guarantee strong bonds between a business, its shareholders and its customers.
