BreachExchange mailing list archives

The CFO’s Role in Cyber Security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 30 Mar 2015 19:17:56 -0600

http://ww2.cfo.com/accounting-tax/2015/03/cfos-role-cyber-security/

The importance of cyber security is no secret to anyone who watches the
nightly news. Senior executives at businesses of all sizes understand all
too well that today’s global economy is still not adequately protected
against cyberattacks, despite years of effort and spending in the
multi-billion dollar range each year. But until recently, many CFOs may not
have been considered an integral part of an organization’s security team or
understood how to respond to security risks and the implications for their
organizations. But times have changed and many CFOs are being called upon
to help promote cyber security and identify threats.

CFOs have a major role to play in the daily running of an organization. For
starters, they work directly with financial analysts and have concerns over
loss of control over their financial reporting. Of course they are also
concerned with the potential loss of funds either through good,
old-fashioned theft or as a direct result of another third party’s
misfortune.

If you think about it, finance chiefs have good reason to be concerned. The
information that the CFO controls and works with on a daily basis is some
of the most sensitive and important that can be found in an organization.
The CFO must understand where the information is at all times, how it’s
secured, who might want to steal it, and how hackers might gain access to
it. Perhaps most importantly, the CFO has a duty to provide plain, true,
and complete disclosure to the board on a wide range of issues. Today, many
would argue that they should include the potential impact of cyberattack on
the financial standing of the organization.

The cost of a cyber-attack, whether it’s financial or reputational, can be
astounding. For CFOs, information security must become a top priority in
defending their organization’s future. According to Deloitte’s
third-quarter 2014 CFO Signals™ survey, North American CFOs view
cybersecurity as a high priority, but there are certainly concerns about
implementation of information security plans.

Overall, 74% of 103 CFOs said cyber security is a top priority, while only
6% of those surveyed do not view it as a high priority. Obviously, security
threats will continue to be a major business disrupter. This is confirmed
by the finding that more than half of CFOs surveyed cited anxieties about
security of data, intellectual property, and facilities.

Risk vs. Reward

Business leaders recognize the enormous benefits of cyberspace, yet many
are having difficulty determining the risk versus the reward. The benefits
of cyberspace come with significant risks, and the threat of cyberattack is
firmly at the top of the board agenda.

While organizations are exploiting the business benefits of cyberspace,
they may not realize that it confers the same benefits to those who attack
those organizations. Hacker groups, criminal organizations, and espionage
units worldwide have access to powerful, evolving capabilities, which they
use to identify, target, and attack.

Many of the security activities associated with cybercrime are based on
fundamental information security incident management, and are covered under
such topics as information security incident management and forensic
investigations. But cybercrime often involves sophisticated, targeted
attacks against an organization and, as such, additional security measures
may be required to respond to specific cybercrime-related attacks.

Cybercrime-related intelligence relating to the development of attacks
should be reviewed by the CFO on a regular basis to determine:

The extent to which the organization is at risk of a cybercrime-related
attack.
How targeted information could be used by criminals.
The techniques used by criminals to perform cybercrime-related attacks.

Damage to Brand Reputation

Attackers have become more organized, attacks have become more
sophisticated, and all threats are more dangerous and pose more risks to an
organization’s reputation. In addition, brand reputation and the trust
dynamic that exists among suppliers, customers and partners have appeared
as very real targets for the cybercriminal and hacktivist.

With the speed and complexity of the threat landscape changing on a daily
basis, all too often we’re seeing businesses being left behind, sometimes
in the wake of reputational and financial damage. When a data breach
occurs, it’s important to limit its impact and the potential impact on the
organization’s reputation. CFOs need to ensure they are fully prepared to
deal with these ever-emerging challenges by equipping their organizations
better to deal with attacks on their reputations. And the faster you can
respond to these attacks on reputation, the better your outcomes will be.

From Employee Awareness to Embedded Behavior

Organizations continue to heavily invest in developing human capital. The
implicit idea behind this is that awareness and training always delivers
some kind of value with no need to prove it – employee satisfaction was
considered enough. This is no longer the case.

Today’s CFOs demand return on investment forecasts for the projects they
have to choose among and awareness and training are no exception.
Evaluating and demonstrating their value is becoming a business imperative.

Finance chiefs understand that spending a small amount up front could very
well save the organization a great deal in the event a breach occurs.
Unfortunately, there’s no single process or method for introducing
information security behavior change. That’s because organizations vary so
widely in their demographics, experiences, achievements, and goals.

The time is right, and the opportunity to shift from awareness to tangible
behaviors has never been greater. CFOs have become more cyber-savvy, and
regulators and stakeholders continually push for stronger governance,
particularly in the area of risk management. Moving to behavior change will
provide the chief information security officer with the ammunition needed
to provide positive answers to questions that are likely to be posed by the
CFO and other members of the senior management team.

Do I Really Need Cyber Insurance?

Of the 970 financial professionals who attended the AFP conference in
Washington last November, and responded to a survey, 62% said that their
organization has been subject to either an actual or attempted cyber-attack
at least once over the past year. Only 15% of financial professionals
responding to the survey said their companies have upped the amount of
cyber insurance carried. Is cyber insurance necessary?

Privacy exposure has been a key motivator for some organizations to
purchase cyber insurance. Others are motivated by growing regulatory
exposure. It’s no longer just the organizations that we’ve traditionally
focused on, including financial institutions, retail, health care, and
higher education. Those industries have been buying insurance for a long
time. The health care industry has been a particularly large buyer of cyber
insurance, stemming from the enormous volumes of customer data health care
outfits must handle. I’m also seeing players in a number of new industries,
such as manufacturing and supply chain, who are purchasing cyber insurance
because of regulatory concerns.

But remember: cyber insurance is no replacement for sound cyber security
and cyber-resilience practices. On the contrary, well-resourced compliance
practices can often positively reduce the associated premiums for cyber
insurance. Further, finance chiefs need to look very carefully at the
small print – many policies don’t cover state-sponsored attacks and may not
provide you with the full financial cover that you would wish.

Is Cyber Security Enough?

Far too often, organizations implement measures to prevent cyberattacks in
response to a data breach. A meticulous CFO can save the company the
embarrassment and financial impact of a major breach by taking proactive
steps in anticipation of targeted attacks. Companies should take the time
to develop a data breach response program. They must also rehearse various
scenarios before an incident occurs.

But establishing cyber security alone is not enough.

Today, risk management largely focuses on achieving security through the
management and control of known risks. The rapid evolution of opportunities
and risks in cyberspace is outpacing this approach and it no longer
provides the required protection. Organizations must extend risk management
to include risk resilience, in order to manage, respond to, and mitigate any
damaging impacts of cyberspace activity.

Cyber resilience anticipates a degree of uncertainty. It’s difficult to
undertake completely comprehensive risk assessments about participation in
cyberspace. Cyber resilience also recognizes the challenges in keeping pace
with, or anticipating, the increasingly sophisticated threats from malspace.

It encompasses the need for a prepared and comprehensive rapid-response
capability. That’s necessary because organizations will be subject to
cyberattacks regardless of their best efforts to protect themselves. Above
all, cyber resilience is about ensuring the sustainability and success of
an organization, even when it has been subjected to the almost inevitable
attack.

In the past, while the CFO has not been viewed as a vital member of the
security team at most global organizations, they play a significant role in
advocating for and pursuing critical investments that promote long-term
business growth. Given the risks that cyber security threats pose in a
technology-driven, global economy, today’s CFO must focus on cyber security
to ensure that adequate steps are taken to preserve and protect the
company’s reputation, stock price, and most valuable information properties.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 