Cyber risk – speaking the language of the CFO

By David Higgins, Director of Customer Development EMEA, CyberArk

In the traditional realms of cyber security, ‘security’ and ‘risk’ are always the predominant topics of conversation. But for FDs and CFOs it’s even more reductive than that – everything boils down to one factor: risk. It’s their job to be aware of the financial repercussions of every single risk an organisation takes and their approach to cyber security is no different. They want models which specifically demonstrate their exposure to risk in cyberspace, both from internal and external threats.

We constantly hear that cyber security should be a boardroom topic – and in most cases it is. But it’s largely a futile exercise at the moment. CISOs go into the last five minutes of a board meeting to outline their most recent cyber security initiatives, but no-one listens. Why? Because the board doesn’t speak the same technical language. CFOs need things explained in a way which easily translates into their risk modelling frameworks.

This leaves us at a bit of an impasse. Cyber security teams, constantly focused on defending their organisation in cyber space, become isolated from the wider organisation and the implications their initiatives may have on their colleagues, particularly from a financial perspective. They also become detached from the activity of accounts with privileged access – such as CFOs – and miss potential indicators of a security vulnerability, an impending data breach or an inside threat, such as a disgruntled employee.

Likewise, without adequate explanation as to why certain security protocols are in place, the finance function can become quickly become frustrated at measures which appear to hinder their job function and choose to ignore them, potentially exposing them even further to the risk of a catastrophic data breach.

Creating a dialogue

Organisations should therefore seek to create a reciprocal dialogue between these core business units, so they understand the implication of security policies on critical business accounts and transactions, and vice versa. This comes from encouraging cyber security teams to avoid technical jargon and speak to the finance function in a language they understand, so their messages resonate more clearly. CFOs and FDs in particular have the best view of the entire threat landscape of their organisation, so must train their security leadership team to converse with them in the way they want to provide effective defence against cyber threats. Doing so will help both business units identify and nullify potential threats to the business – both internal and external – early, helping ringfence security at the heart of the enterprise and prevent a costly cyber attack.

Taking a security-first approach to the enterprise

But that’s not enough. It’s also about educating your workforce to about the implications of a constantly-changing digital environment. Almost every company out there has heard the ubiquitous calls for a ‘change of attitude’ to cyber security by now, but how can their employees put this new attitude into action without practical guidance?

Aside from cyber security awareness training, which should be a requirement for every employee within the organisation, finance teams must firstly be trained to report potential vulnerabilities and attacks as soon as possible, and secondly consider the implications of their actions from a cybersecurity perspective; at every turn they should think how their actions may increase the business’ exposure to attack. This may require involving the CISO in strategy or business development meetings for example, as well as board meetings, so they are aware of recent initiatives and can express their security concerns from a business viewpoint.

Establishing exposure to risk

Up to now the process of allocating budget to cyber security has not been an exact science, and this has created confusion regarding ownership of the function within business. Many businesses operate without measuring their exposure to risk – meaning they don’t know how much it would cost them if a successful cyber attack took place. Given how critical it now is to the financial viability of a business, CFOs and FDs should take the lead and demand a demonstrable measure of their organisation’s risk exposure in cyberspace. Not only will this help them secure insurance policies which leave them fully covered in the event of an attack, but it will also to allow them to align the correct amount of budget to cybersecurity spend.

Cyber security can no longer be considered as simply a technological risk – it is now a business-critical risk. According to IBM’s latest cost of data breach study, the average cost of a data breach globally is $3.62 million – and the size of these breaches is increasing.[1] A reactive approach simply isn’t sufficient to prevent costly and irrevocable damage to an organisation, and it’s widely accepted that the senior finance team should take a leading role in helping their organisation implement a robust, pragmatic, and proactive strategy to deal with cyber threats.

This process will only work if the two critical business functions work together to create a reciprocal dialogue which is understood by both parties, formulate easily navigated frameworks, and educate the entire organisation to the scale of its threat landscape. While no protection against cyber attacks is foolproof – they are becoming more sophisticated every day – these steps are critical to effectively mitigate risk and defend against cyber threats. After all, as Ginni Romety, the CEO of IBM, said: “Cyber crime is the greatest threat to every company in the world”. So it’s worth listening.

[1] https://www.ibm.com/security/data-breach/