
CFOs: A major contributor to lowering organisational risk

Three best practices for CFOs and security leaders to improve collaboration

CFOs play a critical role in developing and enforcing cybersecurity policies, and the more closely they can partner with the chief information security officer (CISO), the more successful the organisation’s strategy will be.

All too often, CFOs are siloed from their organisation’s cybersecurity strategy. In fact, a recent study found that 57% of CFOs report their company has suffered a ransomware attack, but only 12% are actively involved in determining the risk and protecting their organisation from such threats.

Through collaboration, CFOs can help manage increased security risks, measure the ROI of security plans, and communicate with C-suite peers on the effectiveness of IT investments, all of which improves outcomes.

This requires that CFOs learn to ‘speak the same language’ as their peers and pinpoint the delicate balance between technical and financial needs. The output boils down to answering one simple question – what is the overall impact on the business and what is our acceptable risk level?

Here are three best practices to help CFOs form a crucial alliance with CISOs:

1. Understand the current landscape and security investments

Before serving as a strategic partner to security leads, it’s important to understand how the current threat landscape can impact the business to effectively balance risk and exposure with revenue and reward, which is where the CFO can best advise the CISO.

The advent of generative AI, like ChatGPT, has the potential to increase attacks to a velocity never before witnessed in the industry.

With 70% of security leaders already claiming the volume of daily security alerts has more than doubled in the past five years, and 93% admitting they cannot address all alerts in the same day, generative AI-based threats only add to the chaos.

Legacy security tools already struggle to stop zero-day and ransomware threats, and are not equipped to properly defend against an increased level of unknown attacks.

A CFO can play a major role in helping cybersecurity teams enable the business by right-sizing security spending and holding security teams accountable for the effectiveness and use of the security tools in their arsenal.

Analysing which tools could be outdated, underutilised, or just creating noise is an area where the CFO can lend a hand and determine if investment elsewhere is needed.

2. Keep up with evolving mandates

Legislative regulations and industry mandates can be a hindrance to productivity but serve an important purpose: protecting organisations and their customers.

The CFO’s mission to ensure an organisation is fiscally responsible and secure can be helped by meeting compliance requirements. It is important for the CFO to work with the CISO to understand which regulations must be met and how they can avoid costly violations.

As a CFO, it’s also important to keep up when regulations change and when a new requirement arises. For example, all public companies must report and disclose security breaches to the Securities and Exchange Commission (SEC), requiring business leaders to quickly disclose incidents, risk management policies, and oversight at the board of director level.

As the SEC requirements continue to change, CFOs must collaborate with CISOs (and other compliance leaders) to understand how the organisation is meeting the regulations, and what may be an area of non-compliance. This, in turn, better informs CFOs of where the organisation should invest in cybersecurity.

3. Adopt a prevention-first mindset

New technology is entering the enterprise at record speeds. There is the emergence of the cloud, applications, containerisation and more, which all come with immense scale. This makes it more imperative than ever for everyone in the organisation to understand that security is a shared responsibility.

For the C-suite, playing a leadership role to better secure the organisation requires adopting a prevention-first mindset. All too often, organisations are in a reactive mode, waiting to see malware behaviour before they can stop the threat.

CFOs should be hyper-aware of how an organisation can become more proactive and focus on prevention to fight against financial loss from an attack. Working with security leaders, CFOs should have a voice to ensure that the tools and services in the company’s arsenal enable prevention.

A prevention-first approach can also improve the efficiency of security operations teams and lower the costs of response and remediation, while ensuring the security teams can focus on the most critical threats. The downstream cost savings from preventing threats before they can enter an environment are significant enough to warrant a CFO’s attention.

With these best practices in place, CFOs can build a solid foundation of cybersecurity awareness which will only strengthen their relationship with the CISO. Ultimately, the goal of these senior executives is mutual – working together to secure the business and lower risk, improving business continuity and stability.

Carl Froggett is CIO of Deep Instinct and former head of Global Infrastructure Defense, CISO Cybersecurity Services at Citi.
