How to manage escalating cyber costs when the threats continue to grow?
A perfect storm of competing priorities is colliding as CFOs navigate the increasingly treacherous waters where financial management and cybersecurity meet.
On one front, finance chiefs have long sought ways to rein in ballooning technology budgets, only to see total costs steadily rise thanks to digital transformation and the existential need to protect systems from debilitating cyber attacks.
But even as pressure builds to curtail tech spending by eliminating waste, new disclosure regulations simultaneously require ever tighter collaboration between cybersecurity response teams and financial reporting functions during security incidents.
This means widening the circle of people drawn into the scarce early hours of an incident response, at the very time stretched IT staff face potential cuts.
Now chief financial officers find themselves squeezed between two competing forces – minimizing cyber expenses while keeping investors appropriately informed of cyber risks, all while avoiding duplication between internally focused security teams and externally facing disclosure teams.
Satisfying both obligations requires a balancing act spanning governance, improved processes and cross-functional coordination. Can CFOs drive much needed savings while also elevating transparency? Or does substantively prioritizing one inherently undermine the other?
Recent data from IBM reveals that organisations globally now pay an average of $4.5 million to deal with a data breach, with US organisations incurring more than double the cost at $9.5 million.
This escalating cost is driving CFOs to scrutinize their technology spend, particularly in the area of cybersecurity. PwC’s annual Global Digital Trust Insights Survey further underscores this point, revealing that one in four companies globally have suffered a data breach that cost them between US$1 million and US$20 million in the past three years.
As a result, the majority of executives surveyed said their organizations are continuing to increase their cyber budgets, with 69% reporting an increase in 2022 and 65% planning to spend more on cyber in 2023.
CFOs have long sought greater visibility into IT budgets and aimed to eliminate excess spending, with cybersecurity clamouring for a disproportionate share of tech investment in recent years.
In fact, research suggests companies now spend over 10 percent of their total technology dollars on cyber defence. But new cybersecurity regulatory requirements and persistent threat risks make arbitrarily slashing these costs unwise.
Nonetheless, opportunities to curtail waste through better prioritization and demand discipline still likely exist, given historic budget growth.
Finding potential cost optimisation openings requires specifying which elements merit continued investment versus those providing marginal value.
For example, next-generation endpoint detection and response solutions leverage advanced behavioural analytics and automation to prevent known attack methods. These represent essential spend for threat surface hardening.
However, expenditures funding legacy signature-based antivirus solutions may provide limited additional protection. Eliminating them in favour of more advanced controls demonstrates prudent optimization.
Similarly, some industries remain highly vulnerable to attack due to cash transactions or sensitive consumer data, requiring above-average cybersecurity budgets relative to sector risk. But other sectors like manufacturing can constrict spending to focus on essential operational technology protections while minimizing general IT defence layers.
Regardless of industry, CFOs must take a data-driven assessment, align cybersecurity spend to genuine risk appetite, and underscore investments that move beyond compliance checkboxes to drive substantiated risk reduction.
In addition to managing costs, CFOs are also tasked with ensuring tighter integration of disclosure teams in early-stage cyber-response procedures.
The Securities and Exchange Commission’s new cyber-disclosure rules are pushing CFOs to develop risk and impact assessment approaches for these new cyber threats. This integration is crucial for maintaining transparency and trust with stakeholders.
According to the Global Digital Trust Insights Survey, four in five organisations believe that a comparable and consistent format for mandatory disclosure of cyber incidents is necessary to gain stakeholder confidence and trust.
But historically, cyber response teams have been disconnected from financial reporting functions and disclosure processes. New SEC guidelines demand tighter synchronization of incident handling and disclosure flows to ensure transparency obligations are met responsibly.
This requires CFOs to overhaul old assumptions that cybersecurity resides solely within the CISO’s purview while financial reporting remains finance’s exclusive domain. Cyber incidents often have financial implications, and finance teams must have visibility into cyber risks impacting the business. Breaking down outdated organisational silos becomes critical.
Specifically, disclosure and investor relations leaders must participate in key meetings and briefings during the early stages of cybersecurity incident response to fully understand potential business impacts. But this strains already scarce response resources as CISO teams tackle intrusions and simultaneously coordinate mitigation with key business stakeholders. Adding disclosure workstreams compounds demands on these critical staff.
Nonetheless, to satisfy regulatory transparency requirements while also protecting privileged response information until public disclosure, CFOs must ensure integrated processes between cybersecurity and disclosure protocols.
This likely necessitates adding formal cyber education for disclosure team members while proactively preparing graduated incident notification procedures tailored to risk levels.
The path forward lies in greater cross-functional collaboration between domains. But overcoming legacy divides between financial reporting and tech teams remains critical to successfully balancing both cybersecurity cost management and investor disclosure needs.
As cyberthreats accelerate, chief financial officers find themselves pulled between seemingly opposing mandates – curtailing fast-growing cybersecurity costs while also elevating transparency into cyber risks. Navigating this tension zone requires a balancing act spanning governance, process integration and stubbornly persistent organizational divides.
The opportunity exists to eliminate non-essential cybersecurity spend through better prioritisation and demand discipline rather than arbitrary budget cuts. But this requires data-driven assessment of existing controls and targeted programs tailored to genuine sector risks beyond checkbox compliance.
At the same time, prompt and responsible disclosure following cyber incidents has become both a regulatory obligation and reputational necessity in a connected world. But this further strains already maxed-out response teams.
Breaking down historic divides between incident responders and disclosure coordinators lays the groundwork for more integrated cyber-financial flows.
Ultimately cyber resilience and financial stewardship share the common objective of ensuring enterprise stability and longevity. Waste helps no one while transparency builds trust. With care and collaboration, CFOs can champion both — but creative leadership is essential.
By proactively addressing emerging cyber-finance tensions now, CFOs can align priorities across their expanding stakeholder ecosystem to balance indispensable cybersecurity protections with responsible transparency for the digital age ahead.