CFO Perspective: Why CFOs Need to Stick Their Noses into Data Security

Cyber-theft of sensitive data continues to boom and affected organizations are scrambling to deal with the consequences. Wendy’s, Verizon Enterprise Solutions, UC Berkeley and even the IRS all fell victim to breaches that exposed personal records that were then sold on the dark web.

IBM’s Cost of Data Breach Study found the average consolidated total cost of a data breach in the United States is $6.5 million. This cost includes direct expenses, such as engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. It also includes indirect costs, such as internal investigations and communication, as well as the extrapolated value of lost business.

As CFOs, we are very aware of the financial damage a breach can inflict on an organization. We have to begin safeguarding our companies’ vital information as we do our companies’ physical assets such as cash and inventory. That is why we are playing a growing role in securing the enterprise’s data.

We can no longer rely solely on our CISOs and CIOs to report on our companies’ cybersecurity initiatives. It’s imperative that we educate ourselves on the cybersecurity risks and threats our companies face because the stakes are higher than ever. This is evident after reviewing the results of a recent Deloitte survey of CFOs at larger enterprises in North America. 97% of them acknowledged that cyberattacks were a major threat to their companies. However only 10% felt they were well prepared for cyber threats and 25% felt they were insufficiently prepared for a cyberattack.

One critical area we can become more involved with is our company’s cyber governance initiatives. Cyber governance, like internal controls in finance, ensures that the organization is appropriately following established standards, regulations and best practices.

Some initiatives to consider include:

• Leading the effort to map current cybersecurity policies and controls to standards such as the NIST Framework for Improving Critical Infrastructure Cybersecurity to identify gaps and weaknesses. Created through collaboration between industry and government, the Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure.
• Reporting to the Board members about the organization’s cybersecurity posture and management’s strategy to address significant gaps and weaknesses. This ensures that everyone is committed to the plan and the appropriate investments are made to safeguard sensitive data.
• Conducting periodic reviews of cybersecurity policies and controls to monitor compliance and effectiveness. This is important because the threats facing our organizations continue to evolve as cyber thieves become more determined to breach our systems. As with other internal controls, automation is key to continuous monitoring and uncovering these threats.

The cybersecurity challenges we face every day compels us to expand our role into cyber governance. Applying our experience to help protect sensitive data will hopefully eliminate any large scale data breaches and the resulting financial and reputational damage.

Click here to learn more about implementing a cyber governance program.