With the average cost of a data breach reaching $3.62 million, there's no question that cybersecurity impacts a company's bottom line. The financial burdens of these attacks are leading CFOs, who were not traditionally part of a company's cybersecurity strategy, to step up and take a seat at the table when it comes to assessing and minimizing cyber threats.
"In the last couple of years, cybersecurity has become more of a financial issue, and has a larger financial impact on victims of attacks than previously," said Dustin Driggs, CFO of Barracuda Networks. For example, retail giant Target is set to pay an $18.5 million settlement in the wake of its 2013 hack that impacted more than 41 million customer credit card accounts. And health insurance firm Anthem agreed to settle a class action suit following the 2015 attack on its systems for $115 million.
Further, common cybercriminal attacks such as ransomware and spear phishing often have financial end goals, Driggs said. "Ransomware and spear phishing are purely financially related attacks, and involve giving money to restore your business, or creating fraudulent wire transfers," Driggs said.
And because people, especially finance teams, are the number one target within a company when it comes to cyberthreats, the CFO must be aware of all of the potential attack vectors in order to safeguard the company's assets.
"For any publicly traded company, CFOs have a fiduciary responsibility to care about cybersecurity," said Forrester analyst Jeff Pollard. "In that situation, the CFO is responsible to shareholders, so anything that erodes shareholder value—including a breach of customer data that might bring about legal and investigative costs, or theft of IP that might degrade market positioning or unique differentiators—are issues that corporate officers and directors are responsible for."
Building C-suite relationships
CFOs are entrusted to safeguard the assets of a company, both physical and digital, said Wesley Simpson, COO of ISC(2). "They're equally as important as the CEO, CIO, and even CISO," Simpson said. "I don't think a proper security plan and strategy can exist without them."
Beyond legal or regulatory accountability, relationships between CFOs and CISOs or CIOs are beneficial to both parties, Pollard said. In a cooperative relationship, the CFO can provide guidance to the CISO on the long- and short-term budgeting plans of the business, which can help dictate the choices a CISO makes when selecting technology products or services.
For example, if the CFO works with the CISO to explain that hybrid cloud and Everything as a Service options are growing portions of business unit budgets, the CISO would know that heavy on-premises spending is not the right direction to go in, Pollard said.
"CFOs manage the long- and short-term financial health of their company," Pollard said. "They can provide insight to the CISO that helps them budget, forecast, measure, and optimize the security program so that it fits in with strategic company objectives, but also fits in with the budgeting and plans of other departments inside the organization."
The CISO might be aware of their budget, and might have insight into the CIO's budget, but likely doesn't have insight into the CMO's or the COO's budget, Pollard said. The CFO can help provide that information and facilitate conversations between various leaders so all parties are pointed in the same direction.
Along with information on the latest threats, CFOs can also learn better cyber hygiene processes from the CISO or CIO, Simpson said. For example, just as the IT team may segment their network and give access only to certain users to minimize the potential for a breach, CFOs can do the same on the financial end.
"CFOs can leverage similar capabilities as IT does securing networks in terms of security assets," Simpson said. "The CFO should be working in tandem with other C-suite members to truly understand what the business needs and how they can help protect those processes."
Advocating to the board
Typically, the CIO or CISO is concerned with the technical implications of preventing cyber attacks, Driggs said. The CFO can essentially act as a translator to the CEO and board, and describe the risks at a more basic level as well as the potential costs of those risks.
"Bringing cybersecurity up a level to the C-suite and providing it to them in a framework of risk helps them to really put the investments we want to make in the right framework, so they can understand those investments versus the overall compensation structure or the R&D pipeline," Driggs said.
In this way, the CFO can act as a cybersecurity advocate to the board. "If we are hit with a cyber attack or subject to ransomware or fraud, there is certainly a financial impact and a reputation impact and a business continuity impact," Driggs said. "The CIO should view a relationship with the CFO as beneficial to them—they will get an advocate to represent their issues to the board and the C-suite for investments and awareness around the risks they are trying to mitigate for the company."
The board and C-suite ultimately hold the CFO responsible for managing the risks of the company, Driggs said. "It falls on me to make sure I'm understanding all the risks," he added. "Having these high profile attacks like Petya and WannaCry is raising the requirements of the CFO to understand the risks to the company, and help advocate and make the right investment decisions around mitigating those risks."
Alison DeNisco Rayome is a Senior Editor for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.