Cybersecurity is a conversation that needs to be had at the boardroom level, as the impact of a cyberattack can have enormous consequences on customer trust, brand loyalty, and shareholder value. When the CISO starts the conversation, the CFO must be a supporter. Just as finance authority is delegated across an organization, so must cyber resilience. However, cyber risk is more complex than financial risk; one aspect of that complexity is that there are no monetary limits you can establish for who responds to a cyberattack. In other words, everyone needs to have a role and everyone owns a piece of the protection and recovery—and financial losses.
Cybersecurity goes beyond the effectiveness of the right technical controls, such as firewalls and authentication. For too many, a security event is commonly seen as the failure of technical controls, which is why the reported cost of a security breach is often considered as just the cost of the initial impact. Yet that’s only part of the financial picture, and often a small part. What is often forgotten is the aftermath of things such as regulatory fines, lawsuits, and loss of the business’s reputation.
Part of the modern-day CFO’s role is to quantify risks and inspire change by using numbers to tell the story of managing cyber risk. With a focus on data, data, data, undoubtedly the most valuable commodity for any organization, the CFO can ensure it is leveraged and analyzed to help make more efficient business decisions. Cybersecurity is one of those business decisions.
Investments in the right security are required to help protect this data. If a business survives an initial attack, the recovery time can be very long and costly. The CFO must consider data value and cost, including data breach costs, cyberattack costs, cybersecurity return on investment (ROI), prioritization of cyber initiatives, and proper vendor due diligence. The foundational mindset when it comes to cyber resilience should be prevention first. Baseline housekeeping includes running a tight IT function and maintaining patch currency, and basic cybersecurity hygiene can provide enormous benefits at a relatively low cost.
The good thing is that the CFO is not alone in this fight. CISO Rahul Khurana has reported to CIOs and CTOs in some of the organizations where he has worked. Now as the CISO for a global healthcare and defense technology company, he reports directly to the CFO. He shared his experience of being in this different reporting structure:
“Our discussions are very focused on the overall business risk. CFOs have a clear understanding of the business impact of a cyber breach (whether it’s financial, legal, reputation, and so on). It’s all about the impact on revenue. I also have an independent cyber budget; I don’t need to fight for a cyber share under a common enterprise IT budget. It’s easy to talk numbers and return on investment through cost avoidance.
“Every dollar invested in cybersecurity (people/process/technology) that eventuates in reduction of cyber incidents or an overall impact of an incident reflects a return on investment—from a monetary, risk reduction or improved maturity and capability. It makes a big difference to have direct access to the CEO and the board. They are open to innovative ideas and approach when we have a business focus mindset.”
The CFO needs to collaborate with the CISO to navigate investments and costs (such as security controls) and the complexities of financial protection (including reputational loss and lawsuits). It is important for the CFO to clearly understand how to achieve those outcomes to make the right decisions and produce proper financial forecasting. Budgets and investments in cybersecurity increase each year as new threats and defense technologies are created.
CFOs have a unique opportunity to approve funding for security solutions that will help protect a business or supplement (not replace) those solutions with a financial instrument, such as insurance. They also have to avoid overspending on products that prevent the business’s growth in the name of security. The CFO needs to balance between overspending, which leads to a false sense of security, and under financing security initiatives, which can result in a higher risk across the broader infrastructure. CFOs must recognize cybersecurity as an investment to protect against financial losses rather than a burden or expense.
This is only achievable if the CFO understands and clarifies the financial impacts of a cyber event in dollars.
A CFO’s perspective
Wayne Andrews, CFO at the University of Sydney, revealed that his key consideration in planning and budgeting for cybersecurity is to first establish the organization’s risk tolerance: “It is infinitely costly and impossible to eliminate cyber risk entirely, (although CIOs would spend any amount in pursuit of that goal), so the question is how much risk can you tolerate and what it will cost to narrow your exposure to within the tolerable range.”
The risk tolerance discussion focuses on establishing tolerance and understanding the spectrum of risk, making the expenditure level a mere consequence of the process.
Wayne finds it fanciful to attempt a cost-benefit analysis on cyber expenditure because the range of outcomes can be so broad and the consequences of an actual event so large. The absolute numbers are so asymmetrical and the probabilities are very subjective. It can only be done in a meaningful way by narrowing the range of acceptable outcomes and the cost of delivering them.
Wayne concluded, “This is important because if your starting point is to eliminate all risk, you are doomed to fail in that regard and spend much money in the pursuit of failure.”
It is like having an insurance policy and never needing to cash it in. Companies spend a lot of money, but they might not really know the full extent of the cost at the end of the day had they opted out of insurance.
Is there a way to demonstrate the number of near misses or quantify what we have saved ourselves from? Perhaps another way to look at it is by benchmarking against your peer companies cyber resilience and deciding you will be less affected by cyberattacks because you have a more substantial cybersecurity capability.
For most businesses, the objective is to be sustainable and ensure the company has a future. That half a million dollars you spend on cybersecurity risk management becomes your return on the objective. Although it might not necessarily translate to, “I just saved my company $10 million,” efforts need to meet organizational requirements to thrive.
Addressing cyber risk from a complex financial view
Wayne also offers this view: “Can an organization balance some risks against a cyber insurance policy? There is no free lunch in this regard. What insurance can do for you is deliver the funds at short notice to remediate, including ransom payments; however, insurance will not restore your business and reputation, so it is a means of smoothing cash flow rather than eliminating risk. Indeed, you will find yourself uninsurable unless you have a credible cyber risk management program.”
Regulatory compliance is one approach to building a credible cyber program. Some regulations with more comprehensive applications, such as the European General Data Protection Regulation (GDPR), might require a solid focus on potential data breaches. The GDPR has steered the topic of the regulatory necessity of data protection into every business conversation and a notification process that requires a quick turnaround. The fines are massive, and companies cannot afford to be hit by a penalty of millions of dollars.
Payment Card Industry Data Security Standard (PCI DSS) compliance (where applicable to a company) is also another useful scheme to translate security controls into actual monetary fines. PCI DSS is technical in nature and designed to protect financial information. It is in your CFO’s interest to comply with this, as enterprises will need to meet this standard to instill confidence in customers. How is your CFO currently collaborating with your CISO to oversee these compliance and cybersecurity requirements, spending, and potential losses?
We hope it is becoming clearer why the CFO’s role in cybersecurity is important. Next, we go into further detail about the relevance of the CFO’s role in building a resilient cyber-ready business.