Defining the CFO’s role in building cyber resilience
Cyber risks are now among the most troublesome risks for CFOs. The CFO should be able to collaborate with the CISO and fully participate in a robust discussion about cyber risk with the board, the rest of the organization, and external stakeholders, positioning cyber risk as a business and commercial risk that is mitigated through a variety of measures, not all of which are technological.
The CFO and the finance department are highly trusted and skilled when it comes to explaining the business reasons behind the financial limits and controls they put in place; thus, they should leverage this to promote cybersecurity. In the case of an attack, the CFO will, understandably, be one of the first to evaluate the possible harm and to lead, with the CEO, both internal and external actions and messages to essential stakeholders.
The CFO can improve an organization’s cyber capabilities—and help fulfill the board and senior management expectations—in crucial ways. We will explore these in the next sections.
Benchmarking cybersecurity budgets
The CFO may assist the CIO and CISO in determining the appropriate cybersecurity budget. Leading CFOs compare their company’s cybersecurity budget to their industry peers. Magda has received continuous requests for benchmarking data from CFOs. The benchmarking requests extended beyond cyber risk mitigation to cover cyber risk transfer. If a CFO sees that the industry average for cybersecurity budgets is 10 percent of the IT budget, and their firm allocates just 1 percent of the IT budget to cybersecurity, it is likely underinvesting.
Benchmarking is a great starting point for the CFO: it helps them determine whether they are overspending or underspending, so that the budget can be adjusted before it is allocated.
Defining cybersecurity spending
The CFO needs to collaborate with the CISO to define fund allocations and spending. An organization must assess whether funds are invested in the right initiatives. This assessment helps evaluate whether the business is spending the correct amount on the proper initiatives, given its cyber risk exposure. There have been situations where companies invested in costly tools while not having cybersecurity fundamentals in place, such as vulnerability management or two-factor authentication for administrative access. Even the best tools are ineffective without basic systems to support them.
A better name for “defining spending” is “cyber spending allocation,” because the activity is really about smart allocation: how the CFO can help spread and amortize expenditures across multiple budgets, and even draw a percentage of other departments’ budgets to support security. CFOs are in a unique position to do this because they have a holistic view of the budget. They are also able to evaluate risk and apply it to the allocation of cybersecurity resources, as not every department’s needs will be equal.
Supporting cyber-risk quantification
The CFO’s dollars-and-cents attitude is handy for analyzing cyber risks using a quantitative rather than qualitative approach, ensuring that business value and risk are quantified in the same terms. Traditionally, cybersecurity professionals have not quantified cyber risk, presenting it instead using qualitative methods. While helpful, this approach is limited when objective spending assessments and prioritization are required. Risk management practitioners have used quantitative models for other types of risk for years, but they are only now being applied to cybersecurity. If the board remains unsatisfied with traditional security reporting, it may ask for cyber risk to be given the same visibility as other risk types within enterprise risk management (ERM). This requires financial figures and adequate forecasts to support strategic business decisions. The CFO should provide these insights and help quantify cyber risks in collaboration with the CISO.
Magda has collaborated with forensic accounting professionals who were able to deliver incredible insights by quantifying values based on cyber risk scenarios. For example, they were able to clearly calculate possible financial losses for all types of business interruptions, including profit loss, employees’ overtime, and third-party expenditures, among others. As the cost of protecting against cyberattacks rises, the CEO and board members can only ensure that resources are spent efficiently by measuring both the cyber risk and the organization’s risk appetite.
Risk quantification is where the finance team can most directly help the CISO. If the CISO can identify risks, the finance team can quantify their financial impacts, which helps with prioritization. Risk underpins all decisions made in an organization, and one way to quickly address risk is by transferring it.
Purchasing cyber insurance
Traditionally, CFOs purchase corporate insurance in collaboration with insurance managers. As with any type of insurance purchased on behalf of the company, they also manage the evaluation and underwriting of cyber insurance and oversee auditing, inventory, testing, and compliance. Insurance is a contract in which an organization receives financial protection or compensation from an insurance firm guaranteed in a policy. Purchasing insurance is a supplement to risk management in terms of safeguarding your company.
As cyberattacks can lead to financial losses, cyber insurance might cover those financial losses, helping with cash flow and liquidity management. A detailed and intelligent risk management strategy considers mitigation and transfers of cyber risk. There is always a residual risk that might materialize, impacting the company’s financial posture. If that risk occurs, the insurance compensates for the damages.
Insurance is an underused but important risk tool in the cybersecurity world that helps reduce risk quickly, although its price is directly correlated with the costs the organization incurs. The downsides of insurance are that it does not cover everything, and insurance companies are starting to reduce the scope of insurance payments. As with the purchase of any policy, strict scrutiny of what is and is not covered must be part of the due diligence process.
Having a solid cyber program to address security hygiene issues will help reduce insurance premiums, which offers a better ROI than spending on premiums. However, many organizations still have a blind spot that cyber insurance often does not cover: third-party risk.
Assessing third-party risks
CFOs are often key players who define the procurement process. Supply chain risks have increased tremendously, so supporting the cyber risk assessment procedures applied to vendors and suppliers before working with them should be a priority for the CFO. In some organizations, the CFO owns the third-party risk management function, while in others it is shared between the procurement team (finance), the risk team (under the CRO), and the security function (under the CISO).
Cybersecurity budgeting, spending, and risk quantification are all part of the CFO’s responsibilities in building cyber resiliency. Yet identifying and recognizing cyber risk is the role of everyone in the organization. It is, therefore, incumbent upon everyone to communicate those risks effectively. The following section provides tips for communication with your CFO.