Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Building a Cyber Resilient Business
Building a Cyber Resilient Business

Building a Cyber Resilient Business: A cyber handbook for executives and boards

Arrow left icon
Profile Icon Dr. Magda Lilia Chelly Profile Icon Tran Profile Icon Hai Tran Profile Icon Shamane Tan
Arrow right icon
$19.99 per month
Full star icon Full star icon Full star icon Full star icon Full star icon 5 (5 Ratings)
Paperback Nov 2022 232 pages 1st Edition
eBook
$29.99 $43.99
Paperback
$54.99
Audiobook
$48.99
Subscription
Free Trial
Renews at $19.99p/m
Arrow left icon
Profile Icon Dr. Magda Lilia Chelly Profile Icon Tran Profile Icon Hai Tran Profile Icon Shamane Tan
Arrow right icon
$19.99 per month
Full star icon Full star icon Full star icon Full star icon Full star icon 5 (5 Ratings)
Paperback Nov 2022 232 pages 1st Edition
eBook
$29.99 $43.99
Paperback
$54.99
Audiobook
$48.99
Subscription
Free Trial
Renews at $19.99p/m
eBook
$29.99 $43.99
Paperback
$54.99
Audiobook
$48.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Building a Cyber Resilient Business

A Modern Cyber-Responsible CFO

A Chief Financial Officer (CFO) is the senior executive in charge of a company’s financial operations. A traditional CFO will typically act as a financial controller, which is more detail-oriented, and even if they are not from a financial background, they manage just the numbers and focus on transactions. A more modern CFO will be very forward-thinking. They manage risks and the future of the business.

While the Chief Executive Officer (CEO) sets the direction, culture, and budget for the company, the CFO is the agent of change, supporting that direction, implementing the company culture, and preparing the budget for the CEO.

Enterprise Risk Management (ERM) is a strategy across an enterprise, designed to identify potential events that may affect the company’s finances, operations, and objectives and keep risk within the parameters of the company’s risk appetite. The CEO’s commitment and that of every management team member, including the CFO, are critical to the success of ERM adoption and execution.

The executive team’s contributions, particularly in risk management, are required to meet the organization’s strategic goals. Nowadays, this requires considering cyber risk and integrating it into ERM.

The CFO’s job description is straightforward: cash flow management, financial planning, and financial reporting. Furthermore, their responsibilities include determining the firm’s financial capability and taking remedial actions to effectively and efficiently manage the firm’s risk. Each company has its own set of financial modules, and ERM is implemented using these modules. ERM can be an important tool for the CFO in helping them understand the potential impact of business risks on the business’s financial standing. This means that if cyber threats pose a risk to the business, then the CFO needs to understand what this means and how it can impact the organization’s financial position.

CFOs have a big say in implementing enterprise risk management, which should include cyber risk; they control the implementation of the ERM strategy. The adoption of ERM requires financial and operational resources and a thorough assessment of the likelihood of success.

This chapter discusses the main priorities for a CEO to consider when talking about the CFO’s financial strategy and involvement in ERM. In this chapter, we’re going to cover the following topics:

  • Why the CFO should care about cybersecurity
  • The CFO’s understanding of cybersecurity
  • The aspects of cybersecurity the CFO should consider
  • Defining the CFO’s role in building cyber resilience
  • Communicating with the CFO about cyber risks
  • Questions to ask your CFO

The following section provides further details on specific areas where the CFO remains an indispensable stakeholder in cyber risk management.

Why the CFO should care about cybersecurity

As the senior executive and virtually the top-level financial controller responsible for managing the business’s economic actions and financial risks, the CFO should care about any risk that may impact the organization’s financial position, including cyber risk. They should play a crucial role in supporting an adequate cyber budget that enables building cyber resilience across the organization. If done right, the management of cyber risk can also aid in the growth of an organization as well. There is a compelling need for CFOs to have a more active role in critical business decisions beyond financial performance disclosure and to play an active role in cyber risk management is growing.

The role of the CFO in cybersecurity

There is a difference between a CFO who loves transactions, modeling, and details, and one who focuses on driving strategy and the story behind the numbers. The modern-day CFO does not just add up the numbers. They are meant to support the CEO, even when most CEOs are often more eager to take risks or find new business opportunities. The CEO is usually the one driving change, and they will want the CFO to be in their camp. The CFO is the person overseeing mergers and acquisitions and has the inspiration and motivation to take a business to the next step. They serve on the board of directors and participate in decision-making as a member of the senior executive team. As well, most organizations rank CFOs second to the CEO in any public involvement. Your CFO is your communicator.

For organizations that do not have a Chief Risk Officer (CRO), the CFO is often the one to take on that role as well. The CFO can play the role of the CRO in tackling ERM and making decisions about risk treatment, transfer, and mitigations. Therefore, in a digitally connected world with increasing levels of inherent cyber risk, the CFO is integral to building business cyber resilience.

Integrating cyber risk into ERM is gaining traction among firms; businesses are using it to detect and manage cyber risk. ERM takes a holistic approach to risk management rather than a siloed one. It necessitates the integration of various processes to quantify an organization’s exposure to uncertainties that may interfere with the business’s goals and development capabilities.

These days, cybersecurity is typically in the top five risks for a corporation. A key aspect of the CFO role is to help manage that risk. Viewing cyber risk through the lens of ERM equips the CFO to position the company to manage the strategy and plan for cybersecurity. This is a practical way to align cyber risk with how the company perceives risk in general and provides a familiar environment for the CFO to get educated about the dialog on cybersecurity in a business context.

Cyberattacks present a serious economic concern for companies and business stakeholders. While awareness is increasing around the topic, there is a risk this perspective may be misinterpreted throughout an organization if a Chief Information Security Officer (CISO) and a CFO do not communicate and discuss cyber risk effectively with every member of the organization. The lack of communication about the organization’s cyber resilience means the business may not be prepared to face cyberattacks effectively and resulting financial losses might be substantial. Those economic losses ultimately need to be quantified to support an informed decision-making process between mitigation and transfer.

Despite not being cybersecurity experts, CFOs are not in a position today to ignore the topic or continue writing it off as an IT problem. The CFO has the expertise and supervision to look at the impact of an attack on the business’s financial position in a much broader and long-term manner, going beyond the immediate concerns of data loss and operational disruption to reputational and regulatory losses, as well as the impact on share prices. At the same time, if done well, having a strong cyber posture can also aid the organization in its rapid growth as well. A company that is cyber resilient will only serve to strengthen the business and give employees the peace of mind to flourish and perform to scale.

In the next section, we explore further how a CFO’s cybersecurity understanding can support cyber resilience.

The CFO’s understanding of cybersecurity

Shamane Tan, chief growth officer at Sekuro and founder of Cyber Risk Meetup, a global community for prolific cybersecurity conversations and exchanges, and co-author of this book, commented on a discussion with the CFOs that she was involved in: “Even amongst the CFOs, they recall that the conversation about cybersecurity only started to come up a decade ago when the insurers asked corporate CFOs what the company was doing about cybersecurity.

When insurers began asking about cybersecurity over ten years ago, it was likely one of the first times CFOs would have heard about cybersecurity. It’s worth noting that these first conversations did not begin within an organization but were driven by those asking from outside the organization. Within an organization, it has not been a concern generally. Magda (co-author of this book) had a CFO mention to her that he trusted his security team and so wasn’t going to purchase cyber insurance.

With the increase in cyber risk and inevitability of cyberattacks, it is critical to understand that foolproof security does not exist. Within such a complex and interconnected environment, cybercriminals nowadays can find weaknesses within people, processes, and technology. A cyberattack can also happen through a supplier or vendor. It is just a matter of time.

A group of hackers known as “London Blue” targeted more than 50,000 finance executives, including 35,000 CFOs, with bogus requests to transfer money. The scams were estimated in an Agari report (https://www.agari.com/cyber-intelligence-research/whitepapers/london-blue-report.pdf) to have caused hundreds of thousands of dollars in damage. CFOs and the finance executives within an organization are not immune to being targeted and are not necessarily cyber-savvy to such scams. That must change.

In today’s world, insurers take cyber risks into consideration and provide cyber insurance to organizations as a risk transfer option. This requires risk profiling of a company. Cyber insurance helps CFOs to become cyber aware and requires a shift in their perception of cyber risk. This switch in mindset also correlates directly with both the frequency and the cost of cyberattacks. As a result, cybersecurity is now formed as part of the risk register.

Nevertheless, for CFOs, understanding cyber risks and cybersecurity as a whole can be a lengthy and frustrating process. Cybersecurity is complex, the solutions not always enough to mitigate risk, and confusing technical jargon are just a few of the reasons CFOs find it challenging. Your organization might have cybersecurity hardware and software to protect your business against cyberattacks. However, it only takes one weakness to incur financial losses.

People, processes, and technology are not immune to cyber threats. Specific to the finance team, phishing, social engineering, and Business Email Compromise (BEC) have been some of the most common cybercrimes. The FBI’s Internet Crime Complaint Center (ICCC) cybercrime report found BEC schemes to be the costliest of all cybercrimes, leading to losses of approximately $1.8 billion in 2020 alone.

A good example is an employee processing the payment of a fake vendor invoice, which can lead to the misdirection of tens of thousands or even hundreds of thousands of dollars. Those social engineering cyberattacks work by targeting humans and processes. This type of cybercrime has increased in recent years, and while some companies have addressed this cyber risk to prevent financial fraud/loss, others continue with their traditional approach and ignore critical cybersecurity pillars, people, and processes. “It can’t happen to us” remains the pervasive perspective.

Importantly, a CFO is not required to learn technical cybersecurity concepts. But they do need to consider cyber risks that might materialize from a weakness in people, processes, or technology. Understanding and communicating that foolproof security does not exist is among the first steps, along with increasing the budget to help address strategic initiatives. Further, it requires continuous support and the company’s readiness to respond when an attack happens.

It is also worth noting that when it comes to cyber insurance, not every single cyber event will be covered, which means that companies will not be able to transfer all of their risk through insurance. Take, for instance, a ransomware attack—insurance companies now deny insurance payouts for ransomware payments.

Yet ransomware attacks are only one cyber risk to a company. The following section outlines key aspects of cybersecurity that are helpful for CFOs to consider.

The aspects of cybersecurity the CFO should consider

Cybersecurity is a conversation that needs to be had at the boardroom level, as the impact of a cyberattack can have enormous consequences on customer trust, brand loyalty, and shareholder value. When the CISO starts the conversation, the CFO must be a supporter. Just as finance authority is delegated across an organization, so must cyber resilience. However, cyber risk is more complex than financial risk; one aspect of that complexity is that there are no monetary limits you can establish for who responds to a cyberattack. In other words, everyone needs to have a role and everyone owns a piece of the protection and recovery—and financial losses.

Cybersecurity goes beyond the effectiveness of the right technical controls, such as firewalls and authentication. For too many, a security event is commonly seen as the failure of technical controls, which is why the reported cost of a security breach is often considered as just the cost of the initial impact. Yet that’s only part of the financial picture, and often a small part. What is often forgotten is the aftermath of things such as regulatory fines, lawsuits, and loss of the business’s reputation.

Part of the modern-day CFO’s role is to quantify risks and inspire change by using numbers to tell the story of managing cyber risk. With a focus on data, data, data, undoubtedly the most valuable commodity for any organization, the CFO can ensure it is leveraged and analyzed to help make more efficient business decisions. Cybersecurity is one of those business decisions.

Investments in the right security are required to help protect this data. If a business survives an initial attack, the recovery time can be very long and costly. The CFO must consider data value and cost, including data breach costs, cyberattack costs, cybersecurity return on investment (ROI), prioritization of cyber initiatives, and proper vendor due diligence. The foundational mindset when it comes to cyber resilience should be prevention first. Baseline housekeeping includes running a tight IT function and maintaining patch currency, and basic cybersecurity hygiene can provide enormous benefits at a relatively low cost.

The good thing is that the CFO is not alone in this fight. CISO Rahul Khurana has reported to CIOs and CTOs in some of the organizations where he has worked. Now as the CISO for a global healthcare and defense technology company, he reports directly to the CFO. He shared his experience of being in this different reporting structure:

“Our discussions are very focused on the overall business risk. CFOs have a clear understanding of the business impact of a cyber breach (whether it’s financial, legal, reputation, and so on). It’s all about the impact on revenue. I also have an independent cyber budget; I don’t need to fight for a cyber share under a common enterprise IT budget. It’s easy to talk numbers and return on investment through cost avoidance.

“Every dollar invested in cybersecurity (people/process/technology) that eventuates in reduction of cyber incidents or an overall impact of an incident reflects a return on investment—from a monetary, risk reduction or improved maturity and capability. It makes a big difference to have direct access to the CEO and the board. They are open to innovative ideas and approach when we have a business focus mindset.” 

The CFO needs to collaborate with the CISO to navigate investments and costs (such as security controls) and the complexities of financial protection (including reputational loss and lawsuits). It is important for the CFO to clearly understand how to achieve those outcomes to make the right decisions and produce proper financial forecasting. Budgets and investments in cybersecurity increase each year as new threats and defense technologies are created.

CFOs have a unique opportunity to approve funding for security solutions that will help protect a business or supplement (not replace) those solutions with a financial instrument, such as insurance. They also have to avoid overspending on products that prevent the business’s growth in the name of security. The CFO needs to balance between overspending, which leads to a false sense of security, and under financing security initiatives, which can result in a higher risk across the broader infrastructure. CFOs must recognize cybersecurity as an investment to protect against financial losses rather than a burden or expense.

This is only achievable if the CFO understands and clarifies the financial impacts of a cyber event in dollars.

A CFO’s perspective

Wayne Andrews, CFO at the University of Sydney, revealed that his key consideration in planning and budgeting for cybersecurity is to first establish the organization’s risk tolerance: “It is infinitely costly and impossible to eliminate cyber risk entirely, (although CIOs would spend any amount in pursuit of that goal), so the question is how much risk can you tolerate and what it will cost to narrow your exposure to within the tolerable range.

The risk tolerance discussion focuses on establishing tolerance and understanding the spectrum of risk, making the expenditure level a mere consequence of the process.

Wayne finds it fanciful to attempt a cost-benefit analysis on cyber expenditure because the range of outcomes can be so broad and the consequences of an actual event so large. The absolute numbers are so asymmetrical and the probabilities are very subjective. It can only be done in a meaningful way by narrowing the range of acceptable outcomes and the cost of delivering them.

Wayne concluded, “This is important because if your starting point is to eliminate all risk, you are doomed to fail in that regard and spend much money in the pursuit of failure.

It is like having an insurance policy and never needing to cash it in. Companies spend a lot of money, but they might not really know the full extent of the cost at the end of the day had they opted out of insurance.

Is there a way to demonstrate the number of near misses or quantify what we have saved ourselves from? Perhaps another way to look at it is by benchmarking against your peer companies cyber resilience and deciding you will be less affected by cyberattacks because you have a more substantial cybersecurity capability.

For most businesses, the objective is to be sustainable and ensure the company has a future. That half a million dollars you spend on cybersecurity risk management becomes your return on the objective. Although it might not necessarily translate to, “I just saved my company $10 million,” efforts need to meet organizational requirements to thrive.

Addressing cyber risk from a complex financial view

Wayne also offers this view: “Can an organization balance some risks against a cyber insurance policy? There is no free lunch in this regard. What insurance can do for you is deliver the funds at short notice to remediate, including ransom payments; however, insurance will not restore your business and reputation, so it is a means of smoothing cash flow rather than eliminating risk. Indeed, you will find yourself uninsurable unless you have a credible cyber risk management program.

Regulatory compliance is one approach to building a credible cyber program. Some regulations with more comprehensive applications, such as the European General Data Protection Regulation (GDPR), might require a solid focus on potential data breaches. The GDPR has steered the topic of the regulatory necessity of data protection into every business conversation and a notification process that requires a quick turnaround. The fines are massive, and companies cannot afford to be hit by a penalty of millions of dollars.

Payment Card Industry Data Security Standard (PCI DSS) compliance (where applicable to a company) is also another useful scheme to translate security controls into actual monetary fines. PCI DSS is technical in nature and designed to protect financial information. It is in your CFO’s interest to comply with this, as enterprises will need to meet this standard to instill confidence in customers. How is your CFO currently collaborating with your CISO to oversee these compliance and cybersecurity requirements, spending, and potential losses?

We hope it is becoming clearer why the CFO’s role in cybersecurity is important. Next, we go into further detail about the relevance of the CFO’s role in building a resilient cyber-ready business.

Defining the CFO’s role in building cyber resilience

Cyber risks are now one of the most troublesome risks for CFOs. The CFO should be able to collaborate with the CISO and fully participate in a robust discussion about cyber risk with the board, the rest of the organization, and external stakeholders and position it as a business and commercial risk, mitigated through a variety of measures, not all of which are technological.

The CFO and the finance department are highly trusted and skilled when it comes to explaining the business reasons behind the financial limits and controls they put in place; thus, they should leverage this to promote cybersecurity. In the case of an attack, the CFO will, understandably, be one of the first to evaluate the possible harm and to lead, with the CEO, both internal and external actions and messages to essential stakeholders.

The CFO can improve an organization’s cyber capabilities—and help fulfill the board and senior management expectations—in crucial ways. We will explore these in the next sections.

Benchmarking cybersecurity budgets

The CFO may assist the CIO and CISO in determining the appropriate cybersecurity budget. Leading CFOs compare their company’s cybersecurity budget to their industry peers. Magda has received continuous requests for benchmarking data from CFOs. The benchmarking requests extended beyond cyber risk mitigation to cover cyber risk transfer. If a CFO sees that the industry average for cybersecurity budgets is 10 percent of the IT budget, and their firm allocates just 1 percent of the IT budget to cybersecurity, it is likely underinvesting.

Benchmarking is a great starting position for the CFO and helps them determine whether they are spending too much or if they are underspending. This will then help adjust the budget before allocation.

Defining cybersecurity spending

The CFO needs to collaborate with the CISO to define fund allocations and spending. An organization must assess whether funds are invested in the right initiatives. This assessment helps evaluate whether the business is spending the correct amount on the proper initiatives, given its cyber risk exposure. There have been situations where companies invested in costly tools while not having cybersecurity fundamentals in place, such as vulnerability management or two-factor authentication for administrative access. Even the best tools are ineffective without basic systems to support them.

“Defining spending” should be renamed “cyber spending allocation,” which talks about smart allocation and how the CFO can help spread and amortize expenditures across multiple budgets, and even allocate percentages of spending from other departments’ budgets to help with security. CFOs are in a unique position to do this because they have a holistic view of the budget. They are also able to evaluate risk and apply it to the allocation of cybersecurity resources as not every department’s needs will be equal.

Supporting cyber-risk quantification

The CFO’s dollars-and-cents attitude is handy for analyzing cyber risks using a quantitative rather than qualitative approach, ensuring that business and risk values are quantified equally. Traditionally, cybersecurity professionals have not quantified cyber risk, presenting it instead using qualitative methods. While helpful, this approach is limited when requiring objective spending assessments and prioritization. While risk management practitioners have used these models for other types of risk for years, they are only now being applied to cybersecurity. Once presented, if the board remains unsatisfied with traditional security reporting, it may look at aligned visibility with other risk types as part of ERM. This requires financial figures and adequate forecasts to support their strategic business decisions. The CFO should provide these insights and help quantify cyber risks in collaboration with the CISO.

Magda has collaborated with forensic accounting professionals who were able to deliver incredible insights by quantifying values based on cyber risk scenarios. For example, they were able to clearly calculate possible financial losses for all types of business interruptions, including profit loss, employees’ overtime, and third-party expenditures, among others. This demonstrates that the CEO and board members can only guarantee that resources are spent efficiently by measuring both the cyber risk and the organization’s risk appetite as the cost of protecting against cyberattacks rises.

Risk quantification is really important and is how the finance team can help the CISO here. If the CISO can identify risks, then the finance team can quantify financial impacts, which helps with prioritization. Risk underpins all decisions made in an organization, and one way to quickly address risk is by transference.

Purchasing cyber insurance

Traditionally, CFOs purchase corporate insurance in collaboration with insurance managers. As with any type of insurance purchased on behalf of the company, they also manage the evaluation and underwriting of cyber insurance and oversee auditing, inventory, testing, and compliance. Insurance is a contract in which an organization receives financial protection or compensation from an insurance firm guaranteed in a policy. Purchasing insurance is a supplement to risk management in terms of safeguarding your company.

As cyberattacks can lead to financial losses, cyber insurance might cover those financial losses, helping with cash flow and liquidity management. A detailed and intelligent risk management strategy considers mitigation and transfers of cyber risk. There is always a residual risk that might materialize, impacting the company’s financial posture. If that risk occurs, the insurance compensates for the damages.

Insurance is an uncommon but important risk tool in the cybersecurity world that helps quickly reduce risk; it does have a direct correlation to the costs incurred by the organization. The downsides of insurance are that it does not cover everything, and insurance companies are starting to reduce the scope of insurance payments. As with the purchase of any policy, strict scrutiny of what is and is not covered must be part of the due diligence process.

Having a solid cyber program to address security hygiene issues will help to reduce insurance premiums, which offers a better ROI than spending on premiums. However, there is still a blind spot for many organizations, one that is often not covered by cyber insurance, and that is third-party risks.

Assessing third-party risks

CFOs are often key players who defines the procurement process. Supply chain risks have increased tremendously, and thus supporting cyber risk assessment procedures undertaken on your vendors and suppliers before working with them should be a priority for the CFO. In some organizations, the CFO owns the third-party risk management function, while in others, this can be shared between the procurement team (finance), risk team (under the CRO), and also the security function (under the CISO).

Cybersecurity budgeting, spending, and risk quantification are all part of the CFO’s responsibilities in building cyber resiliency. Yet identifying and recognizing cyber risk is the role of everyone in the organization. It is, therefore, incumbent upon everyone to communicate those risks effectively. The following section provides tips for communication with your CFO.

Communicating with the CFO about cyber risks

Shamane explains, “Language is important. Traditionally, the CFO has always been familiar with ROI. However, it can be a challenge for many to quantify the return on investment in cybersecurity.

Often, cybersecurity is under the surface, not recognizable or acknowledged, but protecting the company from cyber threats. There could be all this activity going on, but the CFO may not see any positives from it, as they are not aware of how many incidents were avoided or how many near misses there were. The CFO sees it for what the tools cost the company, not what it has saved the company.

As many CFOs have shared with Shamane, “you can usually measure the cost to the organization after an attack, but if the company has not been compromised, how would one know what cost has been saved?

So how do others in an organization assess cybersecurity threats and needs? Measurements such as lead and lag indicators can be helpful in assessing this. Your lag indicators are your after-the-fact financial fines and the cost of responding to an incident that can be seen, for which we have available quantifiable measures.

Lead indicators, on the other hand, involve the use of loss-curve projections or Factor Analysis of Information Risk (FAIR), which falls within the “traditional” risk calculation of likelihood and impact. FAIR is a known quantitative model for information security and operational risk. FAIR offers a paradigm for understanding, assessing, and measuring cyber and operational risks in financial terms.

The good news is innovative quantification methods are emerging. One way to quantify cyber risk—developing a cyber-specific loss curve—can help companies develop a meaningful capital risk framework for cyber and answer those difficult questions, including ROI. Additionally, scenario building can be used to understand the consequences of cyberattacks and ensure accurate modeling for cyber risk quantification.

Moving from qualitative to quantitative frameworks for cyber risk is a journey in itself. However, quantitating the risk provides the ground for a better discussion with your CFO. It takes practice and a different perspective, but it’s considerably more successful in gaining comprehension and keeping your CFO’s attention on the topic.

Magda has long practiced cyber risk quantification and firmly believes it empowers security professionals to communicate efficiently with business stakeholders and align cybersecurity strategies with business goals. After all, assessment is only one element. It must be presented to the CFO. In doing so, avoiding technical cybersecurity language when discussing or giving advice to the CFO, who doesn’t have a background of cybersecurity expertise, is critical to guarantee they understand cyber risks and can take part in a discussion. Therefore, the facts must be delivered in a language they can comprehend for them to confidently understand the topic and especially the requests, if any. This is where cyber risk quantification is used. It aligns with the CFO’s language—financial losses.

Thus, when starting a discussion with your CFO, it is crucial to leverage familiar topics to find a middle ground. Cybersecurity is a complex topic for a CFO, as is financial planning for cybersecurity professionals. The goal is for the CEO and CISO to collaboratively consider various factors of the CFO’s recommendations to understand the actual financial implications of costs and losses if a security incident or data breach occurs.

Economic costs

Financial costs can be straightforward, and immediate, as penalties and fines. Then there are the notification costs, which can include necessary fees, charges, and expenses incurred to notify individuals, regulatory bodies, and other parties that require notification of a breach. Then there are cost-related activities as a result of replies to inquiries and other matters of clarification and legal consequences.

Data breach costs might include forensic investigations, with potential outcomes an apology in the form of compensation, a change in procedures, improvement of security safeguards, and/or payment of compensation for loss or damage suffered. In Japan, for example, apology money is paid to affected individuals. All these factors directly and indirectly increase the company’s financial losses following a data breach and should be assessed as part of the total data breach cost.

In the case of a successful cyberattack in general, a business might suffer significant impacts, such as disruption to core systems, corruption of databases, business paralysis, and so on. Traditionally, security incident impacts are classified as financial, reputational, and legal. However, if not quantified, it might lead to a lack of accurate cost visibility.

Additional economic costs include financial losses arising from direct and indirect costs and third-party costs. Besides the immediate disruption, employee overtime, communication costs, direct costs (recovery costs), and share value loss might also arise. There is also the potential loss of customers, loss of sales, and a reduction in profits in the medium timeframe. This might result in a drop in market share, valuation, or a delay in an initial public offering (IPO).

In the case of a successful cyberattack involving ransomware, the organization might face business interruption or operations paralysis, both of which have financial implications.

One of the goals of communicating with the CFO and appealing to them in language that they understand—financial losses—also serves to redirect the mindset they have when it comes to cybersecurity and resilience.

Mindset

There has been an intentional shift in recent years to focus the needs of cybersecurity on the return of value (ROV) or return on objective (ROO). Think about it from the perspective of a nation’s defense strategy. Billions are pumped into military strategies and advanced artillery warfare equipment in a bid to be prepared to fight a war and save as many lives as possible if it ever comes to it. We never hope for war, but we still prepare for it.

This section discusses a new perspective and an innovative approach to the assessment of cyber risk into the financial function. Traditional cybersecurity frameworks did not empower security professionals to lead business discussions and created various challenges for business stakeholders to recognize the value and necessity of cybersecurity. Quantifying plausible financial losses and discussing them in terms of cyber risk scenarios are key factors in facilitating collaboration between security, finance, and ERM. Fortunately, there are questions designed to draw out your CFO’s views and understanding of cyber risk and also challenge them on ways they should take a more active role in advocating for cybersecurity.

Questions to ask your CFO

These questions will help facilitate a healthy discussion with your CFO and explore ways they can work more effectively with other executives in addressing your organization’s cyber resilience gaps and uplift program.

  • Have you considered cyber risk as a part of ERM?
  • As a CFO who manages the financial risk within an organization, how can you become a champion of security in the boardroom?
  • How can you shift your starting point from eliminating all risks to narrowing the range of acceptable outcomes?
  • How do you understand the implementation of cybersecurity hygiene? Is it more than just firewalls and authentication?
  • How do you ensure cyber risk quantification and financial optimization?
  • Are you confident that cyber risk needs to be addressed with a balance between mitigation and transfer? Have you considered cash flow management and risk transfer through cyber insurance?
  • How are you working with the CISO and CIO/CTO to adhere to regulatory requirements such as GDPR and PCI-DSS requirements?
  • How much time are you spending with the CISO and CIO to do a business review of the cybersecurity environment?

Summary

In this chapter, we addressed that CFOs must recognize that the danger to cybersecurity is constant—attacks continually test the defenses of both big and small firms. CFOs must also consider the possibility they have been already compromised and are unaware of it. A perimeter of defense doesn’t exist anymore, with employees working remotely permanently or more often. This has a significant impact on business exposures and cyber risk.

CFOs and finance executives must consider cybersecurity risks and use it to reframe and reposition cybersecurity management as a strategic business risk. CFOs must assist in risk management by ensuring that an organization has appropriate resources allocated to all categories of risk management, including cyber risk.

Finance plays a critical role in risk assessment and governance throughout an organization. Cyber is one of these risks, but given the potential for monetary loss, it should be one that finance has a significant influence on.

In the next chapter, we will discuss the role of the Chief Risk Officer. This chapter will identify the biggest challenges and misconceptions currently faced when it comes to cyber risk and ERM.

Left arrow icon Right arrow icon

Key benefits

  • Enable business acceleration by preparing your organization against cyber risks
  • Discover tips and tricks to manage cyber risks in your organization and build a cyber resilient business
  • Unpack critical questions for the C-suite to ensure the firm is intentionally building cyber resilience

Description

With cyberattacks on the rise, it has become essential for C-suite executives and board members to step up and collectively recognize cyber risk as a top priority business risk. However, non-cyber executives find it challenging to understand their role in increasing the business’s cyber resilience due to its complex nature and the lack of a clear return on investment. This book demystifies the perception that cybersecurity is a technical problem, drawing parallels between the key responsibilities of the C-suite roles to line up with the mission of the Chief Information Security Officer (CISO). The book equips you with all you need to know about cyber risks to run the business effectively. Each chapter provides a holistic overview of the dynamic priorities of the C-suite (from the CFO to the CIO, COO, CRO, and so on), and unpacks how cybersecurity must be embedded in every business function. The book also contains self-assessment questions, which are a helpful tool in evaluating any major cybersecurity initiatives and/or investment required. With this book, you’ll have a deeper appreciation of the various ways all executives can contribute to the organization’s cyber program, in close collaboration with the CISO and the security team, and achieve a cyber-resilient, profitable, and sustainable business.

Who is this book for?

This book is for the C-suite and executives who are not necessarily working in cybersecurity. The guidebook will bridge the gaps between the CISO and the rest of the executives, helping CEOs, CFOs, CIOs, COOs, etc., to understand how they can work together with the CISO and their team to achieve organization-wide cyber resilience for business value preservation and growth.

What you will learn

  • Understand why cybersecurity should matter to the C-suite
  • Explore how different roles contribute to an organization's security
  • Discover how priorities of roles affect an executive's contribution to security
  • Understand financial losses and business impact caused by cyber risks
  • Come to grips with the role of the board of directors in cybersecurity programs
  • Leverage the recipes to build a strong cybersecurity culture
  • Discover tips on cyber risk quantification and cyber insurance
  • Define a common language that bridges the gap between business and cybersecurity

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Nov 04, 2022
Length: 232 pages
Edition : 1st
Language : English
ISBN-13 : 9781803246482
Category :
Concepts :

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Nov 04, 2022
Length: 232 pages
Edition : 1st
Language : English
ISBN-13 : 9781803246482
Category :
Concepts :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 145.97
Mastering Cyber Intelligence
$48.99
Building a Cyber Resilient Business
$54.99
Cybersecurity – Attack and Defense Strategies, 3rd edition
$41.99
Total $ 145.97 Stars icon

Table of Contents

13 Chapters
Chapter 1: The CEO Cyber Manual Chevron down icon Chevron up icon
Chapter 2: A Modern Cyber-Responsible CFO Chevron down icon Chevron up icon
Chapter 3: The Role of the CRO in Cyber Resilience Chevron down icon Chevron up icon
Chapter 4: Your CIO—Your Cyber Enabler Chevron down icon Chevron up icon
Chapter 5: Working with Your CISO Chevron down icon Chevron up icon
Chapter 6: The Role of the CHRO in Reducing Cyber Risk Chevron down icon Chevron up icon
Chapter 7: The COO and Their Critical Role in Cyber Resilience Chevron down icon Chevron up icon
Chapter 8: The CTO and Security by Design Chevron down icon Chevron up icon
Chapter 9: The CMO and CPO—Convergence Between Privacy and Security Chevron down icon Chevron up icon
Chapter 10: The World of the Board Chevron down icon Chevron up icon
Chapter 11: The Recipe for Building a Strong Security Culture—Bringing It All Together Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Full star icon Full star icon Full star icon Full star icon 5
(5 Ratings)
5 star 100%
4 star 0%
3 star 0%
2 star 0%
1 star 0%
Susan Jul 07, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I didn't know much about the business side of Cybersecurity going into this book, but it gave me a better understanding of how to talk to executives about Cyber risks and how to get more for the security program.
Amazon Verified review Amazon
Dwayne Natwick May 24, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I recently had a look at Building a Cyber Resilient Business from Packt and written by Dr Magda Chelly, Shamane Tan, and Hai Tran. This is an excellent guide that aligns the responsibilities of cyber security and resilient to the various C-level roles within an organization. It goes beyond the typical frameworks and tools for a more practical understanding. There are even some roles within this book that you would not think about their responsibilities for cyber resilience. This book is easy to follow with practical guidance and helpful information throughout. A must have for people that are in a leadership position within a company.
Amazon Verified review Amazon
Prashant Feb 23, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I really like how the book touches upon various regional aspects; from different areas of focus to some of the shortcomings, and this is helpful to any level of reader – board, CEO, and the rest of the C-Suite.The chapter for boards is also an excellent read and simple to understand. I like that it provides key emphasis on how both the directors and management should be cyber aware, from their role in cybersecurity to helping board and non-cyber management understand cyber risk, to providing strategic direction in ensuring the organisation is cyber resilient.This is crucial especially in light of the release from the U.S. Securities and Exchange Commission (SEC) on their proposed new rules requiring U.S. public company boardroom disclosure of corporate directors with cybersecurity expertise, which happens to also align nicely with one of the topics highlighted in the book, “The CISO’s Seat at the Table”. Great work authors!
Amazon Verified review Amazon
Daniela R. Nov 17, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
How would you define and communicate cyber risk to the board in terms of business impacts? This book creates a roadmap for c-suite and board comms around cyber risk. The authors define the roles and collaborative responsibilities of c-suite actors in the context of defining communicating and managing cyber risks effectively to build resilience and sustainable policies, procedures, controls and training. Chapter 1 contextualises cyber risks as being not just the CISO’s job, but encourages CISOs and CEOs to regularly reflect on how broader economic, political, social and environmental trends are impacting the organisation’s strategy.The chapter on building a strong and positive security culture discusses shaping collaboration and understanding between developers, security teams, and operational teams by promoting security by design; secure coding practices and robustness of a secure software development lifecycle are fundamental to promoting a DevSecOps culture within the organisation. I’d love to read more about how the authors view the role of human risk management within this context. Some great recommendations given include avoiding ‘blame and shame’ comms. This is critical to building a positive and inclusive security culture and the authors explain how crucial the involvement of the CMO and CHRO are in promoting engagement and inclusion, especially in relation to privacy regulation and legislation, such as The GDPR.Dr Magda Chelly has spoken widely about inclusion and engagement, and I was really interested in what she says about interactive, gamification of security and awareness training, especially how role-play activities like phishing email writing can help staff identify red flags by playing the role of the attacker to enable empathy and proceduralisation of training objectives, rather than submitting staff to a one-size-fits-all security training package.The ’Questions to ask your CEO/CISO, COO….’ as well as ‘Questions to as yourself, as a CEO’ sections within each chapter are really useful tools to promote productive and empathetic communication around cyber resilience, and ones I will definitely be referring to.
Amazon Verified review Amazon
Anonymous Nov 08, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This is an excellent book written for the executives and the board- who are accountable for their business' cyber resilience and hygiene. If there's a corporate team huddle of the CxOs on agreeing to doing their part in cyber scrutiny and handling cyber risks, this book is apt, concise and answers the Why, What, How, and also the what not to do! I wish the authors also included a self-evaluation questionnaire of the CxO role-specific cyber awareness and actionable insights in fortifying themselves so that their business is cyber resilient!
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.