Cybersecurity is no longer just an IT problem; it’s a cross-functional priority for the enterprise. As cyberattacks and cyber risk continue to swell, the cybersecurity consciousness among the C-suite is growing — and even CFOs are being called upon to help promote cybersecurity.
According to Sumukh Tendulkar, director of product marketing at IBM Security, today’s CFOs fall into two broad categories: Those that think of cybersecurity investments are a cost of doing business and those that realize that these efforts can be a differentiator for them.
The CFOs that fall in the second category are pushing boundaries and trying to quantify security efforts — which is very difficult, Sumukh added.
“They are trying to figure out whether they are doing the right thing, investing in the right spot and how they compare with other industries,” Sumukh said. “These are the people bringing in the red team to make sure that they are not going to wait for an attacker to hit them.”
Ten years ago, the CFO role was mostly about how to manage financial risks, but there is a new type of risk that organizations face today, said Brian Cohen, CFO at BitSight Technologies and a co-panelist at the recent MIT Sloan CFO Summit.
“If you look at the impact from missing your earnings vs. the impact of a cybersecurity breach, the amount probably is on par as far as the damage it may do to your market cap,” Cohen said.
Understanding an organization’s risk profile should therefore be a preliminary step for any business, Cohen advised. Investing in cybersecurity should be a priority for CFOs, but they must be wary of vendors who want to sell solutions that they claim to be fool proof, he added.
“There is nothing that is going to make you totally secure. Ultimately, the most important thing is be open with yourself, be honest with yourself and make sure you are having the conversations that are appropriate,” Cohen said.
Phong Le, CFO at MicroStrategy and a co-panelist during a presentation at the MIT Sloan CFO summit, advised CFOs to hire a chief information security officer to get their opinion on cybersecurity investments and then decide where they want to go from there.
But figuring out what’s the right amount that CFOs should be spending on those cybersecurity investments is tricky, experts agreed.
“I think we are all trying to figure it out. [It is important to] have a professional who is responsible for this and if you start spending 5% to 10% of what you spend in IT in this area, it is not necessarily a bad thing,” Le said.
But it is equally important to look at what organizations are gaining in return from their cybersecurity investments, Le said: “Are you seeing fewer incidents, fewer phishing attacks, and are you seeing more education of folks?”
An organization’s security profile changes every single day, so a cybersecurity budget is not something to be reviewed just once a quarter, Cohen said. CFOs should always think about how they are assessing risks, and whether the tools and solutions they are employing are actually effective, he said.
“It is up to us as managers to figure out ‘what solutions do we need, within reason, to provide the protection?’ It’s trying to do the best you can to understand what are the issues, how you are going to rectify and manage them, and constant evaluation and constant management,” Cohen said.