If there were ever a question as to the symbiotic nature of the relationships between the chief financial officer (CFO), chief information officer (CIO) and chief information security officer (CISO), the data security calamities of 2015 so far have served to remove any doubts.

The IBM X-Force Interactive Security Incidents visualization of the 53 noteworthy incidents between Jan. 1 and March 30 highlights the cost of such incidents and how they can and do have a deleterious effect on a company’s bottom line. The visualization shows the magnitude of these incidents through the millions of dollars lost. While the information security responsibilities, including incident response, undoubtedly fall within the purview of the CIO and CISO, the company’s bottom line is the direct responsibility of the CFO and the rest of the C-suite.

The aphorism, “The Golden Rule: He who has the gold makes the rules,” applies to the CFO and the resources available to the CIO and CISO to maintain the necessary level of data security required to keep the company’s assets safe and secure. As such, control over the purse strings of the company ensures CFOs have a significant role in the company’s cybersecurity.

The CFO’s Data

The CFO’s office handles some of the company’s most sensitive data on a daily basis. The CFO, working in tandem with the CIO and CISO, must ensure the information is adequately protected as the company’s financial data traverses the company’s network. Similarly, the company’s sales pipeline must accept and process business if revenue generation is to continue. Again, the CIO and CISO must ensure the availability and accessibility of the revenue portals. It stands to reason that the CFO’s office will also wish to ensure appropriate resources have been made available to the CIO and CISO so that, in the event of a data breach, the appropriate incident response capability already exists, either internally or via a third party.

If you need convincing that the CFO’s office is being directly targeted, refer to the FBI’s January 2015 alert to businesses concerning the sophisticated targeting of businesses via email scams that target the CFO and others in the C-suite. The criminals either spoof or hack the legitimate email of the CFO and request the transfer of company assets to a third party.

The CFO and the Board

The CFO is responsible for reporting to the board about the level of risk being monitored and managed, including the company’s exposure and compliance with its data security regime. The Financial Industry Regulatory Authority provides guidance on cybersecurity practices for the financial industry, which is also appropriate for most other industries. This guidance includes the following:

  • Defining a governance framework to support decision-making based on risk appetite;
  • Ensuring active senior management and board-level engagement with cybersecurity issues, when appropriate;
  • Identifying frameworks and standards to address cybersecurity;
  • Using metrics and thresholds to inform governance processes;
  • Dedicating resources to achieve the desired risk posture;
  • Performing cybersecurity risk assessments.

The roles of the CIO and CISO are obvious, yet all must use the available resources in an effective and timely manner within the constraints of the company’s risk appetite.
