If there was ever a question as to the symbiotic nature of the relationships between the chief financial officer (CFO), chief information officer (CIO) and chief information security officer (CISO), the current data security calamities of 2015 have served to remove any doubts.

The IBM X-Force Interactive Security Incidents visualization of the 53 noteworthy incidents between Jan. 1 and March 30 highlights the cost of such incidents and how they can and do have a deleterious effect on a company’s bottom line. The visualization shows the magnitude of these incidents through the millions of dollars lost. While the information security responsibilities, including incident response, undoubtedly fall within the purview of the CIO and CISO, the company’s bottom line is the direct responsibility of the CFO and the rest of the C-suite.

The aphorism, “The Golden Rule: He who has the gold makes the rules,” applies to the CFO and the resources available to the CIO and CISO to maintain the necessary level of data security required to keep the company’s assets safe and secure. As such, control over the purse strings of the company ensures CFOs have a significant role in the company’s cybersecurity.

The CFO’s Data

The CFO’s office handles some of the company’s most sensitive data on a daily basis. The CFO, working in tandem with the CIO and CISO, must ensure the information is adequately protected as the company’s financial data traverses the company’s network. Similarly, the company’s sales pipeline must accept and process business if revenue generation is to continue. Again, the CIO and CISO must ensure the availability and accessibility of the revenue portals. It stands to reason that the CFO’s office will also wish to ensure that appropriate resources have been made available to the CIO and CISO so that, in the event of a data breach, the appropriate incident response capability already exists, either internally or via a third party.

If you need convincing that the CFO’s office is being directly targeted, refer to the FBI’s January 2015 alert to businesses concerning the sophisticated targeting of businesses via email scams that target the CFO and others in the C-suite. The criminals either spoof or hack the legitimate email of the CFO and request the transfer of company assets to a third party.

The CFO and the Board

The CFO is responsible for reporting to the board about the level of risk being monitored and managed, including the company’s exposure and its compliance with its data security regime. The Financial Industry Regulatory Authority provides guidance on cybersecurity practices for the financial industry, which is also appropriate for most other industries. This guidance includes the following:

  • Defining a governance framework to support decision-making based on risk appetite;
  • Ensuring active senior management and board-level engagement with cybersecurity issues, when appropriate;
  • Identifying frameworks and standards to address cybersecurity;
  • Using metrics and thresholds to inform governance processes;
  • Dedicating resources to achieve the desired risk posture;
  • Performing cybersecurity risk assessments.

The roles of the CIO and CISO are obvious, yet all must use the available resources in an effective and timely manner within the constraints of the company’s risk appetite.
