Data Security Requires a Symbiotic Relationship Between the CFO, CIO and CISO

If there were ever any question about the symbiotic nature of the relationships between the chief financial officer (CFO), chief information officer (CIO) and chief information security officer (CISO), the data security calamities of 2015 to date have removed all doubt.

The IBM X-Force Interactive Security Incidents visualization of the 53 noteworthy incidents between Jan. 1 and March 30 highlights the cost of such incidents and the deleterious effect they can and do have on a company’s bottom line. The visualization shows the magnitude of these incidents in the millions of dollars lost. While information security responsibilities, including incident response, undoubtedly fall within the purview of the CIO and CISO, the company’s bottom line is the direct responsibility of the CFO and the rest of the C-suite.

The aphorism “The Golden Rule: He who has the gold makes the rules” applies to the CFO and to the resources available to the CIO and CISO for maintaining the level of data security required to keep the company’s assets safe and secure. Because they control the company’s purse strings, CFOs have a significant role in the company’s cybersecurity.

The CFO’s Data

The CFO’s office handles some of the company’s most sensitive data on a daily basis. The CFO, working in tandem with the CIO and CISO, must ensure that this information is adequately protected as the company’s financial data traverses the network. Similarly, the company’s sales pipeline must be able to accept and process business if revenue generation is to continue, so the CIO and CISO must also ensure the availability and accessibility of the revenue portals. It stands to reason that the CFO’s office will likewise want to ensure that the CIO and CISO have been given the resources to put an appropriate incident response capability in place, either internally or via a third party, before a data breach occurs.

If you need convincing that the CFO’s office is being directly targeted, refer to the FBI’s January 2015 alert to businesses concerning sophisticated email scams aimed at the CFO and others in the C-suite. The criminals either spoof or compromise the CFO’s legitimate email account and use it to request the transfer of company assets to a third party.

The CFO and the Board

The CFO is responsible for reporting to the board on the level of risk being monitored and managed, including the company’s exposure under, and compliance with, its data security regime. The Financial Industry Regulatory Authority (FINRA) provides guidance on cybersecurity practices for the financial industry that is also appropriate for most other industries. This guidance includes the following:

  • Defining a governance framework to support decision-making based on risk appetite;
  • Ensuring active senior management and board-level engagement with cybersecurity issues, when appropriate;
  • Identifying frameworks and standards to address cybersecurity;
  • Using metrics and thresholds to inform governance processes;
  • Dedicating resources to achieve the desired risk posture;
  • Performing cybersecurity risk assessments.

The roles of the CIO and CISO are obvious, yet all three executives must use the available resources effectively and in a timely manner within the constraints of the company’s risk appetite.

Christopher Burgess

CEO at Prevendra

Christopher Burgess is the CEO of Prevendra, a security, privacy and intelligence company. He is also an author, speaker and advocate for effective security strategies, be they for your company, home or family. Christopher co-authored "Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century" (Syngress, March 2008), authored the e-book "Senior Online Safety" (Prevendra, March 2014) and is the voice behind the website "Senior Online Safety." Prior to founding Prevendra, Christopher held a variety of private and public sector positions, including chief operating officer and chief security officer of Atigeo, a big data analytics company; Senior Security Advisor to the CSO of Cisco, a Fortune 100 company; and more than 30 years within the Central Intelligence Agency. The CIA awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher resides in Woodinville, WA with his family, two dogs and two horses.