If there was ever a question as to the symbiotic nature of the relationships between the chief financial officer (CFO), chief information officer (CIO) and chief information security officer (CISO), the current data security calamities of 2015 have served to remove any doubts.
The IBM X-Force Interactive Security Incidents visualization of the 53 noteworthy incidents between Jan. 1 and March 30 highlights the cost of such incidents and how they can and do have a deleterious effect on a company’s bottom line. The visualization shows the magnitude of these incidents through the millions of dollars lost. While the information security responsibilities, including incident response, undoubtedly fall within the purview of the CIO and CISO, the company’s bottom line is the direct responsibility of the CFO and the rest of the C-suite.
The aphorism, “The Golden Rule: He who has the gold makes the rules,” applies to the CFO and the resources available to the CIO and CISO to maintain the necessary level of data security required to keep the company’s assets safe and secure. As such, control over the purse strings of the company ensures CFOs have a significant role in the company’s cybersecurity.
The CFO’s Data
The CFO’s office handles some of the company’s most sensitive data on a daily basis. The CFO, working in tandem with the CIO and CISO, must ensure the information is adequately protected as the company’s financial data traverses the company’s network. Similarly, the company’s sales pipeline must accept and process business if revenue generation is to be continued. Again, the CIO and CISO must ensure the availability and accessibility of the revenue portals. It stands to reason that the CFO’s office will also wish to ensure appropriate resources have been availed to the CIO and CISO to make sure that in the event of a data breach, the appropriate incident response has been created, either internally or via a third party.
If you need convincing that the CFO’s office is being directly targeted, refer to the FBI’s January 2015 alert to businesses concerning the sophisticated targeting of businesses via email scams that target the CFO and others in the C-suite. The criminals either spoof or hack the legitimate email of the CFO and request the transfer of company assets to a third party.
The CFO and the Board
The CFO is responsible for reporting to the board about the level of risk being monitored and managed, including the company’s exposure and compliance to its data security regime. The Financial Industry Regulatory Authority provides guidance on cybersecurity practices for the financial industry, which are also appropriate for most other industries. This guidance includes the following:
- Defining a governance framework to support decision-making based on risk appetite;
- Ensuring active senior management and board-level engagement with cybersecurity issues, when appropriate;
- Identifying frameworks and standards to address cybersecurity;
- Using metrics and thresholds to inform governance processes;
- Dedicating resources to achieve the desired risk posture;
- Performing cybersecurity risk assessments.
The roles of the CIO and CISO are obvious, yet all must use the available resources in an effective and timely manner within the constraints of the company’s risk appetite.