Securing the C-Suite, Part 2: The Role of CFOs, CMOs and CHROs

This is the second post in a three-part series. Be sure to read Part 1 for the full story.

An Overview

A 2013 IBM report titled “Exploring the Inner Circle: Insights From the Global C-Suite Study” found that the top-performing organizations all had one quality that set them apart from their peers: collaboration. Top leadership’s view is that “the ability to collaborate is the most important factor” and that “how the members of the C-suite collaborate is as significant as the extent to which they collaborate.”

So how closely are CXOs collaborating? “The Customer-Activated Enterprise” study in 2013 asked each CXO which two colleagues they worked most closely with. While the CIO’s connection to the CFO is strong, the CIO-CMO and CIO-CHRO connections are evidently thin.


Source: IBM Institute for Business Value

Fast-forward to 2016: Three years after that global study, the level of collaboration within the C-suite does not appear to have changed much. In light of the rising importance of cybersecurity engagement within the C-suite, this is a worrisome finding.

The 2016 “Securing the C-Suite” report found that “the CFO, CHRO and CMO feel the least engaged in cybersecurity threat management activities, yet are the stewards of data most coveted by cybercriminals.”

The bleak findings continued, with almost three-fourths of CHROs, CMOs and CFOs indicating “they do not believe the cybersecurity plans include them in a cross-functional approach.” When CXOs were asked about their level of engagement in cybersecurity preparations, CFOs reported the lowest level of engagement at 38 percent, followed by CHROs at 41 percent and CMOs at 43 percent.

Chief Human Resource Officer (CHRO)

While organizations are increasing their adoption of information technology, the human side of the equation should remain a constant focus in the organization’s overall cyber risk management. The CHRO installment of the study recommended that the CHRO work closely with the CIO “to design a clear device management policy.”

Chief Marketing Officer (CMO)

The CMO installment found that “where the CMO and CIO work well together, the enterprise is 76 percent more likely to outperform in terms of revenues and profitability.”

The report also recommended that the CMO “work with the CIO to build a secure and scalable cognitive analytics capability within your organization.”

Chief Financial Officer (CFO)

A 2016 Harvey Nash cybersecurity survey found that 49 percent of cybersecurity professionals surveyed reported that CFOs had “major knowledge gaps” when it comes to cybersecurity. An article by Craig Calle put the CFO’s requirements this way: “CFOs need to step up and recognize their fiduciary duty to treat data as one of their company’s most important assets and sponsor initiatives to protect and monetize them.”

Without close collaboration from the CIO and the CISO, this task would be nearly impossible. Cybersecurity requires a symbiotic relationship between the CFO and security leaders.

Recommendations for the C-Suite

CHROs

CHROs must engage with the CIO/CISO — not just to tackle the issues around employee-owned technology such as BYOD, but also to address the need for effective, constant security awareness and anti-social engineering efforts. Technology alone cannot solve the security issue; it requires a human touch.

The 2016 “Securing the C-Suite” report commented that “as the stewards of sensitive employee personal information, which is highly coveted by hackers, CHROs should be at the forefront of their organizations’ cybersecurity efforts.”

Recommendations targeted at the HR function include protecting employees’ personal information, enforcing cybersecurity training and establishing clear job roles for all hires.

CMOs

CMOs, as consumers of increasing quantities of information including big data and the dreamy business promises of data analytics, should keep the CIO/CISO in the loop. They are allies not just from a technological enablement perspective, but also for support.

While it may be tempting to retain old customer behavior data, the concept of toxic data is something to seriously discuss with your CISO/CIO. Bruce Schneier cautioned against the thought that “because the cost of saving all this data is so cheap, there’s no reason not to save as much as possible, and save it all forever.” He warned that “what all these data breaches are teaching us is that data is a toxic asset and saving it is dangerous.”

CFOs

The CFO should work collaboratively with the CIO/CISO to “incorporate the security assessment into the enterprise risk plan as appropriate” and to “establish a security governance model and program to encourage enterprisewide collaboration.”

Be sure to check back next week for the final installment of this three-part series, “Securing the C-Suite, Part 3: All Eyes on the CEO.”

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.