A CFO has a vital role to play in developing and executing on cybersecurity strategy at a business level, something which unfortunately goes overlooked by all sides in this equation. Chief Financial Officers themselves have historically seen network security solutions as a backup or reactive defense too often, and these discussions are generally passed over them to be delegated strictly to CSOs/CISOs. However, the responsibilities of accounting team leaders naturally align with the requirements of modern information security and expanding their involvement will inevitably strengthen your business’s defenses.
Here is a breakdown of the role a CFO must play in a modern cybersecurity strategy:
CFOs & Cybersecurity – By the Numbers
In a survey by risk management firm Kroll, finance leaders from companies around the world were asked to rate their confidence in their organization’s security protections compared against past attacks and damages. The results indicated a worrying dichotomy:
- 87% of CFOs were very or extremely confident in their organization’s security detection & response
- 79% had experienced at least one major cyber incident with losses in the previous 18 months
- 61% had experienced 3 major cyber incidents within the previous 18 months
The responses from those surveyed in North America were at least a little more realistic, with 55% extremely confident in their detection and response capabilities while 59% had seen 3 major security incidents in 18 months. Other data points to note include the lack of communication between IT and accounting teams, with only a fraction saying they had regular briefings.
These results reflect the impact of a lack of visibility and collaboration between information and financial roles, but with at least some reinforcement of the opposite trend as seen with the North American results. Cybersecurity needs to be an organizational focus to be effective, and adopting this approach should start with quantifying risk and managing controls. With this in mind, the following points illustrate how the CFO role fits into security policymaking, and where they can best serve in building and acting on strategy:
Modern accounting departments handle a lot of data – even a small team with just a QuickBooks subscription will be generating and sorting many files. This makes financial executives stewards of quite a bit of mission-critical information, e.g., transactional, account and personal details that need to be safeguarded. Because of this, CFOs also have first access to a level of visibility into the organization other business units generally lack, knowing the overall health of the company as well as where its most valuable tangible assets lie.
Cyber defense needs the type of insight the accounting department has over their data, but more importantly, it also requires that those handling this type of information know how to protect it. Your organization’s CFO must have a dual focus on keeping users on top of the latter while coordinating with other C-level officers to quantify risk and securing sensitive information.
If you are reading this, then you are already interacting with a SaaS solution connected to your desktop or mobile device through an external Internet pathway with some level of security controls in place. Similarly, accounting software – and all of its subsets and add-ons (AP, payroll, budgeting, etc.) – are increasingly moving to the cloud, which brings its own cybersecurity obligations. Perhaps the biggest factor to consider is that no application or piece of hardware stands on its own in a modern-day technology stack, and two-way connections bridge all of your IT assets together eventually, sometimes whether you mean them to or not.
CFOs have to be mindful that every tool their team uses is going to brush up against other parts of their infrastructure, as well as any personal devices employees may use to access company data and networks. There needs to be equal parts risk quantification of solutions, user education and coordination with IT security resources to ensure data is safeguarded against exposure.
Cybersecurity only adds onto pre-existing compliance workloads for accounting teams that are already keeping up with regulations for financial reporting, taxes, etc. The other side of this coin, of course, is that this makes CFOs best equipped to lead the way on refining data privacy controls and help the organization generate the level of visibility they need to fulfill emerging regulatory obligations.
There is growing momentum across the US to create more comprehensive cybersecurity laws, but financial agencies have taken an especially stringent stance on the extent of their enforcement. From the SEC down to regional bodies like the NYDFS, regulators are expanding upon precedent to build more direct obligations for reporting breaches and the costs they incur.
Implementing a cybersecurity strategy is an investment, so by definition it requires the CFO’s input on where the money goes and what the value return is. However, historically this is an area where the disconnect between IT and other executive leaders often comes to a head, as the full cost of a cyber incident can be harder to fully quantify against the expenses any comprehensive security solution can generate.
Your organization will need to get a better sense of potential damage that can be done if data somehow exposed or if a cybercriminal was to commit a direct theft scenario, such as wire fraud. This can be achieved through exercises that include inventorying the value of data (as well as losing any customer its tied to), calculating noncompliance fines and lawsuits, and quantifying the risk of any of these occurrences happening (and all happening at once). This will help determine how much of a hit your business could afford to take from all the costs involved – from immediate monetary damages to reputational loss – compared to how much you would need to spend on cybersecurity.
There are quite a few choices when looking into where to invest in for cybersecurity, but many are increasingly required for compliance in several industries, and often the rest are still becoming ever more useful to shore up existing gaps. Where CFOs can be most helpful here is – to reiterate the first point brought up in this article – in adopting a proactive stance on security needs and evaluating possible solutions based on this approach. An investment in network security must be treated as other mission-critical technology stack investments in the digital age, where the ROI is keeping your business profitable and competitive.
SWK Will Help Guide Your CFO on Cybersecurity Strategy
SWK Technologies knows both the security and technology needs of finance leaders as a managed service provider (MSP) and accounting software reseller, and we can leverage this knowledge to help your CFO better contribute value to your cybersecurity strategy. Reach out to our experts today and discover what your finance team needs to able to ensure your business is protected.
Contact SWK today to learn more about what your CFO and accounting team can do to reinforce your cybersecurity strategy.
Learn more about CFO cybersecurity