Published on July 18th, 2022
5 Critical Cybersecurity Questions CFOs Should Be Asking CISOs
Even in a shrinking economy, organizations are likely to maintain their level of cybersecurity spend. But that doesn't mean that, in the current climate of burgeoning costs and a possible recession, they won't take a magnifying glass to how the money budgeted to defend systems and data is being spent. Indeed, at many companies, cybersecurity spending isn't targeting the most significant dangers, according to experts, as evidenced by the large number of successful ransomware attacks and data breaches.
Without a comprehensive understanding of the security landscape and what the organization needs to do to protect itself, how can CFOs make the right decisions when it comes to investments in cybersecurity technology and other resources? They can't.
So, CFOs need to ensure they have a timely grasp of the security issues their organization faces. That requires turning to the most knowledgeable people in the organization: chief information security officers (CISOs) and other security leaders on the IT front lines.
Here are five questions CFOs should be asking their CISOs about the security of their companies.
1. How secure are we as an organization?
This is a tough question to answer but it needs to be asked, if for no other reason than to give the CFO a sense of the level of attacks against the enterprise and what the security team is doing to protect systems and data.
"This is a question that is asked frequently of a CISO, and it's one of the most difficult questions to answer appropriately," said Michael Gordon, CFO at software company MongoDB. The ideal CISO response should be, "We have identified our crown jewels and secured them as best we can, given the resources available and the knowledge we have about the cybersecurity landscape as it is today," Gordon said.
There are several tangible metrics organizations can use to gauge the level of security risk they face. One is to have a sense of how many attacks or attempted breaches the organization has experienced.
"Many non-IT, C-level executives don't know all the attacks their organization faces," said Raj Patel, a partner and cybersecurity practice leader at consulting firm Plante Moran. "They only know of the large ones and not the ones that were blocked and resolved quickly. If they have all the data, they might [better] understand cyber spend requests."
2. What are the main security threats or risks in our industry?
This is somewhat of an extension of the previous question, but it's particularly important for CFOs in industries that are prime attack targets. Many threats and risks are aimed at specific types of companies, such as financial services firms and healthcare providers. In some cases, the actual attacks are designed for specific kinds of systems and data.
Knowing the latest trends concerning industry-specific attacks can help CFOs get a handle on what investments the organization needs to make to protect itself and mitigate risks.
"Just because it hasn't happened to your organization yet doesn't mean you are immune," Patel said. "It is just a matter of time." Understanding what's going on in the industry can help the CFO assess their organization's preparedness.
3. How do we ensure that the cybersecurity team and the CISO are involved in business development?
Security has long been viewed by many as a hindrance to innovation and productivity, but it doesn't have to be that way. CISOs have a place at the C-suite table, and CFOs can work with them to help make security a strategic part of the business.
CFOs should ask CISOs what they can do to help security teams be successful and effective, Gordon said. "This is important to make sure your CISO understands your view of this as a priority and critical to the success of the business."
Security must play a significant role in a company's evolution, business operations, and product development, said Brian Wenzel, senior vice president and CFO at financial services firm Synchrony. "It must be embedded in acquisitions, partnerships, and governance."
Savvy organizations are tackling cybersecurity and data protection issues by infusing cybersecurity efforts and awareness from every perspective and at every level, Wenzel said. "They are prioritizing data security in the C-suite to best manage and mitigate risks and threats," he said.
Historically, security was viewed by many CFOs as a cost center, Wenzel said. "But that's changing," he said. "Organizations must view security as a business development opportunity. CFOs should leverage the CISO and security efforts to grow, build, and expand the business."
4. What are the risks and potential costs of not implementing a cyber control?
Measuring return on investment with cybersecurity spending can be tricky, because the potential return takes the form of something not happening, such as an attack.
Still, it makes sense for CFOs to ask security leaders about the likelihood of a given type of attack occurring, how much it could cost the organization, and how much it would cost to prevent this type of attack.
"It might cost $1,000 to put in a device to monitor your network, but it could save you over $100,000 if you don't [have it] when an incident happens," Patel said.
Costs can also take the form of lost business following an attack.
"Customers and partners expect a great deal from any company working with personally identifiable information," Wenzel said. He noted that recent research has shown that privacy and data protection failures are a main reason that customers will leave a brand.
5. Do employees understand information security and are they implementing security protocols successfully?
A substantial share of cybersecurity risk stems from insiders. These are not necessarily malicious actions; they are often the result of negligence or human error. Regardless, organizations need to ensure employees are well aware of security risks and the proper use of technology tools and services.
Workers need to be trained about what to look for so they can avoid becoming victims of phishing and other attacks, and CFOs should be asking what needs to be done to improve awareness and education.
"That's the source of significant information leakage from organizations today. Scammers try to use the human element to obtain access to information," said Russ Porter, CFO at the Institute of Management Accountants, an association of accounting and finance professionals.
Training and awareness need to happen at every level of the organization, including the senior executives who can be the targets of specific attacks.