Cybersecurity is top of mind for nearly every business. What often gets overlooked is that simply taking action is not what matters. Every company hit with a data breach or large-scale attack likely had some security in place. Rather, the important thing is taking cohesive action.
Two publications that lead their respective industries, Harvard Business Review and Ad Age, recently posted similar articles calling out CFOs for being lax about cybersecurity. Specifically, these articles highlight the division between IT teams and executives.
Surveys show that 40% of IT professionals don't believe the C-suite takes cybersecurity seriously enough. Tech experts estimate the average data breach costs about $27m. Executives, in stark contrast, estimate the damage around $6m.
This issue is particularly pertinent to CFOs because managing financial risk is their core responsibility. As a CFO in my previous role, I fully grasp how underestimating that risk by a factor of five can have detrimental effects – but I also recognize the opportunity that CFOs have to modify their perspective and better serve their company, customers, and investors.
Today's CFOs must practice caution and look at the bigger picture
CFOs traditionally have two primary responsibilities. The first is focused on delivering robust ROI and sustained shareholder value. The second is prioritizing corporate governance and risk management. Each is an important responsibility, but that balance is shifting from the former to the latter.
Given the current cybersecurity landscape filled with highly motivated hackers and highly sophisticated attacks, companies stand to lose more from a cyberattack than they stand to gain from cutting costs. A CFO may be able to move the needle in a positive direction by cutting costs, but in doing so, they may jeopardize cybersecurity. Then, when an attack is successful, minor gains are wiped out by major losses.
Those losses are likely to increase as data security becomes a regulatory priority. The GDPR rules now in effect in the European Union are on everyone's mind, but the Securities and Exchange Commission and the Federal Communications Commission have both hinted that tougher regulations are forthcoming. The US is also becoming an active player in regulating data protection, exemplified recently by the $148m fine of Uber. What that means for companies is larger fines, deeper losses, and more embarrassment.
CFOs offer leadership and oversight, but they must also provide focus and define priorities. For CFOs with an eye on stability and sustainability, that means making cybersecurity the top concern.
Become a proactive advocate for cybersecurity
CFOs are often in the C-suite because of their experience and accomplishments. But that raises the question of why seasoned executives are underestimating the true cost of cybersecurity – to the tune of up to $26m-plus in fines. Typically, it's because they acknowledge some, but not all, costs and have yet to realize how cybersecurity can be an investment in customer retention and value.
With headlines saturated with cyberattacks, customers are more aware than ever that companies need to do more to protect their data. With the right security policies and solutions in place, you'll inspire more confidence in your brand among customers, and they'll be more understanding if an inevitable data breach occurs. But what are the right policies and solutions?
This is where alignment with CIOs and CISOs is so critical — not just in evaluating the true cost of cybersecurity, but also in ensuring that IT and security budgets are allocated to have the greatest impact on data protection and business priorities.
A CIO's or CISO's personal passion for implementing a complex IT project with a long timeline and no defined business case does not make sense in the face of increasingly sophisticated attacks. Instead, CFOs should work alongside CIOs and CISOs to define comprehensive cybersecurity strategies that fit their organizations and to build on important security fundamentals.
Investing in enterprise cybersecurity
No company can afford to invest in every available protection against every possible risk. The smarter and more fiscally responsible approach for CFOs is to focus on critical protections that integrate and safeguard against broad categories of risk, such as:
Prioritizing training and education: Employees play a contributing role in most cyberattacks, but they are also a strong defensive measure to have in the cybersecurity arsenal. Comprehensive training and education empower users to avoid threats and minimize risks.
Creating a culture of security: Cybersecurity comes from a relentless commitment. Companies with cultures of cybersecurity in place are better positioned to recognize risks and respect threats.
Keeping informed about regulations: The ever-evolving regulatory landscape is creating new obligations and new penalties around cybersecurity. Companies that do not keep abreast of these changes will never fully understand their risk exposure.
Adopting the customer's perspective: Sensitive data is more important to the people attached to it than to the companies that own it. Assessing the situation from the customer's viewpoint helps companies put adequately aggressive protections in place.
Reevaluating risks regularly: Companies may be safe one day and in peril the next as threats evolve and expand quickly. Reevaluating this risk regularly is the only way to know how vulnerable a company is and how costly an attack could be.
CFOs have an important role to play in cybersecurity, but they don't have to act alone. CIOs and CISOs are obvious allies, but cybersecurity and risk management must be priorities throughout the C-suite. When others are unconvinced about the necessity of their involvement, tie the risk of cybersecurity directly to the bottom line. When the financial future of the company is at stake, anyone and everyone can get on board.