Cyberattacks can negatively impact an organization's entire ecosystem — from disrupting day-to-day operations to endangering customer privacy — all of which can contribute to weakened brand reputation and lost revenues. According to a 2021 FBI Internet Crime Report, cybercrime cost U.S. businesses $6.9 billion in one year alone. Today, cyberattacks represent a $1 trillion drag on the global economy, yet research shows the majority of organizations lack plans to both prevent and respond to a cyber incident.
Considering the high likelihood of a cyberattack impacting a particular organization, including the associated financial impacts of that cyberattack, it’s essential the chief financial officer (CFO) and the chief information security officer (CISO) closely collaborate to assess and communicate risk so they can put the necessary safeguards in place to protect the wellbeing of the business.
Risk is typically defined as the probability of an unfortunate event happening, multiplied by its potential impact. Establishing a security framework, including the policies, procedures and processes that all parties (internal and external) should follow to reduce risk levels and vulnerabilities, is a best practice that helps organizations improve their security posture.
Before developing a framework, however, it’s critical to conduct a risk assessment to gain a better understanding of the strengths and weaknesses of an organization’s entire threat environment and the potential impact on its business objectives and finances. This is where a strong partnership between the CFO and CISO can be invaluable. The results of the risk assessment will help security teams and relevant stakeholders (i.e., the C-suite and the broader finance team) make informed choices about the best security measures to mitigate potential risks and how to fund those decisions.
CFOs and CISOs must hold one another accountable for appropriate reporting when a breach occurs. For instance, a popular ride-sharing service was in the media hot seat in 2022 when it was reported that the company’s CFO and CISO were both aware of a cyber breach, but the CISO (the accountable party) failed to report it for fear the news could damage the brand. The ride-sharing company’s CISO was imprisoned for negligence — a great illustration of the necessity for the CFO and CISO to work together to quantify and report risk.
How CFOs can influence cybersecurity decisions
According to the Geneva Association, 90% of cyber risks remain uninsured. As with any risk, insurance is beneficial in mitigating worst-case scenarios resulting from a cyber threat, and CISOs are integral in determining the appropriate level of cyber insurance required for a company. Companies that neglect to appropriately assess their risks don’t know how much cyber insurance they need. According to Swiss Re, the lack of standardized data, combined with the high degree of uncertainty around expected losses, often makes cyber risks difficult to quantify. But the effort is worth it. Quantifying risk allows the CFO to help their CISO partner make an informed case for investing in the proper amount of cyber insurance, and helps prevent over- or under-protecting the company.
By leveraging corporate performance management (CPM) software, CFOs can gather an accurate reading of how estimated costs fit into the budget, or whether they might place an additional strain on projected forecasts. Through what-if scenario planning, CFOs can make strategic recommendations on new budget items that could have a positive impact in the long run but a more near-term drag on cash flow, including cybersecurity technologies or insurance.
Considering a data breach could result in a catastrophic financial loss, CFOs want and need to be aligned with the CISO on how a company is protecting its assets, including customer data. Once assets are assessed, a CISO can assign a risk quotient and, with the CFO, estimate the potential financial impact. The CISO and the CFO can then jointly present the risks, and what those risks could cost a company, in a way that is meaningful to the board.
Strengthening the CISO-CFO relationship for future success
Cyber risk is a real concern today, and to best protect the organization, CISOs and CFOs need to communicate on a regular basis to stay abreast of new potential risks and how they’re being addressed. This includes discussions on the level of residual risk and any adjustments that might need to be made to current security frameworks. If these conversations aren’t happening, both leaders are putting their organization at greater risk.
By working together, CISOs and CFOs can define risk objectives and ensure a company is fully committed, from the top down, to making cybersecurity a top priority. Together, they’re a company’s own dynamic duo in fighting cybercriminals and protecting the business and its customers.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.