Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

DOES YOUR CFO SPEAK THE LANGUAGE OF CYBER RISK?

David Higgins, Director of Customer Development EMEA, CyberArk

In the traditional realms of cybersecurity, ‘security’ and ‘risk’ are always the predominant topics of conversation. But for FDs and CFOs it’s even more reductive than that – everything boils down to one factor: risk. It’s their job to be aware of the financial repercussions of every single risk an organisation takes and their approach to cybersecurity is no different. They want models which specifically demonstrate their exposure to risk in cyberspace, both from internal and external threats.

Ignorance isn’t bliss

We constantly hear that cybersecurity should be a boardroom topic – and in most cases it is. But it’s largely a futile exercise at the moment. CISOs go into the last five minutes of a board meeting to outline their most recent cybersecurity initiatives, but no-one listens. Why? Because the board doesn’t speak the same technical language. CFOs need things explained in a way which easily translates into their risk modelling frameworks.

This leaves us at a bit of an impasse. Cybersecurity teams, constantly focused on defending their organisation in cyberspace, become isolated from the wider organisation and the implications their initiatives may have on their colleagues, particularly from a financial perspective. They also become detached from the activity of accounts with privileged access – such as CFOs – and miss potential indicators of a security vulnerability, an impending data breach or an inside threat, such as a disgruntled employee.

Likewise, without adequate explanation as to why certain security protocols are in place, the finance function can become quickly become frustrated at measures which appear to hinder their job function and choose to ignore them, potentially exposing them even further to the risk of a catastrophic data breach.

Creating a dialogue

Organisations should therefore seek to create a reciprocal dialogue between these core business units, so they understand the implication of security policies on critical business accounts and transactions, and vice versa. This comes from encouraging cybersecurity teams to avoid technical jargon and speak to the finance function in a language they understand, so their messages resonate more clearly. CFOs and FDs in particular have the best view of the entire threat landscape of their organisation, so must train their security leadership team to converse with them in the way they want to provide effective defence against cyber threats. Doing so will help both business units identify and nullify potential threats to the business – both internal and external – early, helping ringfence security at the heart of the enterprise and prevent a costly cyber attack.

Taking a security-first approach to the enterprise

But that’s not enough. It’s also about educating your workforce to about the implications of a constantly-changing digital environment. Almost every company out there has heard the ubiquitous calls for a ‘change of attitude’ to cybersecurity by now, but how can their employees put this new attitude into action without practical guidance?

Aside from cybersecurity awareness training, which should be a requirement for every employee within the organisation, finance teams must firstly be trained to report potential vulnerabilities and attacks as soon as possible, and secondly consider the implications of their actions from a cybersecurity perspective; at every turn they should think how their actions may increase the business’ exposure to attack. This may require involving the CISO in strategy or business development meetings for example, as well as board meetings, so they are aware of recent initiatives and can express their security concerns from a business viewpoint.

Establishing exposure to risk

Up to now the process of allocating budget to cybersecurity has not been an exact science, and this has created confusion regarding ownership of the function within business. Many businesses operate without measuring their exposure to risk – meaning they don’t know how much it would cost them if a successful cyber attack took place. Given how critical it now is to the financial viability of a business, CFOs and FDs should take the lead and demand a demonstrable measure of their organisation’s risk exposure in cyberspace. Not only will this help them secure insurance policies which leave them fully covered in the event of an attack, but it will also to allow them to align the correct amount of budget to cybersecurity spend.

Cybersecurity can no longer be considered as simply a technological risk – it is now a business-critical risk. According to IBM’s latest cost of data breach study, the average cost of a data breach globally is $3.62 million – and the size of these breaches is increasing.[1] A reactive approach simply isn’t sufficient to prevent costly and irrevocable damage to an organisation, and it’s widely accepted that the senior finance team should take a leading role in helping their organisation implement a robust, pragmatic, and proactive strategy to deal with cyber threats.

This process will only work if the two critical business functions work together to create a reciprocal dialogue which is understood by both parties, formulate easily navigated frameworks, and educate the entire organisation to the scale of its threat landscape. While no protection against cyber attacks is foolproof – they are becoming more sophisticated every day – these steps are critical to effectively mitigate risk and defend against cyber threats. After all, as Ginni Romety, the CEO of IBM, said: “Cyber crime is the greatest threat to every company in the world”. So it’s worth listening.