By Ken MacAskill, CFO, Snyk
The role of the CFO has changed significantly in our lightning-speed, digitally-transformed world. While the main responsibilities were once internally focused—balancing books and checking overhead costs—now many CFOs are finding their seats at the cybersecurity table. This focus on cybersecurity is incredibly important, as it directly affects the productivity and viability of the business: two key domains of the CFO.
Every business today is a digital one. Financial performance is densely woven into a digital ecosystem powered by the internet and the cloud. With such rich and sensitive data living in the cloud, millions of dollars are spent to protect this data. This gives the CFO increased interest in risk mitigation and achieving maximum productivity so the business runs smoothly without incident. Let’s take a look at these two factors.
CFOs aim to mitigate the risks of doing business. Their main goal is to protect the bottom line and ensure the viability of the business. Both are at stake if there is a cybersecurity attack. A recent survey found the average ransomware attack costs an organization $1.1 million and that further attacks and extortion attempts are a very likely consequence of paying the ransom.
Cybersecurity attacks are growing in sophistication and the financial impact can be devastating. Look at the recent Log4j attacks for example. We’re still evaluating the financial impact, but remember, it cost Equifax $700 million after a 2017 data breach that affected 147 million people. The FTC published a blog post reminding companies that they have a legal “duty to take reasonable steps to mitigate known software vulnerabilities.” They said there would be penalties for “companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” So, not only is the CFO looking at the cost of a security incident, but the cost of compliance if an organization does not take proper measures to reduce risk.
The CFO must be concerned with the financial implications of the attack itself, but also the legal costs and reputation damages. Consumers’ concerns about the security of their personal data following a breach have severely damaged many businesses and not all have been able to make their way back.
In the event of a data breach, the CFO will look at the impact of the intellectual property stolen. But the real financial loss is the downtime of critical systems and the lack of productivity during the outage. This is where obvious technological holes and the organization’s full risk management framework come to light. What tools did the organization invest in, what internal processes are in place, and how quickly can it resolve the situation before the business experiences further loss? This is where the CFO needs to evaluate people, processes, and tools.
As an industry, we’re currently experiencing a shortage in security professionals, putting organizations at great risk. Adding cybersecurity to the developer phase is an important opportunity to reduce risk, save on investment in security tools, and improve processes among internal IT teams.
Historically, developers created applications and then turned them over to security teams for checking and approval, who would then either send the code back for alterations or onwards to the operations team for deployment. That model is no longer viable: it simply can’t keep up with the pace of modern business. It creates bottlenecks and lost productivity. It slows down innovation and leads to frustration.
Instead, a new, more agile model of application development puts the responsibility for security into the hands of the developers themselves, from the planning stage of the application, in its code development and right through to its deployment and operation. By building security considerations into every stage of the software development lifecycle, there’s much less chance of security vulnerabilities ever appearing and, at the same time, flaws can be detected and fixes applied faster.
CFOs in the cybersecurity seat
CFOs should have a seat at the cybersecurity table to keep tabs on risk mitigation, ensure tech investments are providing returns for the company, and review internal processes so the organization is making the most of employee skill sets.
Keeping an up-to-date database of vulnerabilities that can provide steps to remediate the issues uncovered is one way to address the CFO’s risk concerns. Automated scanning increases the security of software, slashing the risk of data breaches and the consequent business disruption and reputational damage. It also yields very healthy productivity gains, which, again, is of particular interest to CFOs.
The way internal security teams are structured, and how to make the most of teams’ time and areas of knowledge, is also a key area where CFOs should pay attention. Once, scaling up security teams was a very challenging and expensive business. In more modern organizations, developers are empowered to deal with most security challenges. This allows internal security teams to focus on larger-scale problems and devote their newly freed-up time to coordinating and training developers in their security practice, as well as addressing those thorny non-technical security issues around governance and policy.
Making developers front-line guardians of security is a logical response to the shortage of cybersecurity pros, and adds cybersecurity readiness and prevention to the development phase. DevSecOps also helps the CFO look at the entire ecosystem to ensure business operations are sound and the business can flourish.