Knowing The Cyber Landscape: Five Ways CFOs Can Quantify And Articulate Data Security And Privacy

By Jim DeLoach, Andersen Alumnus, founding managing director with Protiviti and Forbes Contributor

Note this article originally appeared September 8, 2020 on Forbes CFO Network and is reprinted with their permission.

Did you know that CFOs see data security and privacy to be critical priorities, often regarding them to be more vital to improve than traditional finance activities?

CFOs have an opportunity to quantify and articulate data security and privacy. For years, cybersecurity and data privacy have ranked among the top strategic risks inside boardrooms and many C-suite offices, but it may be surprising to learn that these issues also are top priorities specifically among CFOs and finance leaders. In fact, they are every bit as important as liquidity management, financial planning and analysis, and other core finance and accounting processes, according to multiple research studies (including an annual global survey of CFOs and finance leaders conducted by our firm).

Security and Privacy

Finance teams play a vital role in bolstering organizational data security and privacy capabilities. Leading CFOs are developing innovative methods for assessing, quantifying, articulating and optimizing cybersecurity investments. In addition, CFOs also must recognize their own “skin” in the cybersecurity game, as it’s essential to stay attuned to the potential for attacks targeting them personally.

With cyber threats, nothing’s changed – but everything changes

For companies worldwide, data security and privacy continue to be among their top challenges, according to the Protiviti-NC State University annual global survey of board members and C-level executives. Why? Because, despite extensive attention and resources devoted to security and privacy risks in recent years, these threats continue to evolve with regard to sophistication, intensity and attack vectors. As technology advances, so does the nature and source of attacks.

Several years ago, as companies began to defend more effectively against distributed denial of service and other malware attacks, cyber criminals shifted to phishing. As organizational communications and education efforts focused on fortifying phishing defenses, attackers pivoted to ransomware attacks. Today, more cybercriminals are exploiting COVID-19-driven economic distress by launching targeted business email compromises that leverage social engineering techniques and organizational chains of command to convince finance and accounting staffers to transfer funds to legitimate-looking accounts. Undoubtedly, new methods of attack will continue to proliferate over time.

As boards and other stakeholders become more informed about the extreme threats that cybersecurity lapses pose, their expectations are growing. Board members demand lucid, relevant and timely updates from their organizations’ CIOs and CISOs on the state of data security and privacy capabilities, as well as clear insights from their CFOs on cybersecurity investments: Are we protected? Are we spending enough? Are we investing wisely? How do we know? Furthermore, customers expect vendors (and their vendors’ vendors) to provide proof that they can secure the organizational data they access. If that’s not enough, regulators expect organizations to adhere to both the letter and the spirit of the many evolving rules and guidance they issue on data security and privacy activities and disclosures.

CFOs and their teams, working in concert with their counterparts in information security and data privacy groups, play a crucial role in satisfying all of these expectations, which drives the need for a clear understanding of the organization’s cyber risks.

Five ways to quantify and articulate cyber risks with greater precision

Stout data security and privacy defenses typically are anchored by two foundational components: (1) a current inventory of data assets that ranks or segments those assets according to their value to the organization; and (2) a framework that governs how the company prevents, detects and responds to data security and privacy breaches (e.g., the NIST Cybersecurity Framework).

While stakeholders throughout the organization help information security functions develop and advance those essential components, CFOs can strengthen their organization’s data security and privacy capabilities – and help meet board and executive management expectations – by applying their finance expertise in five key ways:

  1. Benchmark cybersecurity spending: As boards and chief executives seek to deepen their understanding of cybersecurity threats, CFOs can contribute significant value in helping CIOs and CISOs assess whether the company is allocating sufficient funds to mitigate these risks. For example, leading CFOs are benchmarking the company’s data security and privacy investments – which, in most organizations, comprise anywhere from 5% to 12% of the total IT budget – relative to industry peers. These percentages can vary greatly by industry and depending on inherent risk given the nature of the business, so it is important to calibrate this assessment properly. If a CFO discovers that only 3% of the IT budget goes toward cybersecurity while the industry average is 7%, there’s a good chance the company is underinvesting. When that’s the case, it’s important to recognize that improving the efficacy of the organization’s cybersecurity measures may require significantly higher funding – increasing the security portion of the IT budget to 10% or 12%, for example – for a couple of years before tapering it back toward the industry average of 7%.
  2. Evaluate investment allocations: Once the size of the cybersecurity budget has been assessed, CFOs should work closely with CIOs and CISOs to determine whether these funds are being invested in the right combination of capabilities (e.g., data governance, identity and access management, incident response, cyber insurance) that deliver the highest returns on investment. More boards expect management to have a firm grasp on those allocations, which help determine whether the company is spending the right amount on the right processes given the magnitude of its cyber risk exposure. For example, this analysis could identify an overinvestment in protection and detection that is leading to underinvesting in response and recovery.
  3. Monetize cyber risk: A CFO’s dollars-and-cents mindset is especially beneficial for assessing cyber risks via a quantitative versus judgmental approach so that both business value and risk value are measured the same way. Information security professionals traditionally have relied on a three-tiered risk ranking system (e.g., red, yellow, green) that offers inadequate precision regarding the financial impact cyber risks would exact if they materialized. Board members increasingly are dissatisfied with hearing that a successful cyberattack on a vendor is a “medium” risk. Instead, they want more quantifiable assessments. For example: If a particular third party suffers a breach, there’s a 30% chance that we would endure a $500,000 loss event and a 5% chance that we’d suffer a $5 million loss event. These insights should come from the CFO, and this is where quantifying cyber risks should come into play. Leading cyber risk quantification approaches rely on existing models and probabilistic simulation methods to pinpoint the cyber risk confronting an organization. This risk analysis involves a broader group of business users, asset owners and other professionals who may not have been included previously in cyber risk assessments. These stakeholders often operate closest to the at-risk data assets; thus, they know the value of what needs to be protected from a business standpoint. While these models have been deployed by leading risk management practitioners for years to other categories of risk, they are beginning to be applied to cybersecurity.
  4. Articulate cyber risk in business terms: The output of cyber risk quantification will help CFOs translate technical data security and privacy matters into business terms that resonate with board members and CEOs. In their board and C-suite updates pertaining to cybersecurity, finance leaders should keep in mind that directors and CEOs want concise answers to fundamental questions: How much would a breach cost us? Do we have enough cyber insurance? Are we doing enough to minimize risk? Are we spending enough, and are we spending on the right things? What’s the ROI of our cybersecurity spend? Quantifying cyber risks can help answer these questions in clear terms.
  5. Extending cyber risk management to third party partners … and beyond: CFOs’ cybersecurity contributions can extend beyond investment and risk management assessments to include compliance with data security and privacy policies and procedures within the finance organization’s domain. This focus covers the ever-increasing volume of sensitive data used by an expanding ecosystem of financial systems and applications as well as third parties. As organizations heighten their attention to third party risk management, finance leaders must ensure that data security and privacy matters are integrated early enough into the procurement process (a function many CFOs own). In too many cases, a vendor’s data security and privacy policies and effectiveness are treated as an afterthought as opposed to a critical selection and contracting factor.

Remember, this is personal, too

Hopefully, these recommendations offer some inspiration to CFOs to up their data security and privacy games. But there is also a more personal motivation: avoiding being victimized by a business email scam in which you “authorize” the wire transfer of $20 million to fund an urgent acquisition. Yes, CFOs and other C-suite leaders have become specific marks for such cyberattacks. Bad actors increasingly are targeting CFOs personally due to their deep institutional knowledge and privileged systems access. Phishing scams, business email compromises and other social engineering schemes directed at CFOs, other C-suite executives and key players within the finance function are surging. Greater knowledge of the cyber landscape will help CFOs and their teams keep wary and mindful of these attacks to gain access to vital data and systems.

CFOs are part of cybersecurity for the long term

CFO involvement in data security and privacy activities continues to expand, making it imperative for these executives to sharpen the finance organization’s, and their own, cybersecurity knowledge and expertise.

CFOs can no longer afford to lack a sufficient understanding of the technical aspects and requirements of appropriate security and privacy measures, nor can they continue relying solely on the data security and privacy effectiveness of their colleagues in IT and information security functions. To combat today’s evolving cyber threat landscape, traditional functional divisions and barriers must give way to collaborative integration and cooperation. The success of cybersecurity hinges not only on information security policies, processes and technologies, but also on effective benchmarking, savvy investment analysis, difficult budgeting decisions, and advanced cyber risk quantification techniques and results, all of which the CFO can deliver.