Earlier this year, New York became the first state in the nation to establish cybersecurity regulations to protect consumers and financial institutions. The regulations stipulate that covered financial services companies must not only implement a program for preventing and responding to cybersecurity breaches, but also designate a chief information security officer.
Budget-conscious CFOs might question whether CISOs are truly needed. Shouldn’t data issues be solely the domain of IT departments? Well, until recently, they were.
How the CISO Came to Be
Just 20 years ago, the biggest data concern CFOs faced was whether transaction logs would go haywire after Y2K. Without smartphones in every pocket and data connections criss-crossing the world, firewalls were seen as sufficient barriers to hackers.
But as the digital landscape has changed, enterprise technology has struggled to keep up. Many of the systems on which companies run today weren’t designed with today’s cybersecurity challenges in mind, leaving them vulnerable to increasingly sophisticated attacks.
Now, as recent breaches suffered by Target (TGT) and The Home Depot (HD) show, attacks are whole-company concerns. After an expansive breach, the company’s brand might burn, sales might tank, and loyal customers might leave — not to mention any fines or penalties the company might incur.
Preventing and mitigating such breaches is the CISO’s job. But Deloitte researchers recently found that a CISO’s stated responsibilities and real duties rarely align. Nearly 80 percent of the CISOs Deloitte interviewed said they spend significant time chasing buy-in from executives who view cybersecurity as a technical or compliance issue.
These attitudes can turn even strong enterprises into ticking time bombs. CFOs, in particular, need to realize that the CISO’s job isn’t to keep a particular financial figure in the black. It’s to prevent a catastrophe — and, if one occurs, to mitigate it — thereby keeping the entire company’s financial figures from running red.
How CFOs Can Work with CISOs
CISOs aren’t just “security guys.” In addition to possessing the technical know-how to create and maintain cybersecurity protocols, CISOs must partner with all of a company’s C-suite stakeholders to create a culture of security.
CFOs, in particular, help CISOs prioritize effectively by connecting security risks to the bottom line. Together, they determine which cybersecurity measures best serve the company’s current and future financial interests.
CFOs can work alongside CISOs to strengthen the company’s overall cybersecurity in five primary ways:
1. Create a Security-Minded Culture.
Of the CISOs surveyed by Deloitte, 49 percent expressed doubts that they could achieve their security targets, citing a lack of organizational alignment as a key obstacle.
CFOs should make clear to their CEOs and boards that they consider cybersecurity a top priority. By pointing to the financial impacts of recent breaches, CFOs can drive home the need for organizationwide cybersecurity investments.
2. Communicate Objectives in Universal Terms.
IT jargon might seem like useful shorthand among colleagues, but it’s lost on most other departments. Together, the CISO and CFO can translate security issues into terms of risk and bottom line, preventing others from discounting them as IT items divorced from business objectives. Without the CFO’s help, the CISO’s objectives might not be treated as C-level concerns at all.
3. Establish a Clear Reporting Structure.
Holding CISOs accountable without providing the authority to do their job is a recipe for failure. CISOs shouldn’t just be seen as an extension of the CIO, CFO, CTO, or any other C-level department. Just like finance, cybersecurity is (or should be) a concern across the entire enterprise.
Poor organizational alignment can handicap the CISO’s ability to identify and communicate security issues that affect the entire organization. Whether they correspond directly with the CEO, COO, CFO, or board, CISOs should be on the same hierarchical playing field as other C-suite executives.
4. Transition from Shared to Singular Accountability.
Small companies that aren’t ready to hire a CISO or are still building their security programs sometimes form committees to address protection issues. Although this structure can work, it should be temporary.
As the organization matures, the goal should be to keep security a shared responsibility while placing accountability for it with the CISO alone. At most organizations, the CFO is best positioned to judge when the company can afford a standalone CISO role. In the meantime, CFOs can encourage peers to include security items on meeting agendas, keeping data security top of mind across the entire organization and in the boardroom.
5. Avoid the ROI “Death Spiral.”
CFOs, above all, should resist the urge to demand proof of ROI before greenlighting their CISOs’ budgets. Because the CISO’s work is largely long-term, its ROI might come years down the road. Post-spending analyses can guide future allocations and strategic decisions, but CISOs must have reasonable room to spend if they’re going to do their jobs effectively.
If you’re uncertain about whether your company needs a CISO (beyond what the law requires, at least), look through your risk management lens for a moment. Are your vendor management, software development, and security monitoring processes backed by documented, enforced security controls? If not, or if you simply don’t know, it might be time to hire a CISO.
What if, as a CFO, you realize budget constraints prevent you from hiring a CISO right away? Virtual CISO services (which are allowed by New York’s law) can temporarily fill the gap.
If you choose to hire out, however, be sure that the service you select can take on the necessary range of cultural, technical, and leadership functions. Because cloud software is quickly becoming standard in business, check that the outsourced CISO understands the shared responsibility model: which security responsibilities the cloud provider covers and which remain with the organization. Most importantly, remember that accountability for the CISO’s priorities will always lie internally, so an in-house executive should oversee the service’s processes.
Fears about Y2K seem like child’s play in the age of near-constant hacks. With mind-boggling amounts of data being created and stored digitally, and with the next multimillion-dollar breach just an insecure access point away, the CISO role is no longer a nice-to-have — it’s a financial necessity.
Brad Thies is the founder and president of BARR Advisory, a cybersecurity risk management and compliance advisory firm. Brad is a recognized thought leader on security and compliance in the cloud computing space. He is a regular guest speaker at industry events, such as ISACA conferences, and a member of the AICPA’s Trust Information Integrity Task Force. Brad’s professional advice has been featured in Entrepreneur, Cloud Computing Journal, Small Business CEO, and Information Security Buzz. Prior to founding BARR, Brad managed KPMG’s risk consulting service division. He is a CPA and CISA.