To Deal With Cyber Risk, CFOs and CISOs Must Speak the Same Language

In the traditional realms of cybersecurity, ‘security’ and ‘risk’ are always the predominant topics of conversation. But for FDs and CFOs, it’s even more reductive than that – everything boils down to one factor: risk.

It’s their job to be aware of the financial repercussions of every single risk an organization takes. Their approach to cybersecurity is no different. They want models that specifically demonstrate the organization’s exposure to risk in cyberspace, both internal and external.

Ignorance isn’t bliss

We constantly hear that cybersecurity should be a boardroom topic – and in most cases it is. But it’s largely a futile exercise at the moment. CISOs go into the last five minutes of a board meeting to outline their most recent cybersecurity initiatives – but no one listens.

Why? Because the board doesn’t speak the same technical language as the technology teams. As for CFOs, they need things explained in a way that translates easily into their risk-modelling frameworks.

This leaves us at a bit of an impasse. Cybersecurity teams, constantly focused on defending the company in cyberspace, become isolated from the wider organization and the implications their initiatives may have on their colleagues, particularly from a financial perspective.

They also become detached from the activity of accounts with privileged access – such as CFOs – and miss potential indicators of a security vulnerability, an impending data breach or an inside threat, such as a disgruntled employee.

Likewise, without adequate explanation as to why certain security protocols are in place, the finance function can quickly become frustrated at measures which appear to hinder their job function. They may choose to ignore them, potentially exposing the company even further to the risk of a catastrophic data breach.

Creating a dialogue

Organizations should therefore seek to create a reciprocal dialogue between these core business units, so they understand the implication of security policies on critical business accounts and transactions, and vice versa.

This means encouraging cybersecurity teams to avoid technical jargon and speak to the finance function in a language they understand, so their messages resonate more clearly. CFOs and FDs, in particular, have the best view of the entire threat landscape of their organization, so the security leadership team must be trained to converse with them in a way that provides effective defense against cyber threats.

Doing so will help both business units identify and nullify potential threats to the business – both internal and external – early, helping ring-fence security at the heart of the enterprise and prevent a costly cyber attack.

Taking a security-first approach

But that’s not enough. It’s also about educating your workforce about the implications of a constantly changing digital environment. Almost every company out there has heard the ubiquitous calls for a ‘change of attitude’ to cybersecurity by now. But how can their employees put this new attitude into action without practical guidance?

First, aside from cybersecurity awareness training, which should be a requirement for every employee, finance teams must be trained to report potential vulnerabilities and attacks as soon as possible.

Second, they should be made to consider the implications of their actions from a cybersecurity perspective. At every turn, they should think about how their actions may increase the business’ exposure to attack.

This may require involving the CISO in strategy or business development meetings, for example, as well as in board meetings, so they are aware of recent initiatives and can express their security concerns from a business viewpoint.
