Saturday, September 15, 2018

CFOs Don’t Worry Enough About Cyber Risk Tenable

Every executive team and board of directors is asking themselves the same question in regard to their cyber risk right now: what can we do differently to avoid being the next Equifax, Yahoo! or Target, and protect our shareholder value?

The answer involves radically reframing one of the mainstays of the C-suite — the role of the CFO. It’s no longer adequate or acceptable for CFOs to simply focus on managing the financial risks of a company. In this new era, we need to team up with our CISOs to address the cyber exposure gap, the exposed surface between known threats that are addressed and those that aren’t, either because security tools are inadequate or threats are flying under the radar. The wider the gap, the greater the risk of incidents that can cost millions of dollars in cleanup, lost business, and declining stock value.

CFOs at the most risk-aware companies are applying these strategies.

Partner with your CISO.

CFOs need to join forces with CISOs in order to gain an understanding of their company’s security risk and all financial costs associated with it. Right now, there’s a disconnect between most CFOs and security practitioners when it comes to fortifying the company against cyber attacks: shows that 39% of IT practitioners don’t believe their senior management understands the impact a security breach could have on their company’s reputation. By becoming an active member of the security team, rather than just a passive observer, the CFO, along with the CEO and the rest of the C-suite, can significantly reduce revenue leakage through a more focused and effective cyber security technology portfolio. Some CFOs are working with their CISOs and CIOs to actually model their cyber exposure gap. And the most effective partnerships involve weekly cyber exposure reviews.

It’s critical for CFOs to understand where these new risks lie. We can’t ignore the security budgets and line items like we have in the past; we need to be engaged in the thinking about the strategy for the spend and for dealing with people and processes. We can’t be expected to understand the technology or how it works, but we should understand why it matters, including the role each new investment plays in closing the cyber exposure gap and setting the company up for long-term success. This requires holding our CISOs and CIOs accountable to a diversified IT security investment strategy that aligns with immediate security issues, as well as long-term digital transformation goals. With a better understanding of the cyber exposure gap and the associated financial risks, CFOs, CISOs, and CIOs can ensure that our IT security technology portfolios are built to last. Investing our security budgets in this way will not only improve our overall security posture but create dividends in the long run.

