Hadley Baldwin
Cyber attacks are becoming ever more prevalent, sophisticated and damaging. But making investment decisions in a cash-constrained environment is tough.
Balancing investment across risk reduction and value creation is key. With the cyber threat landscape evolving, the central challenge for you as a Chief Financial Officer (CFO) is how to respond and ensure external stakeholders (shareholders, auditors, insurers) are satisfied.
The resulting questions for you as a CFO include:
As with any type of investment, cyber spend must be underpinned by a business case justifying the benefits of the expense. It can sometimes be difficult to build buy-in if there has not been a recent threat or attack. This underlines the importance of having a clear and agreed cyber risk appetite and articulation of the potential risks and the impact of an attack in business terms, which could be any combination of financial, operational, compliance-related or reputational damage.
For example, what constitutes an ‘unacceptable”’ level of financial loss, relative to your annual revenue or EBIT? This will enable you to prioritize the investments required to reduce your cyber risks to acceptable levels. Understanding the typical levels of security investment required across similar organizations in your industry (for example, security spend as a percentage of revenue, or security spend as a percentage of total IT spend) can also provide a helpful reference point.
As a CFO, you should play a key role in both gauging the related financial risks and establishing the organization’s risk appetite for cyber incidents, building these into the broader business strategy. You can also judge what new cyber defence investments are genuinely critical on the one side, whilst ensuring you are making the most of existing capabilities on the other.
Hiring a good CISO with the right mandate and trusting them to get on and deliver is key to building cyber resilience. However, positioning the role of the CISO and cyber security function appropriately is not always straight forward and there is no single right answer.
Should it report to the CFO, CIO, or other? Is the role accountable to the Board and audit and risk committee? Is the role to set policies and standards (for other functions to meet) and then provide governance and assurance, or is the role to actually deliver cyber security? Is it a head of IT security, or a fully-fledged role across all aspects of cyber and information security, including human risk factors (awareness and training) and data governance?
All these models can work, and the right fit for your organization depends on the nature of your business, your approach to enterprise risk management, your risk appetite, and the other structures you have in place. In any case, the roles and responsibilities for managing and delivering cyber security capabilities must be clearly defined and understood by all those involved.
Working closely with auditors, regulators and investor relations, it’s important to have a clear story to tell about your cyber protection priorities, how you intend to achieve them and your organization’s performance against its cyber goals. Being able to clearly articulate the risks and corresponding control effectiveness in tangible business terms will help build trust and confidence across your external stakeholders, as well ensuring that you are set up to keep pace with evolving regulations. Clearly aligning your risks and controls to an industry standard cyber security framework (such as NIST) can also help to build confidence that you’re covering the bases. You should back this up with independent assurance from both internal and external auditors.
If the unthinkable happens and your critical data is held to ransom, you need to have a clear response plan that is well drilled, including clear steps for engaging external support and notifying the relevant regulatory bodies and law enforcement agencies. You should have a clear position on how you would handle such a situation, so that you do not waste time debating a course of action within your executive team. After an attack, the previous response plan should be revisited to reflect lessons on how to reduce the risk of, and enhance the response to, similar future occurrences.
At Berkeley, we have experience of helping CFOs answer these questions through all stages of their cyber journey. We can help you to:
Discover the key cyber-related questions other members of your leadership team should consider
Strengthen your security and readiness to respond. Read more.
Allocate the right roles and responsibilities. Read more.
Ensuring your supply chain security. Read more.
Know the right questions to ask to cut through the jargon. Read more.
Enhance your security and risk management. Read more.
Improve your ability to navigate the cyber landscape. Read more.
Create a culture of security across your organization. Read more.
Share: