Why CFOs Need to Start Paying Attention to Security
The current cyber security landscape is bringing itself to the forefront of company priorities, especially CFOs.
The reason for this can be attributed to the coming trends in security, especially in the way that the current state of security and the coming changes impact the bottom line of an organization. As companies start to pay more attention to security, CFOs need to pay attention to the impact of their security spend.
But why now? Here are our top five reasons for CFOs to start tuning in to cyber security.
Your Customers Care About Security
Almost every organization is interconnected with its business partners, clients, and suppliers through technology. If your organization sells through business-to-business relationships, these interconnections can create a breeding ground for cyber attacks. One partner or supplier’s vulnerability can become your own.
Because of this, your customers and partners are increasing the security requirements their business partners must meet. As a CFO, this can have a few impacts:
1. Last-minute fixes can be expensive to implement, which can destroy your margin and overall financials on a deal.
2. When a prospect gives you a long list of security conditions before doing business with you, this can impact your timeline and slow revenue acquisition and/or recognition.
3. Many security requests are often associated with a certain type of security certification such as ISO 27001 or SOC. This means that these changes are meant to exist perpetually in your security environment, even after the deal is closed. They can impact your bottom-line costs, especially if they’re not operationally efficient.
4. Companies are removing liability caps on cyber insurance in B2B contracts. If your organization isn’t secure, you’ll have to pay a lot for cyber insurance.
The AICPA Cares About Security
As noted in the previous point, customers care more and more about the security of their potential service providers. They want proof, usually in the form of a certification or compliance with specific best practices.
One such framework growing in popularity is AICPA’s (American Institute of Certified Public Accountants) cyber security reporting framework. The key component of this framework is the SOC (System and Organization Controls) for cyber security process.
These processes and engagements are performed by accounting firms and require a CPA to report on the enterprise-wide cyber security risk management program.
Because of the skill sets and relationships with accounting firms required to perform these reporting activities, this often falls into the lap of the CFO to arrange and figure out.
Be Prepared for Unexpected Security Surprises
Surprises in cyber security are rarely ever a good thing, and they’re often very expensive when they come up. The reason for this is because time plays an important role in the information security discipline.
The longer a vulnerability lives in an environment, the more likely that vulnerability will be exposed and exploited.
This means that everyone in security wants everything fixed immediately. But the faster you want something fixed, the more expensive it ends up being, compounded with the fact we live in a time with a shortage of people available to fix it.
If your company’s security environment is immature from a security perspective, you won’t know what issues could come up as a result of a customer request or during an audit. It becomes an expensive game of plugging in the gaps as they appear.
The potential of a cyber security breach is another stressful surprise that could happen. If your organization doesn’t have a retainer agreement with a response team in place, or have an internal response team, prepare to pay high hourly rates for forensic incident response engineers and legal teams.
An added problem is that most security professionals won’t know how many hours they need to respond and remediate until they start working on your environment. “Fixed bids” don’t exist in the world of security incident response.
Companies are Spending More Money on Cyber Security
Boards are demanding that organizations pay more attention to cyber security and are approving larger spends for the sake of implementing more effective strategies.
Since these budgets are large, CFOs have to play a more active role in understanding and shepherding these projects and initiatives through the process.
Although the approach to implementing an effective cyber security program is the same, regardless of the type or size of an organization, it’s hard to predict the costs.
One of the reasons that security programs are so expensive to build and operate is because organizations have larger and larger technology environments. New technologies are continuously added to the environment without shutting down legacy programs or technologies.
Security resources are also at a premium, as experienced security resources are in high demand and the shortage is growing.
Hard and fast rules like the security spend being 10% of the IT budget are rules of yesteryear. If anyone is giving you these kinds of ratios, it’s clear that they don’t know what they’re talking about.
Focus Your Security Efforts on Efficiency, Not Compliance
From a security perspective, you can reach the same level of compliance whether you build and resource a cost-efficient process for the sake of compliance or for the sake of having a robust security program.
Think of it this way: you can build a drawbridge that only takes two people to operate, or you can build a drawbridge that does the same thing but takes five or ten people to operate.
Security best practice and compliance frameworks only care that your security program meets certain requirements. Frameworks don’t care how expensive it is to implement these requirements or maintain these processes, or the impact that they have on other aspects of your business.
Organizations are learning this lesson painfully, as they build security programs that take more people to operate than they have available. CFOs can help in making sure that processes are efficiently designed for the sake of maintaining the overall cost of security.
In the next article, we’ll look at what CFOs can start doing to stay on top of cyber security in their organization.