Cybersecurity: where does the CFO fit in?
Finance is one of the most vulnerable areas for cyber-attacks. The CFO needs to familiarise themselves with new IT security issues and master legal frameworks depending on their business model – an almost impossible task. How will this affect their decision-making power in terms of integrating tech – and facilitating company-wide usage of data?
Our interviews with CFOs, from SMEs to multinationals, have revealed four key ways of approaching cybersecurity.
“Looking after the security of the systems is an area where we are doing a lot of work.” Andrea Wesson, CFO, Eversholt Rail.
“Misconduct by anybody can risk everything.” Thiago Alonso de Oliveira, CFO, JHSF.
“We have to educate our own people to be watchful. Education at the individual level is really where the game starts.” Bob Braasch, CFO, Marathon Capital.
“It’s pretty easy for someone to send an email containing our company’s compensation data, but I have faith in my IT team that they’re on top of it.” Eugene Low, CFO, Mercer.
Cyber-attacks occur more than a million times a day. Most attacks are not successful, and few have the devastating effect of WannaCry, the well-documented ransomware that infected millions of computers across 150 countries last year. But the smaller attacks can still have a significant impact on business infrastructure and naturally, the costs run high.
CFOs are aware they have an important role to play in addressing this challenge. “Cybersecurity is very high on the agenda,” explains the CFO of an investment bank. “It’s not just a matter of putting a security patch and then you’re good for the next 15 years; it takes constant vigilance and review of your performance.”
But the question remains: what particular role should the CFO play in the process?
The Scientist: prioritise protection needs
Most CFOs who participated in the study agree that a solid understanding of data management is key. To fulfil the role, today’s CFO needs to know how to identify critical and confidential data and how to prioritise the company’s protection accordingly.
As data breaches accumulate, CFOs need to be proactive and continuously partner with IT experts. The continued exposure means that it’s increasingly important for a CFO to be tech-savvy.
The Engineer: ensure compliance in procedures
Prioritising protection needs is just one part of the CFO’s role in ensuring data protection. Usually the biggest risk is not the IT system itself – but the way employees use it. “Regardless of the quantity of firewalls or passwords, a misconduct by anybody from the group can risk everything that we are trying to protect with those tools,” says Thiago Oliveira, CFO of real estate company JHSF.
In an approach that embodies an Engineer, Oliveira cannot over-emphasise the importance of smooth-running systems that are fully adopted by employees: “People’s compliance on system procedures is very important to keep information safe and reduce the risks of cyber-attacks.”
The Coach: educate people to be watchful
In the mode of a Coach, training personnel on the risks associated with cyber-attacks and on prevention measures is fast becoming a priority of every CFO.
“We have to educate our own people to be watchful,” says Bob Braasch, CFO of investment bank Marathon Capital, “because the threats that could have an adverse effect on us will start with somebody accidentally sending a virus on a document and trying to access our system that way. Education at the individual level is really where the game starts.”
The Pilot: find strategies to safeguard privacy
A growing number of organisations are monitoring their employees’ use of data to enhance cybersecurity, but that comes at a cost - and not necessarily a financial one.
“I think the biggest challenge for most companies is how to respect the privacy when everybody is being tracked 100% of the time. I wake up every morning with this question on my mind,” explains Oliveira.
It takes the solution-oriented capacities of the Pilot to find an adequate solution, without necessarily getting into the operational detail. The balance is delicate but necessary: “It’s pretty easy for someone to send an email containing our company’s compensation data,” explains Eugene Low, CFO at global consultancy Mercer, “but I have faith in my IT team, my compliance team, that they’re on top of it. And from what I see, the situation is under control. I cannot get into the details of it. As a CFO, you have to pick your battles.”
There is speculation that the challenge of cybersecurity will eventually become too great for the CFO’s team alone. As David List, CFO of the online money transmitter Conotoxia, remarked: “I wouldn’t be surprised if the future will lead to a new role for the executive board. At some stage, the Cybersecurity Officer will enter the boardroom.”
- As finance is one of the most vulnerable areas for malicious attacks, CFOs need to get involved in managing cybersecurity.
- CFOs have to be familiar with IT security issues, ideally within the framework of a variety of legal systems.
- There is a real need to educate stakeholders to ensure widespread compliance.
- The complexity of cybersecurity challenges is opening up the possibility of a new boardroom role.