Cyberattacks on operational technology (OT) are increasing in complexity and severity. The modern cyber criminal is well-organized, well-financed and willing to wait for the right opportunity to strike.
The Chief Financial Officer (CFO) plays a crucial part in ensuring that the investment in cybersecurity matches not only the potential risks but also the value and importance of the company’s infrastructure, from financial systems to operational technology networks. In some organizations cybersecurity is viewed as a cost drain, and as a result investment levels tend to be far too low relative to the scale of the risk.
It is not uncommon for security teams or their executives to be rewarded based on reduction in expenditure vs budget, breeding an alarming culture of penny pinching each year. This short-term thinking is putting organizations in jeopardy, and at risk of everything from data breaches to system hacks. A boardroom, including the CFO, that recognizes the devastating effect a cyberattack can have, both financially and reputationally, will be better placed to protect their ‘crown jewels’ from this new age of cybercriminals.
There is an opportunity to engage the CFO in the full spectrum of cybersecurity and the potential mitigations, from IT to OT networks. Great CFOs don’t act as a blocker or barrier, but are ready to invest in comprehensive and robust cybersecurity systems. Here’s how to make sure your CFO is one of them.
Make clear the opportunity cost
There is, of course, a cost to cybersecurity systems, but the cost of not having them is even greater. The average cost of an attack has been rising rapidly and now stands at $3.9 million, according to the annual Cost of a Data Breach Report by IBM and the Ponemon Institute, although this rises to $8.64 million in the U.S. This includes the cost of OT systems and hardware, disruptions to critical activity resulting in downtime and lost business, and fines.
When put in this context, the investment in cybersecurity will seem minimal. Businesses that rely on insurance as mitigation may feel that they are covering the financial cost, but this does not take into account the cost of reputational damage, which can far exceed any monetary loss. Further, the insurance market is taking a tougher stance due to the rising frequency and scale of cyberattacks. This makes it a multi-faceted challenge for finance leaders.
Think about long-term sustainability
Cyber resilience is about ensuring the continued success of an organization. Business continuity, reputation and finances are all at stake, as is the potential for injury and even loss of life. Imagine how much money would be lost if you were unable to service clients, and the reputational damage of a splash across the headlines. To continually win new business you need to be able to show you are diligent and trustworthy, and cybersecurity plays a big role in this. The security of user and client data is increasingly important, and customers will not want to do business with you if their own information is seen to be at risk. Similarly, vendors will harbor concerns about stability, and ultimately shareholders will become worried about performance.
See cybersecurity not as an IT overhead but an OT asset
Cybersecurity is not just a tick-box or policy-adherence exercise; it brings huge value. It is about more than IT systems and software; it extends to the OT that is essential to the business. The CFO’s remit spans the entire business, meaning they are perfectly positioned to support cybersecurity efforts across the entire estate. They are able to look at the technology and systems and assess, from a strategic standpoint, what investment in them can bring the business.
Improve the risk management framework
The CFO needs to finance things that are business critical. If the Chief Information Officer (CIO), Chief Information Security Officer (CISO) and Senior Management Team (SMT) make cybersecurity part of everyone’s role, from team members to those at the top of the organization, it ensures it is ingrained in policy and procedure. With this shared visibility and responsibility, it becomes clearer why it needs financing, not just as a cost center but as an enabler. Cybersecurity is about protecting the assets that are of value to your company, and so it should be embedded in everything that you do. Effective governance is essential to business success.
Help them mitigate potential risks
Across the business we are constantly putting plans and procedures in place to mitigate risk. Most often this is based on potential risk rather than historic experience. Just because it hasn’t happened doesn’t mean it won’t. In fact, threats are constantly changing, and cyber criminals are increasingly diversifying the strategies they use to infiltrate organizations. Most businesses have smoke alarms or defibrillators yet have never had a fire or seen someone have a heart attack during the working week. They have this equipment installed to minimize the impact of any future disaster. The same is true of cybersecurity.
CFOs should think of cybersecurity as part of the package that a business has to mitigate against risk and maintain fully functioning OT at all times to ensure business activity can proceed as normal. CFOs should therefore be discussing cyber-risk exposure with their CIO and CISO regularly. This ensures it doesn’t just get thought about on an annual basis but is front of mind all year round. That regular reminder of why it is so important will help ensure that it is viewed as a business-critical expense that needs to be fully backed financially.
Use their expertise
Your CFO does not have to be a cybersecurity expert, but their risk management skills will be essential to asking the right questions around issues such as where data is stored and who has access to it. They especially understand the risks and issues involved in protecting financial data. By ensuring that your CFO is part of the process for assessing risk, identifying assets and selecting vendors, you make them part of the cybersecurity process itself.
Present a united front
The CFO is a business-critical part of strategic and functional operations across the organization. Businesses fall prey to cyber-attacks when they have a weak link. We think of clients as castles, and all of the battlements need to be strong. This includes everyone from the CEO to the cleaner, as well as the connected systems used to make the business run. Vigilance and security are essential across the board, and the CFO is an integral part of that.
Cybersecurity has been an essential part of business for a long time. In a world where more and more of us are geographically dispersed, more devices are connected to the internet and cyber criminals are getting increasingly sophisticated, it needs to be a top priority for all organizations – and all members of those organizations, including the CFO. By bringing your CFO along on the journey and making it clear why investment in cybersecurity is such a business-critical expense, you will make it easier to get that much-needed sign-off.