"Are we Secure?"
“Are we secure?” is a terrible question that CISOs hate to hear. It shows a lack of understanding of security and risk in general. Rather, the questions should be about “what’s the cost of” and “what’s the likelihood of”. Cybersecurity is all about risk: managing risk, and supporting operations in doing the appropriate thing for the risk involved. This blog post is meant to help you be more effective in supporting your organization’s security program.
As a Chief Financial Officer (CFO), you’re responsible for not only managing your company’s finances, but also its overall risk strategy. This includes securing your company’s data and systems from cyber threats. In today’s digital age, cybersecurity risks are growing more prominent and complex. To ensure that you’re implementing the latest and highest standards of cybersecurity, there are key questions that you need to know about. In this blog post, we will discuss the top five questions CFOs need to ask about cybersecurity and how to answer them.
Top 5 Questions for a CISO About Cybersecurity
1. What are the cost floor and ceiling risks for various scenarios based on the level of funding you currently have?
As a CFO, you understand the importance of financial analysis and ROI. It’s essential to evaluate the cost of risk and its impact on the company’s financial health, especially in worst-case scenarios such as ransomware, a privacy data breach, or a payment card breach. Knowing and understanding the potential costs of these risks helps inform investment and business decisions. A simple tweak to policy or an infrastructure investment may pay for itself through a reduced likelihood of breach, lower compliance penalties, or a reduction in cyber insurance premiums.
2. What are the metrics and current effectiveness of our headcount and investment in addressing the scenarios above and our overall cybersecurity risks?
CFOs are well-versed in the language of finance, adept at analyzing numbers and metrics to gauge the effectiveness, efficiency, and profitability of a business. CISOs should apply the same approach to their programs, and it is the C-level’s responsibility to request these metrics. However, CFOs must remain vigilant, understanding that numbers can be manipulated and risks can be downplayed (as exemplified by the SolarWinds incident). To mitigate this, it may be beneficial to engage third-party auditors for routine annual reports, mirroring the practice of the Big 4 firms during their annual audits of your organization.
3. How do the regulatory and compliance environments affect our cybersecurity strategy, and what resourcing (financial and headcount) is expected to be needed to address them?
CFOs should be aware that operating environments, cybersecurity standards, and regulations are continually evolving in every industry. It’s essential to understand the regulatory and compliance environment of your company and to ensure compliance with any applicable regulations, regulatory bodies (e.g., the SEC), or standards such as SOX, SOC, GDPR, HIPAA, and CCPA, not to mention the newer state-specific privacy acts and industry acts, like the Texas Privacy and Security Act and the New York RFCs relating to hospitals. Non-compliance with these standards can result in hefty fines and penalties as well as loss of reputation. Being knowledgeable about the barriers to compliance helps inform resourcing and investment decisions, i.e., whether the juice will be worth the squeeze.
4. What is the potential impact of our insurance premiums on our cybersecurity strategy? Can we offset these?
Per Bloomberg, US cyber insurance premiums surged 50% in 2022 as increased ransomware attacks and online commerce drove demand for coverage. Premiums collected from policies written by insurers reached $7.2 billion in 2022 and tripled in the past three years.
Clearly, the problem is that the risks to insurers are not being offset by the premiums coming in, so prices go up.
The CFO likely examines two primary spending categories related to cybersecurity, depending on how they are reported within the overall budget and financial statements: insurance premiums and cybersecurity expenses. The latter encompasses capital expenditures, operational expenses (such as consulting and SaaS products), and headcount spend.
There are strategies to reduce cyber insurance premiums. Talking with the CISO and making targeted investments in the cyber program can mitigate risks for the insurer, usually offsetting the increase in premiums. It is advisable to initiate this conversation at least a few months before the renewal date, since insurers usually set premiums and assess the insured’s risk based on a questionnaire and industry trends.
5. What keeps you up at night? How can we support you?
CISOs are deeply involved in company operations and stay up to date with emerging cybersecurity issues. They possess an intimate understanding of potential vulnerabilities and worst-case scenarios across the business. While CISOs don’t necessarily envy the role and challenges faced by CFOs, both positions share the common goal of managing risk within their respective domains. By asking this question, you can gain insights, cultivate empathy, build relationships, and establish meaningful connections.
Finally, the role of the CISO is often underestimated, and sometimes the CISO is not even given a seat at the table. However, as a CFO, you hold a crucial position in ensuring your company’s readiness to handle and mitigate cybersecurity risks. By partnering with the CISO, you can forge a valuable business alliance that not only saves costs but also reduces operational risk. By asking the right questions and implementing an effective cybersecurity strategy, you can further safeguard your company’s financial health and protect its reputation.
In today’s technology-driven world, where companies increasingly rely on advanced technologies like AI, cybersecurity should be regarded as a critical business function. It is imperative to stay well informed about the latest threats, regulations, and best practices. In an upcoming blog post, we will explore how governments can influence these decisions and why it is crucial for businesses to be proactive rather than reactive.
The last thing you want is to have a government or a regulator make the decision for you.
If you need help developing your risk management and cybersecurity program, or need a second look at what you have, give us a call. We’ve been there.