By Steve Durbin, Managing Director, Information Security Forum
Today, the threat of a cyber-attack is firmly at the top of every boardroom agenda. Given the complexity facing organizations (globalization, computing infrastructure, threat vectors, and criminal organizations), only a collaborative, strategic and enterprise-wide approach to cybersecurity will suffice.
But in this difficult environment, most organizations are not sufficiently protected against cyber-attacks, despite years of effort and a multi-billion-dollar annual global spend.
Even if an individual organization’s defenses are robust and continuously optimized, dependencies on supply-chain partners and third-party services introduce vulnerabilities beyond its direct control.
This was made painfully clear by the recent revelation that an international hacking ring stole hundreds of thousands of financial press releases and made illicit insider trades on the advance (unreleased) information, resulting in at least $100 million in profits for the criminal participants.
The hackers were able to access the not-yet-public financial reports by breaching wire services, an essential yet clearly neglected link in Wall Street’s information operations.
This is an excellent illustration of the need for cybersecurity engagement across the C-suite and Board of Directors. After all, what does the average CIO or CSO know about the inner workings of financial news systems? Who would know?
The Chief Financial Officer (CFO), whose purview includes investor relations, financial reporting, and SEC compliance. Until recently, many CFOs may not have been considered an essential part of an organization's security team. As incidents become more common and their impact more widespread, CFOs are regularly being called upon to help promote cybersecurity by assessing risks and their implications, financial and otherwise. This trend will certainly intensify in the wake of the news wire breach.
The Newest Member of the Security Team
CFOs have a major role to play in the daily running of an organization. Their work with financial analysts and investor relations has always prompted concerns about loss of control over information. They are also concerned with the loss of funds through theft, waste, or a third party’s misfortune.
It doesn’t take much imagination to see they have good reason to be alarmed. The information under the CFO’s control—including revenues, profits, investments, acquisitions, and forecasts—is some of the most sensitive and important data found within any organization.
To fulfill their fiduciary duties, CFOs must cultivate a deep understanding of where this vital information is at all times, how it is secured, who might want to steal it and, most important, how they might gain access to it.
The CFO has the responsibility to provide plain, true and complete disclosure to the Board on a wide range of issues. Their assessments and disclosures should include the potential impact of a cyber-attack on the financial standing of the organization.
Many leadership teams are struggling with the risk versus reward balance when it comes to weighing opportunities in light of cybersecurity threats. Even in mature, relatively secure organizations, cyber threats sit firmly at the top of the boardroom agenda. The CFO has an important and ongoing role to play in risk assessment, incident management, and incident response planning, key components of any security strategy. Analyzing the feasibility and cost effectiveness of cyber insurance and security solutions also falls within the CFO's area of expertise and advisement.
Finance executives should integrate security risks into their larger decision-making processes around investments, procurement, and partnerships. This is no small task in a constantly shifting technology and security landscape. To be agile enough to make informed decisions in a timely fashion, CFOs regularly refresh audits, risk profiles, asset inventories, and supply chain maps.
Cybercrime-related intelligence relating to emerging threats should be reviewed by the CFO on a regular basis to determine:
- The extent to which the organization is at risk of a cybercrime-related attack
- How targeted information could be used by criminals
- The techniques used by criminals to perform cybercrime-related attacks
Guardians of the Enterprise
As the breach of financial wire services aptly demonstrates, attackers have become more organized, sophisticated, and dangerous. They are able to operate undetected for extended periods, intensifying the damage done to both reputations and bottom lines. Cybercriminals and hacktivists increasingly target brand reputation and the interdependencies amongst suppliers, customers and partners. CFOs can defend against these attacks by identifying and prioritizing the protection of their organization’s most valuable data, assets, and relationships.
If, and when, a data breach occurs, it is important to limit its impact, including the potential impact on the organization's reputation. CFOs need to ensure they are fully prepared to deal with these ever-emerging challenges as a key player in a collaborative, enterprise-wide incident response team. They can be instrumental in preserving brand reputation by clearly communicating security measures to all stakeholders, including customers, before and after incidents. Specifically, they should help craft and rehearse the portion of the incident response plan that covers communicating with shareholders, partners, suppliers, and customers. The faster, more credible, and more thorough the post-breach response, the less damage will be done to reputation and bottom line.
Strategic Cybersecurity Builds Resilience
Traditionally, risk management focuses primarily on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach. Organizations must extend risk management to include risk resilience. Once we acknowledge that preventing breaches is impossible, mitigating damage from cyberspace activity becomes the focus, and building in resilience is the best way to manage risk and respond to threats effectively.
Cyber resilience anticipates a degree of uncertainty; it recognizes the challenges in keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. It encompasses the need for a prepared and comprehensive rapid-response capability, as organizations will be subject to cyber-attacks regardless of their best efforts. Above all, cyber resilience is about ensuring the sustainability and success of an organization, even after it has been subjected to the essentially inevitable attack.
Although CFOs have not commonly been viewed as vital members of the security team at most global organizations, they have always played an important role in advocating for, and pursuing, critical investments that promote long-term business growth.
Given the risks that cybersecurity threats pose in a technology-driven, global economy, today's CFO must bring their expertise to bear on enterprise security as an essential approach to protecting the company's reputation, stock price and most valuable information.
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.