In my previous blog, I shared some thoughts about why a strong CFO-CIO collaboration is the key to success in the digital world. With five new types of cyberthreats popping up every second, business success is about more than just innovation and growth. It is also about protecting the company’s intellectual property, reputation and shareholder value – and this means incorporating a comprehensive security strategy.
Even though CFOs fully understand the reality of cyberthreats and have witnessed the financial and reputational impact of attacks, they don’t always recognize the need for their own involvement in a cybersecurity strategy. But, here again, it is the joint responsibility of the CFO and the CIO to protect the company’s key assets, and that includes the digital ones as well. Only by working hand in hand will they bring cybersecurity awareness to a higher level within their company. Being a CFO myself, and assuming my share of the responsibility for the company’s assets, I thought I would share some of my experiences with you and explain why such a step is becoming much more than a necessary evil.
Attacks are inevitable
“It can’t happen here.”
This is a sentence I used to hear when visiting customers. But the truth is, we all know now that nobody is 100 percent safe in the modern age, whether as an individual or as an organization. The well-publicized ransomware outbreaks of WannaCry (around 300,000 computers infected) and NotPetya (several well-known multinationals brought to a standstill) made that clear. Add to this the daily reports of data breaches involving major retailers, financial institutions, internet companies and even dating sites, and it is not very difficult to understand why individuals and businesses alike are becoming less self-assured when it comes to cyberthreats.
“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again,” said former FBI director Robert Mueller, quoted in the Connected CIO booklet from Dell EMC.
Understandably, today’s businesses would prefer to stay off the radar of cybercriminals. Even the most serious banks now keep a low profile. The key is not to tempt hackers, whose favorite techniques now include cryptojacking and fileless malware. In a recent IMF blog, Christine Lagarde estimates the cyber risk for the financial sector and labels it a significant threat to the financial system. The IMF suggests that average annual potential losses from cyberattacks may be close to nine percent of banks’ net income globally, or around $100 billion. These are staggering numbers, indeed, and they do not even cover the worst-case scenario. Taking into account that the financial sector has always been one of the most protected segments, this leaves much room for thought about the extent of potential losses in other sectors such as manufacturing. The figures above are based solely on those data breaches that are publicly known. This is just the tip of the iceberg, and I would bet they cover only something like 10 percent of all the real cases.
Traditional ‘product’ approaches not enough
Last year, a leading manufacturing company specializing in personal care was crippled by a huge data breach. They turned to my employer, Dell EMC, to help them build and implement a multi-layer cybersecurity strategy, encompassing everything from data encryption to tape backups and cyber insurance. For years, they had been a bit lax in terms of security, but it turned out that traditional strategies, relying on a collection of heterogeneous products, were no longer enough to cope with the ever-increasing ingenuity of hackers.
Examples such as this highlight where a strong CFO-CIO collaboration can make a substantial difference. Given that the CFO is responsible for the company’s assets and the CIO is the gatekeeper of the IT infrastructure who makes security happen, they have a joint responsibility to build a comprehensive strategy that relies on more than a few randomly assembled ‘magic’ security products.
- Keep your friends close, but your enemies closer
This means analyzing all your organization’s vulnerabilities in detail and taking appropriate actions. It starts with very simple and practical measures, such as making sure employees use strong, unique passwords (backed by multi-factor authentication where possible; current guidance such as NIST SP 800-63B no longer recommends forced periodic password changes) and lock or log off their computers when not in use. CFOs should make sure that sufficient funding goes into workshops, training and communication efforts to raise security awareness company-wide. Do not forget to take social networks into account during this exercise. There are facts that employees who play a role in the security chain should never expose on Twitter, Facebook or LinkedIn, such as holiday dates or detailed descriptions of their role and responsibilities.
- Get your cybersecurity toolbox organized
Together with a trusted partner on the technical side, CFOs must take a hand in directing the implementation of security tools, data encryption techniques and recovery solutions. One key point in an age where data is the new oil is the ability to prioritize or tier the data that is backed up, so that the most critical data can be recovered quickly in the event of a breach or attack. The most critical data should also have the most secure and most frequent backups, including at least one copy that is kept isolated from the production network so that ransomware cannot reach it. Deciding which data is most critical to the business is right up the CFO’s alley, and it is where they can prove their added value to the CIO.
Given that a security strategy will never be 100 percent successful (roughly 80 percent of incidents involve a human element), the essential questions the CFO can help the CIO answer are:
- How do I protect the heartbeat of the business if I am the victim of a cyberattack?
- What loss of assets would affect the daily operations of my business if the organization were under attack?
- How could we lose consumer confidence?
- And what could have an impact on shareholder value and our reputation in the market?
Usually, less than 10 percent of the total data needs to be recovered quickly to avoid major losses.
While the CFO frees up the necessary budgets, the CIO should offer technical advice on the IT choices and actually embed the cybersecurity strategy within daily operations. For any new IT project, the Connected Partnership needs to reflect together on the security risks, finding the right balance between openness and isolation. In our interconnected world, you cannot close all the gates, but you can proactively incorporate the right tools to detect when something goes wrong. By doing so, CFO and CIO will be well-positioned to move from merely detecting attacks to actually protecting the business.
To put on my CFO hat for a moment, I confirm that a lot of money does indeed flow into cybersecurity and threat prevention. But cutting costs on that budget line because ROI is difficult to calculate is a false economy. The risk of investing insufficiently in cyber protection is losing hard-earned goodwill, for both your company and your customers. Who would take the risk of cutting costs on the smoke detectors and fire alarms in their office building?
Have a wonderful, safe and cybersecure summer vacation!