The role of the CFO has changed markedly in this fast-paced and digitally transformed world. While their core responsibilities – such as auditing accounts and overhead costs – were previously internal, many CFOs are now involved in the cybersecurity process. This focus on cybersecurity is incredibly important because it affects the productivity and viability of the business, two key areas for the CFO.
Today, every business is a digital business. Economic performance is closely linked to a digital ecosystem powered by the Internet and the cloud. With such rich and sensitive data in the cloud, millions of dollars are being spent on protecting that data. This gives the CFO a greater interest in reducing risks and achieving maximum productivity so that the business can run smoothly and without incident. Let’s take a look at these two factors.
The goal of CFOs is to reduce the risks of doing business: to protect the bottom line and ensure the viability of the company. Both are at stake if a cyber attack takes place. A recent study showed that the average ransomware attack costs an organization $1.1 million, and that further attacks and extortion attempts are a very likely consequence of paying the ransom.
Cyber attacks are becoming more sophisticated and the economic consequences can be devastating. For example, look at the recent Log4j attacks. We are still evaluating their economic consequences, but remember that the 2017 data breach at Equifax, which affected 147 million people, cost the company $700 million.
The CFO must worry not only about the financial consequences of the attack itself, but also about the legal costs and reputational damage. Consumers’ concerns about the security of their personal data after a breach have seriously damaged many businesses, and not all of them have been able to recover.
In the event of a data breach, the CFO looks at the impact of the stolen intellectual property. However, the real economic loss is the downtime for critical systems and the lack of productivity during outages. This is where the obvious technology gaps and the entire organization’s risk management framework become visible. What tools has the organization invested in, what internal processes are in place, and how quickly can this situation be resolved before the company suffers further losses? This is where the CFO must evaluate people, processes and resources.
As an industry, we are currently facing a shortage of security professionals, which puts organizations at great risk. Adding cybersecurity to the software development phase is an important opportunity to reduce risk, save on investments in security tools and improve processes in internal IT teams.
No longer viable
Previously, developers created applications and handed them over to security teams for review and approval; the security team then either sent the code back for modification or forwarded it to the operations team for deployment. That model is no longer viable: it simply cannot keep up with the pace of modern business. It causes bottlenecks and loss of productivity, inhibits innovation and leads to frustration.
Instead, a new, more agile model of application development places the responsibility for security in the hands of the developers themselves, from the application planning phase, through code development, to deployment and use. By incorporating security considerations into all stages of the software development cycle, there is much less chance that security vulnerabilities will ever occur. At the same time, errors can be detected and remedied more quickly.
The CFO as a cybersecurity expert
CFOs need to sit at the cybersecurity table to reduce risk, ensure that technology investments pay off for the company, and evaluate internal processes so that the organization gets the most out of its employees’ competencies.
Maintaining an up-to-date database of vulnerabilities that provides steps to address the issues identified is one way to mitigate CFOs’ concerns about risk. Automated scanning increases software security and reduces the risk of data breaches and the resulting business disruption and reputational damage. It also provides very healthy productivity gains, which in turn are of particular interest to CFOs.
Important focus area
The way internal security teams are structured, and how to make the most of their time and expertise, is also an important area that CFOs need to be aware of. Once upon a time, scaling security teams was a very challenging and expensive affair. In more modern organizations, developers are empowered to solve most security issues. This allows internal security teams to focus on major issues and spend the time they free up coordinating and training developers in security and addressing non-technical security management and policy issues.
Making developers first-line security officers is a logical response to the shortage of cybersecurity professionals, and it brings cybersecurity preparedness and prevention into the development phase. DevSecOps also helps the CFO look at the entire ecosystem to ensure that operations are sound and that the company can thrive.
Author: Ken MacAskill, CFO Snyk