Understanding the CFO’s Cybersecurity Role in the Age of COVID-19
Senior executives understand that today’s global economy is still not adequately protected against cyberattacks, despite years of effort and multi-billions in spending each year. Until recently, many chief financial officers (CFOs) may not have been considered an essential part of an organization's security team. And many may not have understood how to respond to security risks and the implications for their organizations.
Times have changed and many CFOs are now being called on to help promote cybersecurity and identify threats. Today, CFOs play a significant role in the daily running of an organization. For starters, they are responsible for loss-of-control over their financial reporting as well as the potential loss of funds, either through theft or as a direct result of a third-party’s misfortune. The information that the CFO controls and works with daily is some of the most sensitive and important in an organization.
The CFO must understand where information is always, how it is secured, who might want to steal it and how they might gain access to it. Most importantly, the CFO has a duty to provide plain, true and complete disclosure to the board on a wide range of issues that many would argue should include the potential impact of a cyberattack on the financial standing of the organization.
Protecting the organization’s reputation
Attackers have become more organized and sophisticated, and all threats are more dangerous and pose more risks to an organization’s reputation. Cybercriminals and hactivists are also targeting brands’ reputations and attacking their relationships with suppliers, customers and partners.
With the speed and complexity of the threat landscape changing daily, we are seeing organizations left behind, sometimes in the wake of reputational and financial damage. If (and when) a data breach occurs, it's important to limit its impact and the potential impact on the organization's reputation. CFOs must ensure they are fully prepared to deal with these emerging challenges by equipping their organizations to deal with attacks on their reputations. The faster a company can respond to attacks on its reputation, the better the outcomes.
Adopting a resilience-based approach to cybersecurity
Cyber-resilience requires the recognition that organizations must prepare now to deal with severe impacts from cyberthreats that cannot be predicted or prevented. This requires a high degree of partnering and collaboration both across the organization and outside with industry bodies, law enforcement and like-minded businesses. This must be combined with the ability across the organization to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of such incidents.
For this to work, four key things to be in place:
- Sound governance: The organization will need to have an effective governance framework for monitoring cyberactivities, including collaboration with partners, along with specific risks and obligations incurred through cyberoperations.
- Situational awareness: Companies need a tried and tested process for gathering, analyzing and sharing cyberintelligence.
- Resilience assessment: Firms will require a process for assessing and adjusting resilience to the impacts from past, present and future cyberactivity.
- Response: The organization should be capable of preventing, or at least detecting and responding to, cyberincidents in order to minimize their impacts on the business.
Implications for businesses continue to emerge as they deal with supply chain disruptions that affect inventory levels, loss of sales orders, travel restrictions, unavailability of employees, government shutdowns and temporary closures. Further consequences of the current pandemic remain unknown; however, they could extend to degraded health services, increased anxiety in the workforce, staff fear of infection and civil unrest due to misinformation.
At the same time, we have seen an increase in cybercrime targeting the COVID-19 “opportunity.” Not restricted to ransomware attacks on hospitals, cybercriminals are also targeting remote workers who are accessing corporate systems from unfamiliar work environments – their homes. In the US, the FBI has seen a quadrupling in cybercrime reports compared to before the pandemic. These include setting up fraudulent charities, fraudulent loans and extortion along with an increase in traditional phishing and malware.
The changing threat landscape requires risk management and security practitioners to pay close attention to how exposures will change over the coming months and the circumstances that will influence the level of protection. As business processes, working environments and technologies continue to change, gaps in protection will emerge, requiring prompt attention from the C-suite, with the chief information security officer and CFO leading the charge.
Far too often, organizations implement measures to prevent cyberattacks in response to a data breach. A meticulous CFO can save the company the embarrassment and financial impact of a major breach by taking proactive steps in anticipation of targeted attacks. Companies should take the time to develop a data breach response program. They must also rehearse various scenarios before an incident occurs.
COVID-19 has provided the opportunity to not only rehearse but also test response scenarios. Risk management has traditionally focused on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace has outpaced this approach and it no longer provides the required protection, as many organizations have discovered. Going forward, organizations must extend risk management to include risk resilience, in order to manage, respond and mitigate any damaging impacts of cyberactivity.
Cyber-resilience anticipates a degree of uncertainty. It’s difficult to undertake comprehensive risk assessments about participation in cyberspace. Cyber-resilience also recognizes the challenges in keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. It encompasses the need for a prepared and comprehensive rapid-response capability, as organizations will be subject to cyberattacks regardless of their best efforts to protect themselves. Above all, cyber-resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inevitable attack. But at what cost, some may say? This is the question CFOs worldwide are now having to address as they look to get their organizations back to post COVID-19 work.
For some companies the response, understandably, to the severe economic impact of the pandemic may be to rein in spending until the business climate has a chance to stabilize and establish its new normal. All too often that means CFOs switch spending to critical elements only, and rightly so. But what has been made clear throughout the COVID-19 crisis is that organizations of all sizes are so dependent upon technology and cyberspace to transact business that cybersecurity is now one of those critical areas requiring continued investment. Furthermore, through targeted investments, business benefits can be derived that more than justifies the costs.
Let’s look at a few examples:
- Home working and the associated cyberthreats have raised the risk of cyberattack for many organizations, which requires a review of key policies and standards to ensure that these vulnerabilities are addressed and do not turn into opportunities for cybercriminals to wreak further damage.
- Supply chains are under pressure with perhaps the traditional approach to ensuring security, largely in-person and on-site validation of security measures, something of the past. Revisiting minimum acceptable security requirements for suppliers, applying amendments to existing and new contracts, and adjusting the stringency of requirements are essential activities to reflect the changes brought about by the pandemic and to ensure that appropriate levels of assurance are in place.
Business-risk appetite is likely to have changed in favor of availability of service over confidentiality and integrity during the crisis. How should the post COVID-19 business respond and reset its risk appetite? What might be the associated costs both short- and long-term associated with such a change in stance?
No one is suggesting that CFOs throw themselves into being security experts overnight, but every one of them should be having discussions with both risk and security to identify the compulsory spending requirements to ensure that their organizations don’t simply return to work but are also protected from the next wave of inevitable cybercrime activity that will accompany the transition back to the new work environment and beyond.
The road to implementation is paved in gold
For some, they may already be on the road to implementation. For others, this will be new and may require a focus and alignment of cooperation and collaboration across the business and its necessary stakeholders.
A scrupulous CFO can save the company the embarrassment and financial impact of a major breach by taking proactive steps in anticipation of targeted attacks. Companies should take the time to develop a data breach response program. They must also rehearse various scenarios before an incident occurs.
In the past, while the CFO has not been viewed as a vital member of the security team at most global organizations, these executives play a significant role in advocating for and pursuing critical investments that promote long-term business growth. Given the risks that cybersecurity threats pose in a technology-driven, global economy, today's CFO must focus on cybersecurity and ensure that adequate steps are taken to preserve and protect the company's reputation, stock price and most valuable information properties.
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cybersecurity, digitalization and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.