According to CFO Alliance Global Advisory Board Member, Richard Swinyard, managing partner and CFO at Computer Integrated Services (CIS), a U.S.-based identity and access management and network security firm, the heavy focus on data security and compliance in the audit world is something that should be driving CFO behavior. At the same time, he adds, “If people can show that they’re ahead of the curve—that they’re going slightly above requirements—it can be a real competitive advantage.”
“I wouldn’t be surprised if there was a correlation between CFO awareness around cybersecurity and the performance of their companies.”
Yet CFOs still have a long way to go to get up to speed with this evolving cyber risk management and reporting ethos, says Stewart Curley, who believes there’s still some naïveté around cybersecurity. “A lot of CFOs feel that they have basic protections in place that will take care of cyber risk, not realizing that they really need to move to much more sophisticated defenses to keep up with the skills of the attackers.”
“Many companies also rely too much on [data protection] insurance,” he adds, “whereas there needs to be more focus on remediation.”
CFOs also need to be forward-looking when it comes to cyber risk and not rely on compliance alone as an effective tool against cyberattacks, Curley warns. “When it comes to the cloud, for example, companies rely too much on the effectiveness of third-party audits. I’ve certainly seen times over my career where companies have met all the technical requirements from a compliance standpoint, but still had some pretty big holes that hackers could get into. Companies need to focus more on the real vulnerabilities that they have, and maybe less on the compliance or paper documentation that makes it look like they’re doing the right things.”
For a CFO, this means understanding not only the constantly changing regulatory environment but the cyber risk implications of the company’s investments in new technologies as well. According to Swinyard, although not firmly under the banner of the CFO, “we’re increasingly seeing the shift of responsibility there, or at least joint responsibility between the CFO and the chief technology officer of the company.”
Swinyard likens the evolving relationship in the cyber risk space to the one that evolved as a result of cloud computing. “If we go back five years, CFOs were being told, ‘We’re moving to the cloud because it’s going to save us money.’ Suddenly, we had to start working more closely with CIOs to figure out how we were going to implement cloud-based strategies. I think cybersecurity has become the next phase in this business relationship.”
Another reason cyber risk management is migrating toward the office of the CFO is because of ever-changing and potential future audit and reporting requirements. Swinyard notes, “We have seen companies being told they have a going concern risk (especially after cyber attacks) because they don’t have tried and tested business-continuity programs in place and/or because they had no strategies around employee identity and access management or testing for and managing vulnerabilities to cybersecurity attacks.” He adds that this goes to the heart of the CFO’s job. “What CFO wants to have an independent expert report that goes externally or to their board of directors and says, ‘We found all these control deficiencies and weaknesses within this company on their watch’?”
But the biggest challenge when it comes to the CFO’s role is climbing the learning curve and then putting the math to it, Swinyard says. “The key is building the knowledge to be comfortable when making decisions on what’s acceptable financially. There is a fine balance that is hard to strike—you don’t want to leave yourself exposed because you’ve done too little or in financial distress because you’ve spent too much.” That’s particularly true for small and medium-sized businesses, he notes.
Whether CFOs are increasingly involved in cyber risk management because of potentially devastating exposure to cyberattacks (read: Equifax), the evolving regulatory and audit environment that’s driving changes in reporting and disclosure around the world, or the framework guidance emerging from the accounting bodies, one thing is clear: Companies will continue to look to their finance chiefs for broad-based leadership. The decade of the cyber CFO is truly here!
This is an excerpt from an article in Strategic Finance Magazine, "Cyber CFO: The Next Top Finance Job," published on April 1, 2018 by Ramona Dzinkowski.