Our interviews with CFOs from SMEs to multinationals have revealed four key ways of approaching cybersecurity.
• If today’s CFO wants to fulfil his or her role, there is a need to know how to filter the critical and confidential data as well as prioritise the company’s protection.
• The CFO should be familiar with IT security issues, ideally within the framework of multiple legal systems.
• Training personnel on the risks associated with cyberattacks and on prevention measures is fast becoming a priority of every CFO.
Cyberattacks occur more than a million times a day. Most attacks are not successful, and few have the devastating effect of WannaCry, the well-documented ransomware that infected millions of computers across 150 countries last year. But the smaller attacks can still have a significant impact on business infrastructure and, naturally, the costs run high.
CFOs are aware they have an important role to play in addressing this challenge: “Cybersecurity is very high on the agenda,” explains the CFO of investment bank Morgan Stanley. “It’s not just a matter of putting a security patch and then you’re good for the next 15 years; it takes constant vigilance and review of your performance.”
But the question remains: what particular role should the CFO play in the process?
Prioritise protection needs
Most CFOs who participated in the study agree that a solid understanding of data management is key. If today’s CFO wants to fulfil his or her role, there is a need to know how to filter the critical and confidential data as well as prioritise the company’s protection.
“The ability to really understand what you can do with data specialists, and to strategically think about what you’re going to do with big data in finance is very important,” says Philippe de Briey, CFO with the multinational biotech company Monsanto.
As data breaches accumulate, CFOs need to be proactive and continuously partner with IT experts. The continued exposure means that it’s increasingly important for a CFO to be tech-savvy.
As Andrea Wesson, CFO of the railway company Eversholt Rail, explains: “I am personally responsible for ensuring the cybersecurity and data security systems of our suppliers are adequate.” From the perspective of a Scientist, the CFO should be familiar with IT security issues, ideally within the framework of multiple legal systems.
People are the biggest risk
That is, however, just one part of the CFO’s role in ensuring data protection. Usually the biggest risk is not the IT system itself – but the way employees use it. “Regardless of the quantity of firewalls or passwords, misconduct by anybody from the group can risk everything that we are trying to protect with those tools,” says Thiago Oliveira, CFO of real estate company JHSF.
In an approach that embodies an Engineer, Oliveira cannot over-emphasise the importance of smooth-running systems that are fully adopted by employees: “People’s compliance with system procedures is very important to keep information safe and reduce the risks of cyberattacks.”
In the mode of a Coach, training personnel on the risks associated with cyberattacks and on prevention measures is fast becoming a priority of every CFO.
“We have to educate our own people to be watchful,” says Bob Braasch, CFO of the investment bank Marathon Capital, “because the threats that could have an adverse effect on us will start with somebody accidentally sending a virus on a document and trying to access our system that way. Education at the individual level is really where the game starts.”
How to safeguard privacy
A growing number of organisations are monitoring their employees’ use of data to enhance cybersecurity, but that comes at a cost - and not necessarily a financial one.
“I think the biggest challenge for most companies is how to respect the privacy when everybody is being tracked 100% of the time. I wake up every morning with this question on my mind,” explains Oliveira.
It takes the solution-oriented capacities of the Pilot to find an adequate solution, without necessarily getting into the operational detail. The balance is delicate but necessary: “It’s pretty easy for someone to send an e-mail containing our company’s compensation data,” explains Eugene Low, CFO with global consultancy Mercer, “but I have faith in my IT team, my compliance team, that they’re on top of it. And from what I see, the situation is under control. I cannot get into the details of it. As a CFO, you have to pick your battles.”
There is speculation that the challenge of cybersecurity will eventually become too great for the CFO’s team alone. As David List, CFO of the online currency exchange company Conotoxia, remarked: “I wouldn’t be surprised if in the future it will lead to a new role for the executive board. At some stage, the Cybersecurity Officer will enter the boardroom.”
- As finance is one of the most vulnerable areas for malicious attacks, CFOs need to get involved in managing cybersecurity
- CFOs have to be familiar with IT security issues, ideally within the framework of various legal systems
- CFOs need to educate the people in the company to make sure they are compliant
- The challenge of cybersecurity will possibly become so complicated that it will lead to the birth of a new role in the boardroom