© 2020 Content Security Pty Ltd.

The role of the CFO in cyber security: actively bolstering cyber resilience

Cyber security has historically been considered the IT security team’s domain. However, with enterprise operations so heavily reliant on technology and cyberspace to stay competitive and optimise productivity, cyber security is now a top priority for any business’s CFO.


Cyber security is a whole-of-business issue

Both executives and staff have been called upon to actively adopt and participate in corporate cyber security strategy. Of all C-suite figures, Chief Financial Officers (CFOs) are arguably the most responsible for enforcing cyber security throughout a business. They have a burgeoning role to play in the widespread acceptance of this strategy, with a distinct responsibility to portray cyber security as a continual investment. Because CFOs are concerned with financial risk and with protecting their business’s reputation, their role has changed to prioritise cyber security as a means of brand protection and business continuity.

Why is this the case?

The increasing frequency, growing sophistication and crippling costs of cyber-attacks have prompted a necessary shift in the way cyber security is thought about and enacted in the corporate world. Today, it is not only a concern limited to information technology (IT) security teams – it is a sweeping and essential responsibility for executives and staff alike.

Cyber security is a continual undertaking for every individual; unfortunately, the modern cyber battlefield is only expanding. The constant desire for business innovation brings about inevitable and unceasing risk. The wide adoption of cloud computing in conjunction with the growing need for constant connectivity has also created a plethora of access points for cybercriminals to exploit.

While digital transformation and technological integrations promise streamlined functioning and gains in profit and productivity, we cannot lose sight of the great risks they pose – in particular, the massive financial repercussions alongside the operational, reputational and compliance costs of increased cyber exposure and breaches.

How is the role of the CFO changing with respect to today’s threat landscape?

CFOs are called to adopt a dual role as they take the lead in navigating their organisation’s digital transformation journey. They are not only at the forefront of driving strategic performance but are also responsible for managing financial risk.

The role of the CFO is to oversee and manage some of the most critically sensitive and increasingly sought-after information held within the organisation. They have a clear picture of where sensitive information is stored, and they oversee how it is secured and who has access to it. Furthermore, the global cost of a data breach is approximately $5.5 million AUD. Now, more than ever, CFOs are responsible for protecting customer and company confidential data from costly breaches.

Taking their unique perspective into consideration, CFOs have a major role to play in strengthening their organisation’s cyber security strategy and uplifting its security posture. As some of the key leaders within a company, they have a duty to protect the organisation’s reputation and livelihood by actively bolstering cyber resilience from the top down.

How can CFOs take a proactive lead in cyber security?

Cyber security incidents are inevitable, and at some point your organisation is likely to be compromised. While this is unfortunate, it is a reality that must be proactively prepared for if your organisation is to withstand attack. In order to mitigate the cost of a breach and save your organisation from its debilitating effects, be sure to:

1. Make an active effort to stay updated on cyber risk

Businesses are not only defending against known risks; cyber resilience therefore relies on anticipatory action. In order to properly protect your information you need to know:

  • The risks your organisation is susceptible to;
  • The variety of attack vectors cybercriminals are using;
  • What kinds of information they are after; and
  • How to respond to specific threats.

With new vulnerabilities emerging daily, you must strive to stay on top of them and stress the importance of proactive detection.

2. Take inventory of all assets and prioritise risk management

It is essential to capture a complete picture of your systems and gain visibility over all assets. You will be better equipped to prioritise your risk management when you take inventory of your network, data and systems, and moreover, understand how your organisation’s information supply chain operates.

Note: Not everything can be protected equally, and not everything should be protected equally. This mindset will help you make positive changes where they are truly needed.

3. Assess third-party risk

The security of your data extends beyond the confines of your organisation and internal staff. Some of the greatest risks are posed by the ways that third-party vendors and partners handle your information. It is recommended that you regularly assess third-party risk and ensure that their information security strategy is not putting your data at risk.

4. Ensure you are collaborating with experts for the best results

Driving technological and digital integrations requires a collaborative approach between your IT security team and information security specialists. Balancing innovation with security requires the appropriate levels of both expertise and complexity – a combination that can only be acquired with the help of professionals.

5. Build cyber security awareness into workplace culture

Security awareness is a key mitigating factor in the event of a breach. It can minimise the frequency of internal incidents and reduce human vulnerabilities that hackers often exploit. The role of the CFO is to set the directive for awareness. By merely displaying dedication to cyber security and championing a security-aware mindset, CFOs can ensure that educational programs are well-received and sustained.

6. Form an Incident Response (IR) team and plan

An IR plan outlines how the organisation will respond in the event of a breach or other security incident. It facilitates clear decision-making and defines accountability in the midst of mayhem, minimising downtime and financial damages incurred. CFOs, along with other executive figures, should know their roles throughout the entire response process and encourage regular practice of playbooks to improve response in specific cases.

7. Carry out regular vulnerability assessments and penetration testing

Automated vulnerability scanning and regular penetration tests are key to staying on top of threats and closing gaps before hackers can exploit them. Automated vulnerability assessments are a great tool for empowering businesses to proactively look for risk. However, penetration tests deliver the added benefit of industry expertise: ethical hackers will gauge the security of your environment and provide you with recommendations for improvement.

Cyber security is here to stay. Remember, it requires a dynamic approach.

It is important to note that as the industry changes and the threat landscape continues to evolve, the role of the CFO and other C-suite members will too. Staying on top of threats to your enterprise relies on awareness and a proactive approach. This means that CFOs should be determined to change and adapt to the security challenges thrown at them, and to motivate staff and other executives to follow suit.

For more information, please contact our cyber security professionals today.