The growing sophistication of cyber-attacks has made it clear that even corporations with savvy prevention and protection systems are vulnerable. Cyber security is not just an IT issue but instead a cross-functional concern for the digital enterprise that requires attentive executive- and board-level surveillance. It also requires the involvement of key functions, particularly finance and enterprise risk management (ERM). With most CFOs taking on day-to-day supervision of ERM process owners, the CFO should make sure this concern is not relegated to perfunctory quarterly reporting by the IT team.
The involvement of key functions beyond IT is important in addressing cyber security because the ramifications of hacking can be immense. CFOs, along with any senior manager of a finance process, are responsible for safeguarding mission-critical activities such as managing liquidity, accounting, and statutory reporting. And chief risk officers clearly bear a significant responsibility for expanding the organizational awareness of cyber risk. Such decision makers need to ask:
- Are cyber threats designated as strategic risks and subject to formal ERM process treatment?
- What mitigation and audit policies are in place and how do they stay current with the quickly evolving nature of cyber security risks?
- How are those policies enforced?
- How are we addressing violations?
- How are our network dynamics changing right now?
- How do we assess the security risks of our partners, supply chain, and prospective acquisitions?
- How resilient is each financial process in the event of a cyber-attack?
The work triggered to answer such questions not only affects IT and network operational concerns but also puts functional decisions in a strategic context. Everything is connected, and a corporation’s cyber risk management model is no better than its weakest element. I discussed this topic recently with Ray Rothrock at RedSeal. Check out Managing Cyber Security Risk in Corporate Networks to read our discussion on digital resiliency and how decision makers can approach security protection.