The APQC Blog

Cybersecurity, Blame IT at Your Peril

It is easy to think of cybersecurity as the domain of IT, but with the number of electronic and networked devices needed for day-to-day business tasks multiplying, that is an old way of thinking. Cybersecurity is everyone’s job and a failure to prepare hurts the organization’s bottom line. CFO’s can play an important role in this by taking on a stronger leadership role in preparing for cyber incidents.

A recent article by CFO Magazine indicated that CFOs are starting to get the hint and take on broader duties with their organizations’ cybersecurity operations. In the article, 42 percent of CFOs surveyed indicated they are owner or co-owner of their organization’s cybersecurity. A higher number, 66 percent of surveyed CFOs, indicated that they understand information security issues and can translate topics to board members.

In contrast, the same article indicated that executive level finance personnel do not completely understand the complex nature of cyber security. One of the most telling aspects is that a number of CFOs indicted their organization did not experience a data breach in the past year. Given that most data breaches take anywhere from several months to a year to detect, it is much more likely every CFO surveyed worked at an organization with at least one data breach they were unaware of.

Given the time needed to detect a data breach and the ever evolving nature of cyberattacks, organizations need to take detection and response much more seriously. Not all cyber-attacks are blatantly obvious incidents. Some are designed to set up a back door for use later while others are designed to come into effect after a period of time like a ticking time bomb. A growing number of cyberattacks are now state sponsored and are undertaken by individuals or groups with state-of-the-art equipment and excellent funding, perhaps on par with a targeted organization depending on the country of origin. A cybersecurity budget heavily tilted towards prevention is not the best strategy for an organization and shifts focus away from existing problems.

If organizations want to take cybersecurity seriously, they need well thought out response and damage assessment plans. Response plans need to factor in such items as legal liability, reputation risk, and employee reactions. This is especially true if a large number of customer or employee’s personal information is stolen. Damage assessment plans needs to look beyond business interruptions and financial loss to customer impact and resulting lost business. Retail outlets can be particularly hard hit by a poor response if there is a large, negative media backlash.  

Despite the high tech nature of cybersecurity, all divisions within the organization need to understand it. Personal data breeches, stolen plans for a new product, or a denial of service attack stopping customers from ordering online are all things a CFO and the rest of the board care about. 

Follow me on Twitter @MCappelli_APQC or find me on LinkedIn.

Stay up to date with our upcoming financial management process improvement research, webinars, and more by visiting our expertise page.