Cybersecurity is a CFO issue
CFO: need to know
CFOs must lead on cybersecurity
Under cyber attack, EY’s 16th annual Global Information Security Survey, shows that cyber attacks around the world are increasing in volume and sophistication. Many organizations do not even know they are victims of cyber attacks.
The costs of these attacks to the organization – whether financial or reputational – can be staggering. For CFOs, information security needs to be a top priority in safeguarding their organization’s future.
EMEIA Cybersecurity - find out more
Threats are increasing. Of the 1,900 organizations around the world surveyed for this study, 59% cite an increase in external threats in the last year. However, more companies have been compromised than realize it.
Companies are doing more, but not enough. While 43% of respondents say their company has increased their budgets for information security, many information security professionals believe that they have insufficient resources to meet the threats they face.
The C-suite must be on board. To build the capacity to tackle the increase of cyber threats, executives must support their information security teams. Together they can put the investment and strategy in place. Just 1 in 10 of the organizations we surveyed currently has monthly cybersecurity briefings to the board.
Many have not aligned cybersecurity to risk. Organizations need to align their cybersecurity strategy to their risk appetite and the overall risk environment. Sixty-two percent of those we surveyed had not created this alignment.
Organizations should spend more on innovation. When it comes to cybersecurity, organizations need to spend less on operations and maintenance, and more on investigation and innovation. Currently, only 14% of cybersecurity spending goes on security innovation, despite the rapid evolution of hacking techniques.
New developments are going to mean new threats. If companies spend too much time and resources dealing with threats to their current technology, they may find themselves exposed when the next wave of technological change comes. New developments, such as big data and “bring your own cloud,” and those further off, such as “in-memory computing” and the “Internet of Things,” must be considered now.
Cyber threats are changing. Hackers are becoming more organized and sophisticated, and many recent cyber attacks have involved the electronic siphoning of funds. As well as posing a significant reputational risk, these kinds of attacks can invite greater regulatory scrutiny, which in turn increases organizational costs.
Cybersecurity must be a permanent focus. Cyber criminals are constantly changing their methods to take advantage of new technologies and new weaknesses in corporations. Companies can never completely fix cybersecurity. Organizations must continue to focus on it, and aim to recognize and counter threats before they appear.
Five steps for CFOs toward cybersecurity
There is no single solution to the problem of cyber risks. Here are some steps that CFOs can take to get their organization on the path to a secure future:
- Make cybersecurity a board-level issue
CFOs can get cybersecurity embedded in the company’s core risk processes. CFOs can reach across departments, to ensure that all stakeholders know what they most need to protect – and to ensure that the whole organization moves swiftly to counter new threats.
- Have a clearly defined strategy and involve all relevant stakeholders
CFOs need to identify all the stakeholders (both internal and external) whose activities could lead to an increase in vulnerability.
Internal stakeholders should know what they must protect. All external stakeholders should understand their responsibilities and liabilities.
- Make the right investments in projects and people
Getting the right people on board is a vital step to counter the threat of cyber attacks. Fifty percent of respondents to our most recent Global Information Security Survey reported that a lack of skilled people presented a barrier to value creation in cybersecurity.
CFOs need to invest enough, and in the right people, to build a team with the skills to innovate constantly in the changing information security landscape.
- Stay current on emerging threats, and change processes as needed
Businesses do not stand still, but neither does cyber crime. The rate and complexity of attacks are always increasing. This means that once an organization has got to grips with today’s threats, it needs to take steps to address the threats of the future.
- Measure and monitor performance regularly
Establishing the right metrics for cybersecurity is a job perfect for the CFO. CFOs need to make sure that their company’s priorities are protected, and that everyone is pulling together to make their business strong and resistant to cyber threats.
CFOs need to find answers to some questions:
- Are the same incidents occurring repeatedly?
- How quickly are we detecting incidents?
- What training, technology and controls are in place to ensure that incidents do not happen again?
Q&A on cybersecurity with Ken Allan
The threat of a cyber attack on an organization is real and can seriously compromise a company’s future growth and profitability. In our annual Global Information Security Survey, we found that 59% of organizations reported a rise in external threats in the last year.
Ken Allan, EY’s Global Information Security Leader, believes it’s vital for companies to recognize that cybersecurity is a board-level issue and tells us why he thinks the CFO is best placed to protect a company from future breaches.