As CEOs and boards become more informed about the extreme threats that cybersecurity lapses pose, their expectations are growing. CFOs’ expanding contributions to fortifying organizational data security, the highest priority identified in Protiviti’s latest Global Finance Trends Survey, play a pivotal role in satisfying those high expectations. Board members demand coherent, relevant and timely updates from their organizations’ CIOs and CISOs on the state of data security and privacy capabilities, as well as clear insights from CFOs on cybersecurity investments: Are we protected? Are we spending enough? Are we investing wisely? How do we know?
Leading CFOs provide real-time answers and updates to these questions via the following practices:
- Benchmarking cybersecurity spending – CFOs can add significant value by helping CIOs and CISOs assess whether the company is allocating sufficient funds to mitigate cybersecurity risks. Leading finance executives benchmark the organization’s data security and privacy investments – which, in most companies, comprise anywhere from 5% to 12% of the total IT budget – against industry peers, taking into account the type of organization and the type of data (consumer, employee, etc.) it must protect. Because these percentages vary greatly by industry and with the inherent risk of the business, it is crucial to calibrate this comparison properly rather than treating a peer average as a target.
- Evaluating investment allocations – Once the cybersecurity budget has been determined, leading CFOs work closely with CIOs and CISOs to determine whether these funds are being invested in the right combination of capabilities (e.g., data governance, identity and access management, incident response, cyber insurance) to deliver the highest return on investment. More boards expect management to have a firm grasp on those allocations, which shows whether the company is spending the right amount on the right processes given the magnitude of its cyber risk exposure.
- Quantifying the dollar amount of cyber risk – Board members have grown dissatisfied with the three-tiered risk ranking system (e.g., red, yellow, green) that information security professionals have traditionally used. The CFO’s dollars-and-cents mindset can deliver much more precision by assessing cyber risks quantitatively rather than judgmentally, so that business value and risk value are measured in the same units. Leading cyber risk quantification approaches rely on existing models and probabilistic simulation methods to estimate, in dollar terms, the cyber risk confronting an organization. This risk analysis involves a broader group of business users, asset owners and other professionals who may not have been included previously in cyber risk assessments.
- Expressing cyber risk in business terms – The output of cyber risk quantification exercises helps CFOs translate technical data security and privacy matters into business terms that resonate with board members, CEOs and stakeholders throughout the organization. In their board and C-suite updates pertaining to cybersecurity, finance leaders should keep in mind that directors and CEOs expect concise answers to fundamental questions: How much would a breach cost us? Do we have enough cyber insurance? Are we doing enough to minimize risk? Are we spending enough, and are we spending on the right things? What’s the ROI of our cybersecurity spend?
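The quantification approach described in the two preceding points, as an added example that is not part of the Protiviti report or survey: a small FAIR-style Monte Carlo model in Python. Each loss scenario is given an event frequency (Poisson rate per year) and a single-event loss size (lognormal dollars); simulating many years yields a loss distribution, from which the board-facing figures are read off: annualized loss expectancy (ALE), the loss-exceedance percentiles that frame the cyber-insurance question, and the return on a proposed control. The scenario names and all parameter values are constructed for illustration, not survey data.

```python
"""Added example: FAIR-style Monte Carlo cyber-risk quantification.

Frequency  ~ Poisson(events_per_year)
Magnitude  ~ Lognormal(median_loss, sigma)   per event
Annual loss = sum of event losses in a simulated year.
All scenario parameters below are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float            # Poisson rate of loss events (lambda)
    median_loss: float                # median dollar loss of a single event
    sigma: float                      # lognormal dispersion of the loss size
    annual_control_cost: float = 0.0  # yearly cost of the controls assumed


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < threshold:
            return count
        count += 1


def simulate_annual_losses(s: Scenario, trials: int, seed: int = 1) -> list[float]:
    """Return `trials` simulated annual loss totals for the scenario."""
    rng = random.Random(seed)          # fixed seed: reproducible board figures
    mu = math.log(s.median_loss)       # lognormal median is exp(mu)
    results = []
    for _ in range(trials):
        n_events = sample_poisson(rng, s.events_per_year)
        results.append(sum((rng.lognormvariate(mu, s.sigma) for _ in range(n_events)), 0.0))
    return results


def percentile(sorted_losses: list[float], p: float) -> float:
    idx = min(len(sorted_losses) - 1, int(p * len(sorted_losses)))
    return sorted_losses[idx]


def summarize(losses: list[float]) -> dict[str, float]:
    """ALE plus the loss-exceedance points a board will ask about."""
    ordered = sorted(losses)
    return {
        "ale": sum(losses) / len(losses),
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
        "p50": percentile(ordered, 0.50),
        "p90": percentile(ordered, 0.90),
        "p95": percentile(ordered, 0.95),
        "p99": percentile(ordered, 0.99),
    }


def analytic_ale(s: Scenario) -> float:
    """Closed-form check: lambda * E[lognormal] = lambda * median * exp(sigma^2 / 2)."""
    return s.events_per_year * s.median_loss * math.exp(s.sigma ** 2 / 2)


def control_roi(baseline: Scenario, controlled: Scenario, trials: int = 40_000) -> dict[str, float]:
    """Risk reduction bought by the control, net of its cost, and return on security investment."""
    base = summarize(simulate_annual_losses(baseline, trials))   # same seed for both runs:
    ctrl = summarize(simulate_annual_losses(controlled, trials)) # common random numbers
    reduction = base["ale"] - ctrl["ale"]
    cost = controlled.annual_control_cost
    return {
        "ale_reduction": reduction,
        "net_benefit": reduction - cost,
        "rosi": (reduction - cost) / cost if cost else math.inf,
        "p95_reduction": base["p95"] - ctrl["p95"],
    }


# Constructed scenarios (illustrative values, not survey data): a customer-data
# breach, with and without a hypothetical detection-and-response investment.
BASELINE = Scenario("customer-data breach, current state", 0.4, 250_000, 0.9)
CONTROLLED = Scenario("with added detection/response", 0.2, 150_000, 0.9,
                      annual_control_cost=60_000)

if __name__ == "__main__":
    for s in (BASELINE, CONTROLLED):
        stats = summarize(simulate_annual_losses(s, 40_000))
        print(f"{s.name}: ALE ${stats['ale']:,.0f} (analytic ${analytic_ale(s):,.0f}), "
              f"P(any loss) {stats['p_any_loss']:.0%}, "
              f"p95 ${stats['p95']:,.0f}, p99 ${stats['p99']:,.0f}")
    print({k: round(v) for k, v in control_roi(BASELINE, CONTROLLED).items()})
```

Two things in the output are worth pointing out to a board. With 0.4 events a year the median simulated year has zero loss, so a single "expected" or "typical" figure understates the exposure; the p95 and p99 values are what an insurance limit should be compared against. And the control's value is the difference between two loss distributions, not a guess: if the ALE reduction exceeds the control's annual cost, the ROSI is positive, which answers "are we spending on the right things" in the same dollar units as the rest of the finance function.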
Interested in learning more? Further insights and our full report, Finance Priorities in the COVID Era: Digital Dominance and Flexible Labor Models, are available at www.protiviti.com/financesurvey.
Top 10 Overall Priorities – CFOs/VPs Finance*