Four Ways Finance Leaders Strengthen Cybersecurity

Leading CFOs provide real-time answers and updates to these questions via the following practices:

• Benchmarking cybersecurity spending – CFOs can contribute significant value in helping CIOs and CISOs assess whether the company is allocating sufficient funds to mitigate cybersecurity risks. Leading finance executives benchmark the organisation’s data security and privacy investments – which, in most companies, comprise anywhere from 5% to 12% of the total IT budget – relative to industry peers and in consideration of the organisation’s type as well as the type of data (consumer, employee, etc.) it must protect. Since these percentages can vary greatly by industry and depending on the inherent risk given the nature of the business, it is crucial to calibrate this assessment properly.
• Evaluating investment allocations – Once the cybersecurity budget has been determined, leading CFOs work closely with CIOs and CISOs to determine whether these funds are being invested in the right combination of capabilities (e.g., data governance, identity and access management, incident response, cyber insurance) that deliver the highest returns on investment. More boards expect management to have a firm grasp on those allocations, which help determine whether the company is spending the right amount on the right processes given the magnitude of its cyber risk exposure
• Quantifying the dollar amount of cyber risk – Board members have grown dissatisfied with the three-tiered risk ranking system (e.g., red, yellow, green) information security professionals have traditionally used. The CFO’s dollars-and-cents mindset can deliver much more precision by assessing cyber risks via a quantitative versus judgmental approach so that both business value and risk value are measured in the same way. Leading cyber risk quantification approaches rely on existing models and probabilistic simulation methods to pinpoint the cyber risk confronting an organisation. This risk analysis involves a broader group of business users, asset owners and other professionals who may not have been included previously in cyber risk assessments.
• Expressing cyber risk in business terms – The output of cyber risk quantification exercises helps CFOs translate technical data security and privacy matters into business terms that resonate with board members, CEOs and stakeholders throughout the organisation. In their board and C-suite updates pertaining to cybersecurity, finance leaders should keep in mind that directors and CEOs expect concise answers to fundamental questions: How much would a breach cost us? Do we have enough cyber insurance? Are we doing enough to minimise risk? Are we spending enough, and are we spending on the right things? What’s the ROI of our cybersecurity spend

Interested in learning more? Further insights and our full report, Finance Priorities in the COVID Era: Digital Dominance and Flexible Labor Models, are available at www.protiviti.com/financesurvey.

Top 10 Overall Priorities – CFOs/VPs Finance*