Karl DiMascio, VP of Sales and Marketing at Auriga, looks at how the CFO can implement cyber security effectively through integrated Governance, Risk and Compliance (GRC)
Cyber security is now firmly on the agenda for Chief Financial Officers (CFOs), but this takes many into new, unfamiliar territory. In previous years, resource was devoted to the shifting sands of regulatory reform; now the emphasis is on achieving a state of cyber readiness, which requires new skill sets and the application of controls in a non-disruptive manner. Consequently, the role of the CFO now overlaps with that of the CIO or CISO, and CFOs are having to get to grips with the threat to the business and where to invest resource.
The urgency of the situation was recently exposed by Waking Shark II, a three-day simulated exercise organised by the Bank of England, the Treasury and the Financial Conduct Authority, which revealed the soft underbelly of the sector. An onslaught of simulated Distributed Denial of Service (DDoS) attacks, Advanced Persistent Threats (APTs) and PC wipe attacks exposed a lack of coordinated response and confusion over reporting procedures. Consequently, the Bank of England announced this week its intention to test threat responses by repeating the penetration testing exercise across twenty financial institutions later this year.
Waking Shark II provided the proof, if any were needed, that the call to arms issued by the ICAEW is well founded. The ICAEW has repeatedly said that the financial sector needs to address the cyber threat, drawing attention to the wealth of material at the disposal of financial institutions and, for instance, the need to limit the exposure of sensitive data during financial transactions. The key message from the ICAEW is that cyber security should not be seen as a bolt-on but as part of the way we do business. There is much here that should be familiar to the CFO: risk is part of doing business, and cyber risk is just another type of risk that must be managed, albeit within the context of an information risk management framework.
Part of the problem is that cyber security is traditionally regarded as an IT issue, when it should be regarded as a strategic initiative. While it is important to ensure appropriate technical controls are used, solutions are quite often deployed without a good understanding of the real business risk, what really needs protecting and how. Cyber security is most effective when it is driven by the business and implemented top-down.
In its ‘10 Steps to Cyber Security’, CESG advises implementing an information risk management regime in exactly this way, using the risk appetite of the business to determine the levels of risk that can be tolerated. The cyber risk pain threshold for each organisation will vary, so it needs to be assessed rigorously and the risk appetite communicated across the business to ensure engagement. Of course risk will fluctuate, so threats need to be monitored on a regular basis and recorded in a risk register, with the board kept informed to ensure buy-in. A company-wide corporate security policy and information risk management policy will also ensure that risk management becomes ‘business as usual’ for staff and part of data management, from the cradle to the grave.
Where the CFO can add value is by overlaying the information risk management framework on other processes to create economies of scale. The framework should form an integral part of Governance, Risk and Compliance (GRC), which is then aligned with business operational processes. By overlaying GRC onto the business, it becomes possible to create efficiencies through shared resource, deduplication and reduced operating costs.
However, finding the staff to assess and implement such programmes is no mean feat. A recent survey by recruitment specialists Robert Half revealed that 52 per cent of financial managers intend to devote spend to cyber security this year, with 39 per cent expecting to hire employees with expertise in this area. The same survey last year found 90 per cent of respondents were struggling to find skilled staff, suggesting there may not be enough cyber-savvy employees to go round. One solution may be to consider outsourcing such expertise, in whole or in part. Outsourcing ensures the CFO has access to specialists with current knowledge of existing and emerging cyber threats.
The cyber threat is not about to diminish. But it does present the CFO with a golden opportunity to steer investment, integrate GRC and realise benefits for the business, from greater efficiency and an engaged workforce to a more resilient, productive business.