How to Engage Finance Executives in Information Security Programs

Business information security is a major financial risk. It’s crucial for finance executives to factor information security considerations into risk-mitigation controls to obtain a complete picture of all the potential risks your organization faces.

Below, explore how you can assess and validate existing controls to develop and improve your organization’s information security program.

Financial Consequences

Information security should be considered a high-level risk because of its financial implications; it can directly affect an organization’s bottom line. Data breaches happen more frequently in today’s business landscape—and they’re expensive. Recovery costs can exceed estimates very quickly.

Beyond direct financial loss, other potential financial consequences include:

  • Reputation damage
  • Intellectual property theft
  • Regulatory fines

Cybersecurity insurance may be able to help you recoup direct financial loss, but it won’t protect against intellectual property losses or a hit to your organization’s reputation.

Open Communication

Financial executives regularly decide which risk mitigation controls to implement based on risk trade-offs and regulatory pressures using a risk management framework.

This framework includes:

  • Identifying the risk
  • Measuring and assessing it
  • Mitigation
  • Reporting and monitoring
  • Governance

When you tailor your current risk management framework to information security, it will also include more detailed and nuanced steps such as:

  • Performing audits and assessments
  • Establishing policies and procedures—testing recovery procedures, for example
  • Conducting penetration testing

However, developing a cohesive, inclusive approach to cybersecurity can’t happen if finance executives aren’t working closely with their technology team.

Collaboration Between Finance and Technology Teams

Senior management’s commitment to robust internal controls is the top factor to a strong control environment. As you’re aligning your cybersecurity and corporate strategies, consider implementing a top-down approach.

Finance executives should become familiar with the language of the technology team, so they can spot potential financial risks faster.

It’s important the technology team understands information security isn’t just a technology function; it’s a risk management function as well. They should receive help interpreting finance priorities, risks, and business drivers from finance executives.

Sharing expectations and concerns can help open up lines of communication between teams and lead to a more robust information security program.

Next Steps

Below are some steps finance executives and technology teams can take to strengthen the effects of your organization’s information security program.

Establish Policies and Procedures

Unlike most functions within an organization, every individual in an organization has a direct relationship with your information security program. Cyberattackers will focus on finding the weakest link to exploit, and organizations have become particularly vulnerable in the remote work environment caused by COVID-19.

It’s important to develop strong policies and procedures—especially testing recovery procedures—to ensure every member of your organization knows their role and can work to minimize the risk of a cyberattack.

For more details, please see COVID-19 Can Lead to Cybersecurity Risks—Protect Your Organization and a Cybersecurity Checklist for Remote Work.

Perform Risk Assessments

Defensive measures need to be regularly assessed because attacks continuously evolve in sophistication. This is important to keep in mind as your organization examines new risks that have arisen during the COVID-19 pandemic.

Assessments provide a baseline status of your current information security program, so you know where to start when you’re creating a roadmap of next steps.

Assessments should:  

  • Identify the assets you’re protecting
  • Measure security methods
  • Mitigate risks to valuable assets
  • Report and monitor effectiveness of security measures
  • Ensure proper governance is taken

Get the assessments you need to help develop the plan and evaluate the risks based on those with the highest impact and highest likelihood of becoming a data breach.

For more details, please see our articles How to Identify Common Cybersecurity Threats and Protect Your Organization and 5 Tips to Protect Your Company from Data Breaches.

Conduct Audits and Penetration Testing

Management should conduct periodic audits and penetration testing to validate if policies and procedures are followed and perceived controls are effective. 

Penetration testing—also known as ethical hacking—is a pre-emptive step to identify the weak points in your network and systems before hackers do. The process is a form of essentially hacking, but performed ethically by a specialist—someone on your side.

This testing serves as a quality assurance step after changes are made to networks or systems to check if any vulnerabilities could be exploited and result in a security breach.

For more details, please see our articles Stay Ahead of Cybersecurity Breaches and Off the Media’s Radar and Help Protect Customer Information with Security Code Review.

We’re Here to Help

To learn more about how you can improve your information security program, or how finance executives can become more involved in this process, please contact your Moss Adams professional.

Note on COVID-19

During this unparalleled time, we’re closely monitoring the COVID-19 situation as it evolves so we can provide up-to-date guidance and support to help you combat uncertainty. For regulatory updates, strategies to help cope with subsequent risk, and possible steps to bolster your workforce and organization, please see the following resources: