How to Engage CFOs in Information Security Programs

Business information security is a major financial risk. It’s crucial for finance executives to factor information security considerations into risk-mitigation controls to obtain a complete picture of all the potential risks your organization faces.

Below, explore the benefits of an information security program, what a strong program looks like, and ways you can assess and validate existing controls to develop and improve your organization’s security framework. First, to stress the importance of improving security, there’s a quick reminder of how costly a data breach could be for your organization.

What Are the Financial Consequences of a Data Breach?

Data breaches happen more frequently in today’s business landscape—and they’re expensive. According to the 2020 Insider Threat Report from Cybersecurity Insiders, 30% of major security incidents result in damages between $100,000 and $500,000. Business email compromise scams alone have resulted in over 166,000 incidents around the world and $26 billion in losses since 2013, according to the 2020 Trustwave Global Security Report.

Recovery costs can exceed estimates very quickly. Information security should be considered a high-level risk because of its financial implications; it can directly affect an organization’s bottom line.

Beyond direct financial loss, other potential financial consequences include:

  • Reputation damage
  • Intellectual property theft
  • Regulatory fines

Cybersecurity insurance may be able to help you recoup direct financial loss, but it won’t protect against intellectual property losses or a hit to your organization’s reputation.

What Is an Information Security Program?

An information security program supports an organization’s technology framework by protecting IT assets, data, and business processes.

What Are the Steps of the Information Security Program Lifecycle?

Using a risk management framework, finance executives regularly decide which risk mitigation controls to implement based on risk trade-offs and regulatory pressures.

This framework includes:

  • Identifying the risk
  • Measuring and assessing it
  • Mitigation
  • Reporting and monitoring
  • Governance

When you tailor your current risk management framework to information security, it will also include more detailed and nuanced steps such as:

  • Performing audits and assessments
  • Establishing policies and procedures—testing recovery procedures, for example
  • Conducting penetration testing

Why Is It Important for Finance and Technology Teams to Collaborate?

Senior management’s commitment to robust internal controls is the top factor in a strong control environment. However, a cohesive, inclusive approach to cybersecurity can’t develop if finance executives aren’t working closely with their technology team. As you align your cybersecurity and corporate strategies, consider implementing a top-down approach.

Finance executives should become familiar with the language of the technology team, so they can spot potential financial risks faster.

It’s important that the technology team understands information security isn’t just a technology function; it’s a risk management function as well. Finance executives should help them interpret finance priorities, risks, and business drivers.

Sharing expectations and concerns can help open up lines of communication between teams and lead to a more robust information security program.

What Steps Can You Take to Encourage Collaboration Between Finance and Technology Teams?

Below are some steps finance executives and technology teams can take to strengthen your organization’s information security program:

  • Establish policies and procedures
  • Perform risk assessments
  • Conduct audits and penetration testing

Establish Policies and Procedures

Unlike most functions within an organization, your information security program has a direct relationship with every individual in the organization. Hackers will focus on finding the weakest link to exploit, and organizations became particularly vulnerable in the remote work environment during COVID-19.

It’s important to develop strong policies and procedures—especially disaster recovery procedures—to ensure every member of your organization knows their role and can work to minimize the risk of a cyberattack.

For more details, please see COVID-19 Can Lead to Cybersecurity Risks—Protect Your Organization and a Cybersecurity Checklist for Remote Work.

Perform Risk Assessments

Defensive measures need to be regularly assessed because attacks continuously evolve in sophistication. This is important to keep in mind as your organization examines new risks that have arisen during the COVID-19 pandemic.

Assessments provide a baseline status of your current information security program, so you know where to start when you’re creating a roadmap of next steps.

Assessments should:

  • Identify the assets you’re protecting
  • Measure security methods
  • Mitigate risks to valuable assets
  • Report and monitor effectiveness of security measures
  • Ensure proper governance is in place

Use the assessments to develop your plan and to prioritize the risks with the highest impact and the highest likelihood of leading to a data breach.

For more details, please see our articles How to Identify Common Cybersecurity Threats and Protect Your Organization and 5 Tips to Protect Your Company from Data Breaches.

Conduct Audits and Penetration Testing

Management should conduct periodic audits and penetration testing to validate that policies and procedures are being followed and that the controls believed to be in place are actually effective.

Penetration testing—also known as ethical hacking—is a pre-emptive step to identify the weak points in your network and systems before hackers do. The process is essentially a form of hacking, but performed ethically by a specialist—someone on your side.

This testing also serves as a quality assurance step after changes are made to networks or systems, checking whether any vulnerabilities could be exploited and result in a security breach.

For more details, please see our articles Stay Ahead of Cybersecurity Breaches and Off the Media’s Radar and Help Protect Customer Information with Security Code Review.

We’re Here to Help

To learn more about how you can improve your information security program, or how finance executives can become more involved in this process, please contact your Moss Adams professional.