The Role of the CFO in Cyber Security

Video information:

In this video, Sean discusses the important role of the modern-day CFO in cyber security.

Hello, I’m Sean Huggett. I’m one of the directors at Evalian. We’re an information security, data protection, and business continuity services provider. And in this video, I’m going to talk about the role of a CFO in cyber security.

The Chief Financial Officer is increasingly becoming the individual with board-level accountability for cyber security in their business. Now, that might sound strange given that cyber security is often associated with individuals who have detailed computing knowledge and who understand alien concepts like threat actors and attack vectors. But at its core, cyber security accountability is about business risk management. And that’s a concept that any Chief Financial Officer is going to be very familiar with.

Five or more years ago, it would have been unusual to see cyber risk on an enterprise risk register, or listed as a key risk in an annual report. In smaller organisations, cyber risk has long been an afterthought when compared to concerns such as financial risk, competitive pressures, and even staffing issues.

Now, though, cybersecurity risk should be in the minds of all business executives. Unlike with other types of risk, the Chief Financial Officer can expect to be responsible for ensuring that the cyber risks facing their organisation are suitably mitigated and that the compensating controls introduced to manage them do not disproportionately affect business opportunity. These are business considerations, not technical ones, and this is why the Chief Financial Officer is increasingly becoming the person to own them. And being a CFO, the types of risks you’re used to managing will be the same risks that you’ll manage when dealing with cyber. For example, a cyber breach can lead to financial impacts, reputational damage, business interruption, and, of course, regulatory action.

As CFO, you’re going to want to have a view of the potential cyber threats faced by your company and the vulnerabilities that could be exploited by threat actors in order to truly understand what your risk profile looks like. Now this isn’t as challenging as it sounds, because many of the threats that you face will be shared with most other organisations, for example, ransomware. But the vulnerabilities applicable to your organisation will be unique to your business. It’s therefore important, as a CFO, that you understand what these vulnerabilities look like. So for example, do you have business-critical systems that are connected to the internet which have not been updated with the latest security releases? These are the types of known vulnerabilities that make your organisation more susceptible to a successful attack. Armed with knowledge about your vulnerabilities and based on input from your internal or external security subject matter experts, you can then start to take a view on how you manage the risks. Cyber security risk management, like any other risk management discipline, is ultimately about finding the right balance. You can’t eradicate all cyber risk, and frankly, you won’t have an unlimited budget for the cyber controls that you could put in place to manage the risks you face. So your role is going to be to understand what the highest impact risks are and what the steps are that could be taken to mitigate them and reduce them to a more tolerable level.

Now even then, you’re not going to have the time or money to take all of the steps that you’d like to take. So it’s going to be important to scrutinise and critique the strategy, as well as the third-party products and services that you could choose when thinking about managing security, to ensure that they provide the very best return on your investment in the context of your risks and the budget that you have available.

In truth, this is going to be a balancing act, and some difficult decisions may need to be made. But these are the very skills that you as a Chief Financial Officer will be using across all aspects of your business on a continuous basis. And this is one of the reasons why your role is ideally placed to be accountable for cyber risk.

In summary then, the role of the CFO in cyber security is probably more familiar than you might think. It’s about understanding the risks, prioritising them and acting as a critical friend to those people who have responsibility for mitigating them in your business. This includes ensuring that your policies, your technologies, and the services that you’re consuming from others to address cyber security risks are focused on those with the highest impact, and making sure that plans are in place to support remediation and business recovery following a cyber breach.

Founder and Managing Director for Evalian

Sean specialises in data protection, information risk and information security consulting. He is a qualified barrister, having been called to the Bar in 1998, and started his career as an in-house lawyer working in intellectual property, data protection and commercial contracts. He later progressed into commercial leadership roles, working in a number of sectors before specialising in governance, risk and compliance with a focus on privacy and security. Sean is also Managing Director at Evalian®.

His qualifications include IAPP CIPP-E, CIPT, GDPR Practitioner Certificate, ISO 27001 Lead Implementer, ISO 27001 Lead Auditor and CISMP.
