What is the Chief Financial Officer (CFO)’s role in the organization?
- Provides both operational and programmatic support to the organization
- Supervises the finance unit and is the chief financial spokesperson for the organization
- Reports directly on all strategic and tactical matters as they relate to budget management, cost benefit analysis, forecasting needs, and securing new funding.
Are risk management and cybersecurity part of the CFO’s job?
Absolutely! First of all, IT can no longer do it alone and must rely on everyone since we now all carry computers and sensitive information in our hands. ALL of your personal information as well as the company’s sensitive information travels across networks and is stored on computers. As computers have gotten smaller, the rush for convenience has dramatically outpaced and stripped IT of its ability to secure all data.
But cybersecurity is entirely the domain of the IT department, right?
Not entirely. Cybersecurity has fallen into the lap of the IT department. Holding them 100% responsible for securing ALL information is like telling the police they are 100% responsible and liable for securing our homes.
It’s not about computers—it’s about the information!
Cybersecurity too often focuses on securing the computer or network when it should be about securing the INFORMATION that sits on that computer or network. After all, before computers existed, the CFO was responsible for securing the hard copies of budgets and other sensitive financial documents. To complicate matters, computers have morphed from very large mainframes that could be consolidated and controlled in one room to very small chips in everyone’s pockets.
We ALL need to take responsibility for protecting the information we control.
The information the CFO controls and works with is some of the most sensitive and important information in an organization. The CFO must understand where information is at all times, how it is secured, who wants to steal or disrupt it and by what means, etc. Consider some of the more famous cyberheists that have occurred in the last two years and the fate of the victim companies. The company was hacked, their communication with the banks was cutoff, and the tokens to transfer money were stolen; then, thousands and even millions of dollars were transferred.
So, how do we take responsibility for protecting that information?
Start to view the protection of information as a risk management issue.
Start with a risk assessment to determine what information you have, how it flows across the organization, the ingress and egress points, how it is secured, who has access to it, etc.
Then categorize that information based on recognized or established labels in the organization, e.g., secret or sensitive, proprietary, HR sensitive, public, etc.
Next ensure the information is secured based on its level of sensitivity.
Many other pieces and details exist within each of these assessment categories, so this is a general overview of the steps.
Get professional help drafting policies
Once the risk assessment is complete, draft and implement the necessary policies. The policy(ies) should outline what is protected, how, and each employee’s and executive’s role and responsibility for protecting the information. The policy should also outline the standards and procedures that must be followed as well as what to do in the event of an incident.
Get live training for your team
Finally, train all. Ensure ALL in the organization receive live cybersecurity awareness training.
Why live training?
A good cybersecurity awareness course will review the threats to data and explain who the hackers are, how they get in, and why it is important to utilize the security implemented. It will also provide the latest information on the latest threats and tips for keeping information safe and secure—imperative with the rapid evolution of technology and cyber threats.
Smartphones have enabled us all to carry computers in our hands, providing easy access to very sensitive information anywhere and at any time. It is everyone’s responsibility to employ good cybersecurity to protect information, and education is the first step in ensuring that happens.
Bring in the professionals
Bringing in someone from the outside to help you step through this journey is important. Securing information, risk management, and cybersecurity can be daunting if it is not your job. An outside set of eyes will see issues you might miss.
Finally, your organization should have an annual security audit and penetration test / vulnerability assessment to help to:
- Lower the risk of a cybersecurity incident or data breach
- Reduce the liability associated with a breach if one does occur
- Help the organization detect and recover quickly
- Protect the reputation of the organization
The CFO can champion the efforts to make your company more secure.