Top security guidelines for CFOs
October 2014 | EXPERT BRIEFING | RISK MANAGEMENT
Arguably, the role that most often gets overlooked when managing risk and making security decisions is the CFO. The CFO is put in the tough position of balancing investment in IT security against so many other elements. For those ‘in the know’, investing in security technology appears on the surface to be a relatively easy decision: “We need it”. But the CFO must constantly weigh the cost of managing cyber risk against all the other costs of doing business and make frugal assessments. Not only that, but more recently the personal stakes have increased tremendously, as more senior executives and board members face lawsuits and potential termination as a result of high-profile breaches that damage the company’s reputation and affect shareholder and customer trust.
In reality, there are so many solution offerings in the information security realm that choosing the right ones is no easy task for a CFO. According to a 451 Research report last year, titled The Real Cost of Security, “Given the 10 most recommended technologies and the pricing range, an organisation could expect to spend anywhere from $225,000 to $1.46m in its first year, including technology and staff”. Considering the costs related to security, it is little wonder that the CFOs might struggle when it comes to investing in this part of the business, even if they are fully cognizant of existing threats and the need to protect the company’s assets.
Like it or not, cyber threats are increasing in scale, scope and frequency, so investing in IT security is not a decision that can be put off until next quarter or next year. Furthermore, for CFOs of small or mid-size companies, using the company’s size as an excuse to put off this investment is short-sighted. Sure, Target, eBay and other breaches in the news remind us that big enterprises continue to be in the crosshairs of cyber criminals. But, according to the 2014 Symantec Internet Security Threat Report, 30 percent of all targeted attacks in 2013 were aimed at businesses with 1-250 employees. That number goes up to 41 percent if we factor in attacks against businesses with 251-500 employees.
When the people in an organisation responsible for security come to the CFO asking for the necessary financial and human resources, there are a number of questions the CFO might ask in order to make a good business decision and not succumb to the latest security technology hype. What security products are we already relying on and how are they performing? What are the gaps in our security posture that we need to fill, and, as we bring in new products, how easy will they be to integrate with our other security controls? If we have one or more security products in place, are they working with each other? Do we have a comprehensive view of the information these products are collecting and do we understand what they are collectively telling us? How are we monitoring all of our security controls to keep track of any threats coming into the organisation? How long does it typically take us to detect and respond to a threat? How often are our security systems updated with the latest global threat intelligence?
CFOs, no doubt, will care about protecting their organisations not just from financial peril, but also from fraud, identity and intellectual property theft. They will care about the company’s reputation, and about meeting all of the compliance regulations that their businesses might be subject to. As CFOs determine what the balance of investment and staffing in security should be versus other business costs, they should keep these two words in mind: unified security. By unifying the IT security controls already in place – or by insisting that any new security products are unified from the get-go – they’ll get far more out of existing investments because of the rich contextual threat data the unified controls will provide.
Of course, it is the role of the CFO to challenge any big spend and understand exactly what their organisations are going to get in return for their precious investments. It is also the job of the CFO to care about risk to the business. By asking these questions of their security or IT teams – even if they seem redundant to the questions those teams are already asking themselves as they evaluate security products or services – CFOs can help them stay true to the decision criteria they should be employing before making the purchase. And here’s the best news, especially for mid-size businesses that may not have already invested in all the IT security controls that large enterprises typically have: it is actually less expensive to start with a unified security management solution, from both a technology and a resource perspective. CFOs will find that a unified approach to security is the smart way to invest in this critical business need.
Barmak Meftah is CEO of AlienVault. He can be contacted on +1 (650) 713 3333 or by email: firstname.lastname@example.org.
© Financier Worldwide