As CIOs take a leading role in combating increasing cyber risk, they have a staunch and influential ally: the chief finance officer.
EY’s global study – Partnering for performance, Part 3: the CFO and the CIO – asked over 650 CFOs about their relationship with the CIO and their collaboration on four critical activities: cybersecurity, analytics, information management and digitizing the IT function. Kicking off with cybersecurity, in the next four weeks we will examine the other areas, drawing out how CIOs can build a rock-solid alliance with the CFO by tackling these critical priorities.
Sixty-six percent of surveyed CFOs identified cybersecurity as a high or very high priority. They have a critical role in valuing the company’s assets, and in quantifying the cost of a breach. This illustrates how cybersecurity has leapt up the C-suite agenda, with the financial, reputational and operational costs of a breach often becoming headline news. So, how should CIOs and CFOs collaborate to protect the organization?
- Treat cyber risk as part of enterprise risk management
Given cyber crime’s board-level importance, cyber risk should be treated as an enterprise risk management issue and not just an IT issue. Stephen Pearce, CFO at Fortescue Metals Group, says: “Cybersecurity has to be put in its position as part of the broader risk management framework of an organization.” By collaborating with CFOs, CIOs can ensure their technical defenses, such as firewalls, are combined with the wider organization approach to risk, including behavioral and culture change.
- Prioritize the assets that need protection
CFOs’ access to financial data means they can identify the assets that attackers are likely to target, such as intellectual property or financial data.
In a collaborative effort, CIOs and CFOs can identify which assets need protection and the impact of them being breached.
- Match your cybersecurity to your strategy
CIOs and CFOs should view cybersecurity as a series of rolling processes to be reviewed and revised as the organization changes. For example, a merger or acquisition can create new cyber risk exposures. This requires a tight partnership, with a regular cadence of meetings, between CFO and CIO, to discuss new acquisitions and potential holes in the defense lines.
- Discuss cyber risks in the language of business
CFOs will struggle to understand cybersecurity if it is expressed only in technical language. Without clarity of understanding, they won’t be able to decide how much to invest and what initiatives to prioritize. CIOs need to articulate cybersecurity risk in language that will resonate with the CFO and board. For example, translating highly technical metrics into broader themes that will resonate with a non-technical audience. You can read more about this topic in a recent issue of my blog.
Increasing risk puts premium on IT–finance relationship
Cyber attacks are increasing in sophistication, having moved from the days of hackers defacing websites to economic manipulation by syndicated criminal networks, in some cases sponsored by nation states. A strong CIO–CFO alliance is a critical line of defense in this heightened environment. When this relationship works, cybersecurity enjoys strong board support, robust technical defenses, and a laser-like focus on where efforts should be concentrated.