Cybersecurity and the CFO - Financial...

Cybersecurity Insight Piece © Partner Financial Ltd 2018.


Post on 30-Jul-2020


Page 1: Cybersecurity and the CFO - Financial Partnerpartnerfinancial.co.uk/wp-content/uploads/2018/05/Cyber... · 2018-06-15 · datory reporting of a personal data breach that results in


According to EY, ‘…four new forces are changing the expectations placed on CFOs: digital; data; risk and uncertainty; and stakeholder scrutiny and regulation’ [1].

• Digital – ‘58% of finance leaders say they need to build their understanding of digital, smart technologies and sophisticated data analytics.’ [1]

• Data – ‘57% of group CFOs believe that the delivery of data and advanced analytics will be a critical capability for tomorrow’s finance function.’ [1]

• Risk & Uncertainty – ‘57% of finance leaders believe that risk management will be a critical capability in the future.’ [1]

• Stakeholder scrutiny and regulation – ‘71% of finance leaders say they will increasingly be responsible for the ethics of decision-making in support of their organization’s purpose.’ [1]

Given that each of these areas links, in some way or another, to cybersecurity, it is essential that CFOs understand the implications of cybersecurity for their role and see IT as more than just a cost. This is perhaps where the first mistake lies: cybersecurity is considered an ‘IT cost’ when in actual fact ‘cybersecurity (should be) a key part of business strategy rather than technology governance.’ [2]

This is not to say that CFOs will replace the CIO/CISO. On the contrary, it is essential that these ‘two critical business functions work together to create a reciprocal dialogue which is understood by both parties, formulate easily navigated frameworks, and educate the entire organisation to the scale of (the cybersecurity) threat landscape’ [3].

By building a strong relationship with the CIO, this alleviates the need for CFOs to understand the jargon related to cybersecurity. However, they do need to understand the implication of security policies on critical business accounts and transactions, and vice versa.’ [3] At present, ‘Under the current UK data protection law, most personal data breach reporting is best practice but not compulsory’ [4]. The impending GDPR will however change this and ‘mandatory reporting of a personal data breach that results in a risk to people’s rights and freedoms under the GDPR will be (a) new requirement for many.’ [4]

This has significant financial and non-financial implications for organisations within the UK should they be exposed to a data breach:

• ‘When any large-scale breach occurs a considerable amount of that trust is lost, sometimes irrevocably’. [5]

• ‘cyberattacks and data breaches can measurably affect an organization’s bottom line’. [5]

• The impact is unlikely to be temporary: ‘A study…by IT consultant CGI and Oxford Economics concluded that severe breaches caused share prices to fall an average of 1.8% on a permanent basis.’ [5]

• ‘According to the Ponemon Institute’s “2014 Cost of Data Breach Study: Global Analysis,” the average total cost for a data breach is now $3.5 million globally’. [6]

THE RISE OF CLOUD COMPUTING

Research suggests that ‘companies who have deployed cloud broadly are gaining competitive advantage over their rivals that have not in ways that matter. These pacesetters are re-inventing customer relationships, using analytics extensively to derive insights from big data, sharing data seamlessly, and making data-driven and evidence-based decisions. Most importantly, pacesetters are growing revenue and gross profit faster than other organizations.’ [7]

If this is the case, then clearly it makes strategic business sense to move away from legacy IT systems and embrace the cloud. However, the rise of cloud computing has undoubtedly influenced the complexity of cybersecurity: ‘Clouds are often made up of multiple entities, which means that no configuration can be more secure than its weakest link’ [7]. Whilst cloud service providers do offer a high level of security measures, it is essential to remember that the ‘organisation, and not the cloud service provider, is ultimately accountable for keeping their data secure.’ [8]

Cloud computing clearly offers financial benefits and opportunities to an organisation, which are of course of interest to the CFO, but on balance, the risks that present themselves from a cybersecurity perspective must also be regarded with the same, if not increased, level of priority. There is clearly an identifiable ROI when considering moving to the cloud, but ‘Cybersecurity performance and ROI can’t be measured the same way that revenue and operating costs can’ [5]. So instead, CFOs need to ‘continuously review and address known vulnerabilities (to avoid) the “inverse ROI of not doing cybersecurity.”’ [5]

THE CFO AND CIO RELATIONSHIP

As alluded to earlier, perhaps one of the reasons that CFOs are not considering the impact of cybersecurity is the sheer complexity of this topic. It is understandable that, as a CFO, you may not ‘know enough about application security to envision the cost savings, resilience and risk reduction such solutions enable’ [5].

By building a relationship with the CIO/CISO and creating an environment where cybersecurity is seen as ‘an extension of enterprise governance, risk management, compliance, and control activities’ [9], a CFO doesn’t need to be a cybersecurity expert. Consider this: ‘if your security team proposes making a new investment in a cheaper, better approach, will you back them up or miss the boat?’ [5]

From a top-down perspective, every business decision and area ultimately impacts finance in one form or another. This means that, as the CFO, you have influence on every aspect of a business. Cybersecurity also impacts every area of a business, whether it be the personnel data held in the HR function, the customer data held by the sales team or the strategic plan held by the Board. As a CFO you ‘are in a prime position to help build a culture of security throughout an organization by emphasizing its importance to the bottom line, business continuity, competitive advantage, and brand reputation. Trust in the digital economy is critical. Trust between CFOs and security leaders is an important and fruitful place to start—and a way to guarantee strong bonds between a business, its shareholders and its customers.’ [5]

ABOUT US

Partner Financial is the stand-out performer in the financial recruitment industry. Since 2007, Partner Financial’s Partners and Associates have worked with senior finance business leaders throughout industry and commerce to advise on selection, building commercial finance expertise and developing human capital solutions.

[1] http://www.ey.com/gl/en/issues/managing-finance/ey-cfo-program-dna-of-the-cfo-four-forces

[2] https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/meeting-the-cybersecurity-challenge

[3] http://www.thecsuite.co.uk/cfo/information-technology-cfo/cybersecurity-for-the-cfo-its-all-about-risk/

[4] https://iconewsblog.org.uk/2017/09/05/gdpr-setting-the-record-straight-on-data-breach-reporting/

[5] https://www.infosecurity-magazine.com/opinions/cybersecurity-cfo-risk/

[6] https://www2.deloitte.com/us/en/pages/finance/articles/chief-financial-officer-cfo-cybersecurity-cyber-risks-cyberattacks.html

[7] https://www.ibm.com/blogs/cloud-computing/2013/11/how-cloud-computing-provides-competitive-advantage/

[8] http://www.information-age.com/approach-cloud-computing-cyber-security-2017-123466624/

[9] https://www.financialdirector.co.uk/2017/12/15/cfos-need-concerned-cybersecurity


CONTACT US

E [email protected]

T +44 (0)20 3178 4996

W partnerfinancial.co.uk