Today, CFOs find themselves at the forefront of a crucial battle – understanding and effectively communicating the risks and strategies associated with cybersecurity in financial terms. Despite the widely acknowledged mantra that “cyber is a business problem,” the gap between Chief Information Security Officers (CISOs) and CFOs persists. Cybersecurity leaders have often communicated risk using vague heatmaps and technical jargon—not a good look for board reporting or investor confidence. With the newly released SEC cyber rules requiring materiality determination and incident disclosure, cyber risk expressed in dollars is increasingly becoming a top priority. To thrive as a CFO in today’s world, you need to have a playbook to make sure cyber risk is not lost in translation. Here are the top 8 steps we use to help CFOs bridge the communication gap:
- Align the Security Team with Business Operations: Understanding the specific cyber events that can impact the business based on how technology is utilized is crucial. This alignment helps in determining the potential risks and developing effective strategies that are centered around storytelling for mission-critical functions of the business. There are very specific consequences of a cyber-attack such as supply chain disruption, business interruption, and reputational damage that need to be documented and analyzed.
- Leverage Cost Estimation Based on Operational Data: Utilize operational data to estimate the costs associated with potential cyber events. This financial perspective provides a tangible understanding of the potential impact on the organization’s bottom line. It can also expose knowledge gaps within a certain business unit that will require more specialized expertise before a cyber-attack happens, often resulting in mitigating measures to reduce potential impact.
- Rank Events by Financial Impact: Once costs are estimated, rank cyber events based on their financial significance. This prioritization allows for a focused approach to mitigating the most impactful risks. The past few years have demonstrated the importance of preparing for low-probability but high-impact events.
- Match Investments to Mitigate Risks: Allocate resources and investments based on the prioritized cyber events, ensuring that spending aligns with the risks that matter most to the business. This is particularly important when demonstrating the cost and benefit of a particular security control group which may look more costly to implement yet will result in a dramatically greater risk reduction outcome.
- Consider Insurance Policies: Evaluate how existing insurance policies factor into the residual risk and financial exposure. Understanding the coverage and limitations of insurance can guide investment decisions. Insurance deductibles and retentions are often intricately linked to a company’s materiality determination or risk tolerance threshold. Materiality, in this context, is a measure of the significance of an event, and understanding how it intersects with insurance can be a game-changer. The SEC Cyber Rules require this level of materiality understanding as well for reporting.
- Enhance Cyber Reporting: Regularly update cyber reporting mechanisms to capture the identified events and demonstrate the return on investment (ROI) of cybersecurity spending. This transparency is essential for effective communication with the board and other stakeholders. It also comes into play in the previous materiality discussion, such as which events are deemed significant to report to the SEC within their 4-day disclosure period.
- Implement a Cyber System of Record: Establish a system of record to capture real-time decisions, trade-offs, and new developments in the cybersecurity landscape. This enhances integration across teams, and by documenting the what and the why behind decisions and actions, may help shield the company and individuals from prosecution and litigation should an incident occur.
- Define KPIs for the Cyber Organization: Work collaboratively with the CISO to establish Key Performance Indicators (KPIs) for the cybersecurity organization that everyone, including non-technical stakeholders, can understand. These KPIs serve as a metric for measuring the effectiveness of cybersecurity initiatives.
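As an added worked example (not part of the original article), here is a small Python model of the cost-estimation, ranking, insurance and investment-matching steps above: each event gets an assumed annual probability and loss, events are ranked by expected annual loss, an assumed policy deductible and limit give the residual loss the company would absorb, that residual is checked against an assumed materiality threshold, and two candidate controls are compared by risk reduction per dollar. All figures are constructed.

```python
from dataclasses import dataclass


@dataclass
class CyberEvent:
    name: str
    annual_probability: float  # assumed chance the event occurs in a year
    gross_loss: float          # estimated cost if it occurs (USD)

    def expected_loss(self) -> float:
        return self.annual_probability * self.gross_loss


def insured_loss(gross_loss: float, deductible: float, limit: float) -> float:
    """Amount an assumed policy pays: above the deductible, capped at the limit."""
    return max(0.0, min(gross_loss - deductible, limit))


def residual_loss(gross_loss: float, deductible: float, limit: float) -> float:
    """What the company still absorbs after the policy responds."""
    return gross_loss - insured_loss(gross_loss, deductible, limit)


def rank_events(events, deductible, limit, materiality_threshold):
    """Rank by expected annual loss; flag events whose residual loss, if they
    occurred, would reach the assumed materiality (disclosure) threshold."""
    rows = []
    for e in events:
        residual = residual_loss(e.gross_loss, deductible, limit)
        rows.append({"event": e.name,
                     "expected_loss": e.expected_loss(),
                     "residual_if_occurs": residual,
                     "material": residual >= materiality_threshold})
    return sorted(rows, key=lambda r: r["expected_loss"], reverse=True)


def control_roi(event: CyberEvent, control_cost: float, probability_reduction: float) -> float:
    """Expected-loss reduction per dollar of control spend (assumed effect size)."""
    return event.expected_loss() * probability_reduction / control_cost


# Constructed sample data, not figures from the article
EVENTS = [
    CyberEvent("Ransomware business interruption", 0.15, 4_000_000),
    CyberEvent("Key supplier outage", 0.30, 1_200_000),
    CyberEvent("Customer data breach", 0.10, 8_000_000),
    CyberEvent("Wire-transfer fraud", 0.25, 500_000),
]
DEDUCTIBLE, LIMIT, MATERIALITY = 250_000, 3_000_000, 1_000_000

if __name__ == "__main__":
    for row in rank_events(EVENTS, DEDUCTIBLE, LIMIT, MATERIALITY):
        print(f"{row['event']:<34} EL=${row['expected_loss']:>10,.0f} "
              f"residual=${row['residual_if_occurs']:>10,.0f} material={row['material']}")
    # The costlier control still wins on risk reduction per dollar
    print("EDR + tested backups ROI:", control_roi(EVENTS[0], 120_000, 0.5))
    print("Payment verification ROI:", control_roi(EVENTS[3], 40_000, 0.6))
```

Two events exceed the materiality threshold only because the policy limit is well below their gross loss, which is the deductible/limit-to-materiality link the insurance step describes.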
Ultimately, cybersecurity is a team effort and often gets stalled by poor communication. Armed with these 8 steps, it’s much easier for CFOs to play a proactive role in improving communication and collaboration with CISOs, the board, and other stakeholders. With some time planning out these playbook strategies, you can stay ahead of the risk curve and enjoy a safer and more resilient 2024.