It isn’t just the IT department that needs to be concerned about data breaches and infrastructure risk—CFOs must also lead in safeguarding their organizations against unauthorized access by external bad actors or rogue employees who could potentially wreak havoc on the bottom line.
So says Karan Bhople, CFO of strongDM, a software company based in Burlingame, California, who previously served as vice president of finance at SentinelOne, where he played a key part in the company’s successful IPO. Bhople spoke with StrategicCFO360 about how company value is tied to cybersecurity, why he compares CFOs to firefighters and why it’s important to seek out other CFOs.
How have rising data breaches and infrastructure risk changed the role of CFO?
The proliferation of technology infrastructure has been accompanied by an increase in the number of attack surfaces, multiplying avenues of risk in a way that hasn’t been seen before. The CFO’s role is primarily to maximize the company’s value, and intrinsic value is dependent on the magnitude, timing and risk of future cash flows—so as risk increases, value is threatened.
In the context of data breaches and infrastructure risk, the CFO is quartermaster, soldier, firefighter and police officer. As quartermaster, the CFO organizes and directs resources in the firm to manage and minimize this cyber risk. As a soldier, the CFO has the ability to fight in the trenches alongside the teams closest to the risk, while providing steady leadership.
As a firefighter, the CFO does what is needed to handle and resolve unwanted incidents in real time. As a police officer, the CFO takes an interest in investigating those incidents and in enforcing rules to ensure they don’t recur. And in all these activities, the CFO must exercise good judgment and partner closely across multiple business functions.
Why do CFOs—and not just IT staff—need to have a vested interest in understanding and assessing security and compliance products used in their companies?
The more leaders there are across the company, including the CFO, who take an interest in understanding security and compliance products, the safer the company becomes. Generally, when knowledge critical to protecting the company is concentrated in one person or one group, if something happens to that person or group the company is vulnerable. The CFO must take the lead in spreading the risk around.
As the standard modus operandi of the finance function in today’s world is to be highly automated, the CFO’s tool stack itself must be protected, in the form of adequate controls, privileged access, data protection and so on. Systems used for accounting, planning, order-to-cash, procure-to-pay, equity management and other activities are not immune from incidents or attacks. To minimize risk in the CFO’s own backyard, the finance team must work hand-in-hand with the compliance team.
What are some new risks that weren’t apparent before that CFOs should be aware of?
Most risks have been around for a while, from well-known external bad actors to obscure individual employees, from an entire homegrown database being breached to one AWS EC2 instance left open for a short while. But the discrete elements and sources of these risks have multiplied with the sheer growth in volume, breadth and geographic spread of technology infrastructure.
In the not-so-distant past, the CFO’s 360-degree view covered just the company’s employees, physical assets, customer, supplier and partner relationships, investors and creditors, and bank accounts. Today, it is imperative to add to this list the potentially massive but abstract stockpile of technology infrastructure. Tracking all of it can be daunting, so having the right tools to do so is critical. The CFO may not be monitoring or using the tools on a daily basis, but must partner with those who do.
What can CFOs do to maximize their company’s valuation amid a new era of risk?
Stay in tune with what is best-in-class in risk management. Network and ask experts for advice regularly. Seek out other CFOs at companies that have experienced incidents large and small, and learn from how they handled those situations. Learning often happens in the extreme, and one can learn a lot from one’s own mistakes, but it is often easier—and lower risk—to learn from the difficult experiences of others who are walking in the same shoes.