Today, 2,000 chief financial officers (CFOs) at corporations around the country will get a copy of an action guide that will help them deal with cyber attacks. Not chief security officers or chief information officers, but chief financial officers. There’s a reason for that choice.
Despite the highly publicized losses due to a data breach at TJX, where 94 million records were compromised, plus several other breaches since, hackers keep on penetrating defenses at organizations.
“We believe cybersecurity needs to take a much higher priority in the overall thinking and budgeting of organizations and one way to do it is by relocating the focus of control from the IT departments to the CFO,” Larry Clinton, president of the Internet Security Alliance (ISA), told InternetNews.com.
That’s because “organizations will only invest in and sustain appropriate cybersecurity measures when they believe it’s in their best interest, and we believe it’s in their best interest when they address it on an economic basis,” Clinton said.
The booklet, unveiled at a press conference at the National Press Club in Washington, D.C., contains 50 questions CFOs must ask and sample charts to help them calculate the probability and severity of financial losses from both risk events and the actions taken to mitigate them.
The booklet is issued by the American National Standards Institute (ANSI) and ISA and is available for download free on the ANSI Website.
Go for the money
It also contains a list of standards and reference documents to help CFOs develop comprehensive risk management frameworks. Organizations “have to look at cybersecurity from a fully functioning enterprise basis,” which means representatives from every department, including the legal, human resources and public affairs departments, should help develop a cybersecurity plan, Clinton said.
“We see many corporations are cutting their security budgets, and we don’t think most organizations are organized well enough to truly appreciate the value of their information security systems,” Clinton said.
The booklet was developed after a year of work involving four workshops and “numerous conference calls and exchanges of documents interspersed between the workshops,” Clinton said.
Targeting the CFO is a good idea, Tom Kellermann, Core Security’s vice president of security awareness, told InternetNews.com. “CFOs and risk managers need to be re-educated to comprehend how risks have changed due to e-finance and the e-commerce revolution,” Kellermann said.
Most organizations use plausible deniability to evade responsibility when they are hacked, Kellermann said. But this is dangerous because “most hackers leave back doors to systems so the long-term risks become more and more profound as time goes by,” he added.
Because most organizations outsource “some IT functions,” Kellermann recommends that CFOs review their contracts with these contractors. A breach of an outside contractor’s site saw 5,000 consumer names stolen from Wells Fargo in August.
How can CFOs guard against this sort of problem? “Make sure you don’t just have SLAs (service level agreements), but have information security SLAs with them and make sure you have remediation times built into your contracts with those entities,” he said.