Technology has for a long time been out of the laboratories and has held, in its own right, a position in the companies’ executive committees. The transformation that ‘digital technology’ is injecting into all types of organizations requires that the top-level executives understand the basis of this new era.  According to Gartner’s report “2014 Gartner Financial Executives International Technology CFO Study”, CFOs must be prepared for this trend as they have an increasingly important role in IT decision-making. It also stated that 30 percent of the CFOs interviewed (almost 40 percent if we talk about SMBs) claimed they took these decisions, compared with 24 percent in 2013.  If there is an area where they should pay special attention, this is without doubt that of information security.

No, cybersecurity is no longer the sole responsibility of IT managers. Nor is it that of the security managers, who often report to the former. CFOs also play a key role in defining the organization’s strategy regarding this subject.  Until now their only duty in the ICT area was to control the department’s budget and assess, together with the CIO, in which security solution they should invest and whether they should increase this in one sense or another. And above all, they must know how to act to protect their organization against the ever increasing risks appearing in the market, ranging from an infection caused by one of the multiple existing malwares, now operating in any platform, to an advanced persistent threat, amongst others. For this reason it is essential that the CFO works closely with the CIO on the development of a security plan which integrates perfectly into the company’s business model and its operations, as well as into its relationship with its employees and shareholders, and that it safeguards the brand and the corporate reputation.

From cost controller to evangelist

How should the XXI Century CFO act?  Experts recommend someone capable of analyzing along with the CIO, the value and vulnerabilities which come with the use of IT and who knows how the company should act when attacked, because it is now practically impossible to prevent ever more sophisticated security incidents. What one needs to know is how to minimize their impact.

On the other hand, the Chief Financial Officer must realize that these types of attacks directly impact on the company’s business and its market value.  This is pointed out in the report “The Value Killers Revisited: A risk management study” by Deloitte, which states that the issues that ‘kill’ this value are not only limited to factors such as the recent credit and euro crisis experienced by the market or M&A transactions, but also include others like cyberattacks, which nowadays are unfortunately very common, as has been seen with recent notorious cases (the Sony Pictures case is only one of many).

Therefore the inclusion of cybersecurity with the issues to be addressed in the risk committees and audits in which they participate is an obligation for CFO’s today, and they should bear in mind which of the company’s assets need the greatest protection in order to guarantee the continuity of the business.  Additionally they must participate in the development of a contingency plan for a possible cybersecurity incident and be certain that they know what to do, as should the CIO and the other members of the Executive Committee.  It is advisable that companies organize simulated attacks to ensure that everyone responsible is prepared should a high range cyberattack really occur.

The Chief Financial Officer should also explain to the managers the risks implicit within the new digital scenario pointing out the most dangerous players, and also assess which methods, technology and human resources are the  most appropriate to combat them. According to experts, one area on which they should concentrate is to have monitoring systems which facilitate the rapid identification of attacks in real time in order to respond with greater agility. It is necessary to anticipate these situations as much as possible. Today, for instance, it is unthinkable that customers are the ones who have to report a possible fraud related to the services offered by the company. The company must act as quickly as possible and be proactive rather than reactive if a security breach occurs, and have their communication and performance strategy already prepared for customers and third parties who may be affected.

Obviously all the above does not mean that from now on the CFO has to lead exclusively the cybersecurity initiatives in his organization. But he does have to start participating more actively and evangelizing about the importance of data security and about the policies to protect them within the Executive Committee. In short, companies (and also society) are now so digital that is simply impossible for its top executives, including the CFO, to ignore the risks and threats which the new scenario entails and which steps are the most appropriate to solve the problem.