Even in a declining economy, organizations are likely to maintain their level of cybersecurity spending. But that’s not to say that in the current economic climate of rising costs and a possible recession, they won’t take a magnifying glass to see how they spend the money budgeted to defend systems and data. Indeed, in many companies, cybersecurity spending is not targeting the most important dangers, according to experts, as evidenced by the large number of successful ransomware attacks and data breaches.

Without a comprehensive understanding of the security landscape and what the organization needs to do to protect itself, how can CFOs make the right decisions about investments in cybersecurity technology and other resources? They cannot.

Thus, CFOs need to ensure that they have a timely understanding of the security issues facing their organization. This requires reaching out to the most knowledgeable people in the organization: chief information security officers (CISOs) and other security managers on the IT front lines.

Here are five questions CFOs should ask their CISOs about their company’s security.

1. How secure are we as an organization?

It’s a difficult question to answer, but it needs to be asked, if only to give the CFO an idea of the level of attacks against the business and what the security team is doing to protect systems and data.


“It’s a question that’s frequently asked of a CISO, and it’s one of the most difficult questions to answer appropriately,” said Michael Gordon, chief financial officer of software company MongoDB. The ideal CISO response should be: “We have identified our crown jewels and secured them as best we can, given the resources available and the knowledge we have of the cybersecurity landscape as it is today,” Gordon said.

There are several tangible measures that organizations can use to assess the level of security risk they face. One is to get an idea of the number of attacks or attempted breaches suffered by the organization.

“Many non-IT C-level executives don’t know all of the attacks their organization faces,” said Raj Patel, partner and cybersecurity practice lead at consulting firm Plante Moran. “They only know the big problems and not the ones that have been blocked and solved quickly. If they have all the data, they could [better] understand cyber spending demands.”

2. What are the main security risks or threats in our industry?

This is sort of an extension of the previous question, but it’s especially important for CFOs in industries that are prime targets of attack. Many threats and risks target specific types of businesses such as financial services companies and healthcare providers. In some cases, the actual attacks are designed for specific types of systems and data.


Knowing the latest trends in industry-specific attacks can help CFOs better understand the investments the organization needs to make to protect itself and mitigate risk.

“Just because it hasn’t happened to your organization yet doesn’t mean you’re immune,” Patel said. “It’s just a matter of time.” Understanding what is happening in the industry can help the CFO assess the readiness of their organization.

3. How do we ensure that the cybersecurity team and the CISO are involved in business development?

Security has long been seen by many as a barrier to innovation and productivity, but it doesn’t have to be. CISOs have a seat at the C-suite table, and CFOs can work with them to help make security a strategic part of the business.

CFOs should ask CISOs what they can do to help security teams be successful and effective, Gordon said. “This is important to ensure your CISO understands your view of this as a priority and essential to the success of the business.”

Security should play an important role in a company’s evolution, business operations and product development, said Brian Wenzel, senior vice president and chief financial officer of financial services company Synchrony. “It needs to be integrated into acquisitions, partnerships and governance.”


Savvy organizations tackle cybersecurity and data protection issues by instilling cybersecurity efforts and awareness from all angles and at all levels, Wenzel said. “They prioritize data security in the C suite to better manage and mitigate risks and threats,” he said.

Historically, security was viewed by many CFOs as a cost center, Wenzel said. “But that is changing,” he said. “Organizations need to view security as a business development opportunity. CFOs must leverage CISO and security efforts to grow, grow, and grow the business.”

4. What are the potential risks and costs of not implementing cyber control?

Measuring ROI with cybersecurity spending can be tricky because the potential return comes in the form of something that doesn’t happen, like an attack.

Still, it makes sense for CFOs to ask security managers about the likelihood of a given type of attack occurring, how much it might cost the organization, and how much it would cost to prevent that type of attack.

“Installing a device to monitor your network can cost $1,000, but it could save you over $100,000 if you don’t [have it] when an incident occurs,” Patel said.

Costs can also take the form of business lost as a result of an attack.

“Customers and partners expect a lot from any company working with personally identifiable information,” said Wenzel. He noted that recent research has shown that privacy and data protection lapses are one of the main reasons customers leave a brand.

5. Do employees understand information security and implement security protocols successfully?

A significant share of cybersecurity risk comes from insider threats. These are not necessarily malicious actions; they are often the result of negligence or human error. Either way, organizations need to ensure that employees are well aware of security risks and of the proper use of technology tools and services.


Workers need to be trained on what to look for in order to avoid falling victim to phishing and other attacks, and CFOs should ask what needs to be done to improve awareness and education.

“This is the source of significant information leaks from organizations today. Scammers try to use the human element to gain access to information,” said Russ Porter, chief financial officer of the Institute of Management Accountants, an association of accounting and finance professionals.

Training and awareness must take place at all levels of the organization, including senior managers who may be the target of specific attacks.
