CIOs reporting directly to CFOs can create massive cybersecurity headaches
Study author Jody Westby, the chief executive officer of consulting firm Global Cyber Risk, tells CFO.com, "When you start looking at why [a] company had a weak security program, it usually comes down to allocation of resources."
"The CFO should be very concerned, because often it's the security programs that have been starved for cash," she says.
Westby explains that many complaints about malfunctioning computer security systems never reach the CFO because the chief information officer (CIO) intercepts those messages and tables them. CFOs are often viewed as "cost obsessed" and more willing to ditch projects that will cost the company money, she says.
Regardless of the chain of reporting, Westby says finance chiefs must include security programs - and the material and human resources they require - in the company's annual budget review. This allows the board to directly examine the cost of security risks and assign the necessary resources to stop cyber threats as they occur.
"If a security team is starved for funding, that always comes back to the CFO," Westby tells CFO.com.
Confusing the issue is the reporting structure. Chief information security officers (CISOs) and chief security officers (CSOs) most often report to the CIO (40%). However, they also sometimes report to a CEO (22%), and 8% of the time they report to the CFO. That reporting structure has remained fairly consistent from 2010 through 2015.
If the CIO reports directly to the CFO, Westby says it's important that the CFO "really tries to understand the cyber risk and tries to ensure there is adequate funding - within reason."
The study lists four major cybersecurity challenges:
- Lack of focus on cyber breach prevention puts critical assets at risk. Building security that simply detects threats, with no other option than incident response, is too little, too late.
- Security has been categorized as simply an IT problem for too long. Cyber risks are too important not to discuss in the boardroom - this is an existential issue for the entire enterprise.
- Too many point security products leave gaping holes in security postures. Piecemeal security systems and point products that don't share context across the entire cyberattack life cycle are inadequate.
- Too many manual steps and cycles impede prevention and can't scale. Most enterprise security teams are not resourced to manually handle thousands of daily alerts.
Half of the cybersecurity issue clearly focuses on boardroom and funding considerations.
There is, however, some good news for CFOs and their boards. The 2015 survey found that most boards have finally established "risk committees and shifted risk oversight from the audit committee to the risk committee. Additionally, boards are now undertaking key oversight activities related to governance of cybersecurity."
By moving cybersecurity oversight out of the audit committee, a company can settle on its must-have cybersecurity needs before passing that information along for financial approval.
Perhaps the most useful tip from the survey is to remove a single point of contact from making the final decision on security. "Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues," Westby writes.
"This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO, CRO, the CPO, and business line executives," she says.