Talk to the CISO

We’ve all heard the phrase “talk is cheap.” But when it comes to how companies operate, not talking can be costly—both in terms of money and in safety, and especially when finance teams and security teams aren’t on speaking terms.

Finance departments can take the lead in collaborating with their cyber counterparts to protect against an expected rise in cyberattacks on sensitive financial data, according to industry experts. As creators and owners of the financial data, finance departments are well positioned to set an organizational tone of collaboration around data security, Daryl Crockett, CEO of data security consulting firm ValidDatum and a consulting fractional CFO, told CFO Brew. But in order to do so, finance teams have to start communicating their needs and expectations. And it has to start from the top.

“I think fundamentally it is a corporate culture that needs to be initiated,” she said. “And the CFOs as part of the C suite, or senior finance executives, are responsible for supporting that mindset.”

Bumpy road ahead. There’s good reason for finance departments to improve collaboration and communication: According to a recent survey from the Deloitte Center for Controllership, many executives are expecting an increase in the number and severity of cyberattacks aimed at financial data this year.

Cyberattacks on financial data—information that shows up in financial reporting such as sales, revenue, expenses, liabilities—are a growing problem. Among the 1,100 C-suite executives surveyed by Deloitte, 34.5% say that their organizations “experienced cyber events targeting accounting and financial data” within the last year. It will likely get worse: 48.8% of the survey respondents expected an increase in cyberattacks on financial data this year.

Cyber breaches are also expensive. According to IBM’s Cost of a Data Breach 2022 report, the average cost of a data breach in the US is $9.44 million.

However, while only 20.3% said their accounting and finance teams “work closely and consistently” with their peers in cybersecurity, 39.5% said they planned to increase the collaboration between their organization’s cyber and finance functions.

Clearly, there is room for stronger communication between teams.

“There's a shift in making sure that there is a continuous interaction across the groups so that everyone is establishing a better relationship,” Temano Shurland, principal of risk and financial advisory in finance transformation at Deloitte, told CFO Brew. “But more importantly, understanding where there may be [an] opportunity to better improve their infrastructure or security operations around the data.”

Talk it out. For many CFOs, the first step to successfully collaborating with a chief information security officer (CISO) or chief information officer (CIO) is getting up to speed on cybersecurity risks and best practices because oftentimes, finance professionals don’t have an effective handle on key cybersecurity issues, Crockett told CFO Brew.

“I think they [finance professionals] really don’t understand the tremendous threats that they are under on a daily basis,” she said. “They are very unaware of what good cybersecurity posture looks like, what it means to the organization, how to go about doing that, why they should do it—they don’t understand at all.”

Crockett recommends that finance professionals take upon themselves to start learning about cybersecurity best practices, whether that’s YouTube tutorials or reading up on cybersecurity trends and terminology in order to better communicate with their CISOs or CIOs.

Simply communicating with the cybersecurity team, beyond just budgeting conversations, can also improve CFO cyber literacy and set an effective collaborative example for the rest of the organization, according to Amy Bahls, CFO at the National Cybersecurity Center, a cybersecurity education non-profit based in Colorado.

Creating that tone of collaboration at the top helps strengthen the organization’s overall cybersecurity posture, said Shurland.

“Everyone understands that the accounting and finance information is mission critical to the success of the organization,” he said. “And that should be monitored and protected at all costs, which then requires increased interaction.”

Taking stock. Once finance professionals have a solid understanding of cybersecurity issues and have opened lines of communication with the cyber team, they should take an inventory of their organizations cyber needs, tools, and vulnerabilities, said Bahls.

“What are the things that you have to protect?” she said. “That awareness is really where the CISO can help out.”

Understanding the capabilities, strengths, and weaknesses of your organization’s cybersecurity posture can also help CFOs with budgeting and resource allocation, according to Crockett.

“How can the CFO be expected to talk intelligently about the budget and to sign off on major procurement plans for data privacy and data security without being aware of the existing status and plans of the department?” she said.—DA