It’s especially important, and in fact mandated by many of the common security frameworks, that Leadership has awareness and understanding of the organization’s cyber risk with a regular cadence for review with key stakeholders such as other executives or the Board of Directors.
The Chief Financial Officer in particular has a fiduciary responsibility for the organization and in many cases, overall bears responsibility for risk within their company. The stakes are even higher with a publicly listed company that may face fines or other penalties from shareholders or regulators. For a public company you can usually find a qualitative assessment of all risks in the Management Disclose and Analysis (MD&A) filing that accompanies an annual report.
CFOs have a solid understanding of controls as they provide assurance on the integrity of financial reporting and are critical for mitigating and identifying issues such as fraud (internal or external). The controls inherent in various frameworks, not to mention best practices, are equally as important for CFOs to embrace and not every CFO understands or has a desire to have a broader approach to risk management which includes cyber risk.
Whether we like it or not, we are all in the business of risk management. There’s risk in everything we do in our personal and professional lives, but we manage and mitigate the risk based on our risk appetite and our risk tolerance. We wear seatbelts to protect us in the event of an incident, use smoke detectors as a preventative and early warning of possible fire, rock climb with the appropriate training and safety gear and so on.
Business is no different in that we must take risks to operate and prudent risk taking is necessary for results. The risk appetite defines how much risk we are willing to take, while the risk tolerance is our comfort with deviation from the appetite in search of greater results or rewards.
A robust approach to risk management requires some art and some science using people, process and technology that are appropriate for the type of business, as well as the size of the organization and potential impact. For example, a nuclear power plant requires risks are very well managed and risk appetites are low given the possible catastrophic impact of a risk being realized. If you’re running a Software as a Service (SaaS) company, while your clients rely on you for your services and you may have sensitive data, it’s unlikely that a risk being realized will result in catastrophe such as loss of life.
CFOs must take an active role in cyber risk, now more than ever, as prevention and preparedness is always a much better outcome than dealing with a cyber risk that may result in irreparable financial and reputational damage.
~ Chris Covell Principal Consultant, vCISO