I’ve been a finance professional for more than 25 years and spent the last 15 years in senior finance roles, mostly as a CFO of both public and private companies. Like many of you, I am often invited by business groups and professional service providers to attend thinly veiled networking events to get the attention of “C” suite officers of both large and smaller companies. Normally, the bait used to get the attention of senior accounting and finance members were topics like, "Trends to Fund Your Next Acquisition," "Key Tax Strategies for the New Millennium," "How to Attract and Retain High Performing Teams," etc. However, recently, I’ve noticed a new topic cropping up about this new business risk of “protecting your data” and “cybersecurity defense.” Admittedly, not too long ago I thought cybersecurity and data protection was a compliance initiative that was the job of someone in our Information Systems group. All I needed to know was that we were compliant, if not whose throat would I choke to get us compliant and hopefully, we didn’t need to make a formal disclosure in our annual Form 10K. The world has changed in the last two years—changed a lot! Service professionals are using the new topic of cybersecurity more often as their bait to snare a few finance types like me. At first, it seemed like most of these meetings were led by auditor types from national CPA and consulting firms, but more frequently, I’ve seen this topic become more effectively communicated in panels and working groups where real finance peers are discussing, questioning and learning what others are doing to defend against the next attack. Many of us thinking, God forbid my company becomes the next poster child like Target. In the last two years, I have evolved my understanding of cybersecurity. One of my greatest learnings is that CEOs and the Board are looking more often to the CFO to own understanding and managing of cybersecurity risk. Sure, we have partners like CIOs and CISOs or maybe a Director of IT Security, but in the end, CFOs are given the “opportunity” to monitor, manage and communicate the risk to the CEO and the Board. Three important learnings that came from firsthand knowledge are what I’ve termed the Three Keys to a Successful Cybersecurity Program:
1. Tone from the Top
Like any other major initiative – especially a new corporate-wide initiative – you need the voice of the CEO. A once-a-month email or gratuitous comment by the CEO isn’t enough. Today, I work for a company whose purpose in life is developing and selling software products aimed at mitigating cyber risk, which you would think in and of itself would enable a successful IT Security Program, but it wasn’t enough. We are like any other company who is very busy competing. IT Security is not second nature—controls and processes can be confusing, difficult and sometimes painful to implement and are easy to push down the priority list. As a result, we found the most effective enabler to a successful program is a continuous tone from the top. You need that constant drip of water coming from CEO’s mouth mandating support, reminding leaders that security is not an option and demanding proof that defense systems are developing, progressing and adjusting as necessary.
2. Prioritizing Your Valuable Assets
In our early journey of taking cyber risk seriously, we all agreed we needed to be secure, but wondered what it meant to be secure. We were searching for the "Easy Button," but quickly found there wasn’t one expert or SWAT team we could hire to come in and fix things in 90 days, then leave and let life continue. More importantly, there are many valuable assets that need to be protected and “value” was like beauty; its in the eye of the beholder. Sitting in these networking events and listening to peers discuss their risks and justifying the highest value assets (e.g. credit card data, HR data, website, reputation, brand, intellectual property, financial records, etc., etc.). Once you get the constant tone from the big guy on top, its now up to you to manage and prioritize what assets need to be protected first. Further, once you find your top two or three, you are likely to find the defenses required to protect these assets will vary in their prescription, let alone the technical IT environment were these assets reside varies significantly. In fact, many of us thought the "Easy Button" would come from managed service providers or the infamous “Cloud.” Experience tells me its not that easy and these environments coupled with a dynamic business will often compound the challenge.
3. Finding and Using a Credible Cybersecurity Framework
I remember sitting in an early security meeting asking myself, what the heck is a framework? It sounded like a fancy hi-tech or IT buzzword that God only knows what it means! I think my eyes were glazed over when I first heard it, but I found that after about six months of frustration of not getting anywhere working with a group of people from my IT team, my boss the CEO, and a couple of other smart guys from engineering that its actually a very important tool – maybe the most important tool. Today, its like my American Express—I wouldn’t leave home without it. Seriously, its imperative to dissecting, prioritizing and communicating. A security framework effectively provides a roadmap that when done well will set out understandable priorities that enable clear communication on what we have done, what should be done next and whether we are succeeding. If you haven’t thought much about data security yet or if you are frustrated like I was, you will find the security framework is a medium of communication. It allows the techies to speak in "techy speak," but also allows me to understand and see what they are talking about and where all the technical solutions fit into the list of priorities. Said another way, if one of your security professionals come to the meeting saying we need to buy a IPS, IDS, Next Gen Firewall, anti-malware, threat protection, endpoint protection, etc., all you have to do is ask where it fits in the framework – if its below something on the priority list that isn’t complete, you can ask why and drive the conversation on investments, risk and benefits. I’ve also found the security framework is very effective in communicating to the Board of Directors. Remember, many of these people are often in retirement (or near retirement), and IT security means antivirus (if you are lucky). Having a good organized framework provides that same communication medium that enables a productive conversation with our technical staff. Its beautiful to begin to see alignment between the Board, the “C” suite and the team executing the plans. BTW, I found the Council on CyberSecurity's Top 20 Critical Security Controls as a very helpful framework. Its kind of like Generally Accepted Accounting Principles (GAAP) in that it helps define what is good and also prioritizes good vs. better. In summary, defending against cyber-attacks is hard work, the journey is long with many detours and kinks and the road. There are no "Easy Buttons." Also, each person and company’s experience is certainly different, but I believe having the three keys listed above will help reduce that frustration.
The Executive’s Guide to the Top 20 Critical Security Controls Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].