By Niamh Hussey, Robert Di Pietro and Craig Sydney
Cybersecurity is no longer viewed as a ‘nice to have’ by stakeholders and consumers - it is seen as a necessity. Cyber has been thrown into the spotlight in recent years as the number of high-profile attacks and breaches has continued to rise, and is now a clear and foreseeable business risk. The ramifications of a cyber incident can be devastating for an organisation, both financially and reputationally, so steps need to be taken to prepare and mitigate and, in the event of an incident, respond and recover. Therefore, it is no surprise PwC’s 2023 Global Digital Trust Insights survey found 60% of Australian organisations plan to increase their cyber budget in 2023. One emerging area relevant to a subset of industries is a heightened focus on risk mitigation through improved operational technology security.
While it is heartening that awareness of cyber risk and willingness to act on it are front of mind, action needs to be carefully aligned to an organisation’s unique and dynamic risk profile and identified vulnerabilities. Further, there needs to be careful alignment between risk, risk mitigation and cyber budgets – upfront and ongoing – to ensure the maximum protection and return on investment.
For this reason, close collaboration between the Chief Information Security Officer (CISO), Chief Information Officer (CIO) and the Chief Financial Officer (CFO) is crucial.
When it comes to cybersecurity budget decision making in Australia, our survey found the CEO is the number one decider (19%), followed by the Chief Information Officer (CIO) and Chief Financial Officer (CFO) (13%), and the CISO (12%).
It is understandable CEOs may have final approval of the budget due to organisational hierarchy. However, with the need for CEOs to have an overarching view of cyber and many other competing factors, there is an opportunity for CFOs to play a more integral role in this process.
For example, the CFO can work closely with the CISO to ensure that cyber risk to the business is understood and quantified, along with the financial impact of those risks, ranging from immediate financial loss, through to remediation, valuation, regulator fines, investor confidence and brand reputation and trust costs. The CISO and CFO can make sure the strategy to mitigate those risks is clear and that an investment strategy is specifically aligned to help achieve mitigation objectives. They can work together to track return on investment and adjust as required.
By working directly with CISOs, CFOs can take a very strategic approach to making sure budgetary considerations for different functions have a cybersecurity function ‘baked in’.
Some key questions to consider are:
For Australia’s C-suite, the top factor to help drive organisational cybersecurity transformation across the next 12-18 months was found to be effective leadership. Fourth on the list was educating the board on cyber risks.
With this appetite for leadership in mind, the CFO and CISO can strengthen the focus on cybersecurity throughout an organisation by ensuring there is a clear understanding of the threat, the potential impact and the budget, and that investments in cyber are making the difference and driving the uplift that is required. As a team, the CFO and CISO can help inform the CEO about the cybersecurity approach. This is, in turn, an important insight for the board.
Australia’s cyber-related regulatory and legislative environment is evolving quickly. For example, reforms to Australia’s critical infrastructure regime, the Australian Prudential Regulation Authority’s (APRA’s) prudential standard CPS 234 Information Security (and proposed CPS 230 Operational Risk Management expected to launch in January 2024[1] ), mean there will be more onus on boards than ever before to ensure they have oversight of an organisation’s cyber posture and performance.
The CFO and CISO can play a key role in improving cyber-related board reporting and meeting any compliance obligations. For example, key cyber risks associated with critical business operations and information assets can be modelled using dashboards that show the inherent risk exposure alongside the cyber investments that have been made, and those in progress, to bring the residual exposure to within risk appetite.
With cyber threats increasing and evolving, a strong and coordinated C-suite effort is essential. By working together, collaborating on understanding risk, strategy, budgets, leadership and CEO and board communication, CISOs and CFOs can enhance cyber posture and culture, ultimately helping better prepare an organisation for the future.
Robert Di Pietro
Cybersecurity & Digital Trust Leader, PwC Australia
Tel: +61 418 533 346
Partner, Cybersecurity & Digital Trust, PwC Australia
Tel: +61 400 215 757