The CFO’s Role in Cybersecurity
By Richard Nathan | September 5, 2017
In an age when cyberattacks are more of a guarantee than a possibility, safeguarding your company from digital threats requires all hands on deck. As a CFO, how can you ensure that your business is prepared to mitigate and respond to these threats?
Marks Paneth brought business and technology experts together to answer that question at the first session of our Long Island CFO seminar series this summer. Long considered a concern for IT professionals alone, cybersecurity is becoming more complex and burdensome as the attacks grow in sophistication and frequency.
I had the privilege of joining Daniel Tigar, Managing Director and Head of Enterprise Security at Citigroup Inc., and S. Gregory Boyd, Partner and Co-Chair of the Privacy & Data Security Group at Frankfurt Kurnit Klein & Selz, to discuss this topic and provide some insights and action items for CFOs to address cybersecurity concerns at their own organizations.
Understand who is responsible for cybersecurity
The simple answer is: everyone. From the CEO down, all members of the organization must accept and adhere to the cybersecurity policies and procedures put in place. Some responsibilities will need to be delegated to outside vendors, but never treat your own company as unaccountable for how a vendor protects your data. When a major breach occurs, it will be your company’s name in the headlines and on clients’ minds, not the vendor’s.
Confront your misconceptions
A common assumption is that data security and privacy have everything to do with IT and nothing to do with anyone else in the organization. This dangerous position conveniently lets leadership “off the hook” while giving your IT department free rein to make unilateral decisions that have far-reaching consequences.
Also remember that privacy and data security are connected, but not the same: privacy governs what data you may collect and how it may be used, while data security governs how that data is protected. In large and mid-sized companies, it is always wise to separate these functions between the IT and risk management departments.
Determine your organization’s risk profile
Before you can begin assessing the effectiveness of your cybersecurity policies and procedures – and identifying areas for improvement – you need to determine your company’s risk profile. A business impact analysis is a tool that can help you organize and prioritize your resources, assess your infrastructure, identify vulnerabilities and determine a timeline for execution and recovery.
This analysis will provide you with a baseline on which to build your disaster recovery plan and to ensure you have the appropriate measures in place for each scenario and business function.
Practice, Practice, Practice
The time to test your cybersecurity plan is far in advance of the digital attack, not in the heat of the moment when panic sets in and time is of the essence. Develop playbooks with specific courses of action and assigned responsibilities, and rehearse them regularly with the key members of your disaster recovery team.
There is no one-size-fits-all approach to backing up data, and a comprehensive backup plan involves much more than choosing an internal or cloud-based backup method. Most people outside of IT do not appreciate what establishing and maintaining such a plan requires, which includes:
- Determining restore points and the time interval between backups – that is, how much data you can afford to lose and how quickly each system must be running again – and confirming that each backup can actually be restored, since a backup that has never been test-restored is untested
- Stopping the clutter – only keep what needs to be kept
- Eliminating duplicate data – activate your backup software’s deduplication feature, which automatically eliminates redundant information, thereby reducing your data storage overhead
- Balancing the life cycle of data against the expense of backing it up – develop data retention and destruction schedules and cost-saving strategies
Manage your internal controls
Most attackers today do not need to break into your network from the outside. The overwhelming majority of malware (malicious software) enters your system through employees clicking on fraudulent links or opening malicious attachments. In fact, ransomware is the number one cyber threat facing businesses today. It is more important than ever to review, or implement, your messaging system’s ability to scan links and attachments as soon as emails are received, before they reach the inbox.
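The kind of inbound-mail check described above, as an added example that is not part of the original article: a small scanner that parses a raw message, flags attachments whose names carry executable or double extensions, and flags HTML links whose visible text names a different domain than the link actually points to. The sample message, the domain names and the extension list are constructed for illustration; a production gateway would also consult a public-suffix list and a malware scanner.

```python
"""Inbound-mail triage: flag risky attachments and deceptive links.

Added example, not code from the original article. Assumes a mail gateway
hands each message to scan_message() as raw RFC 822 bytes.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that carry executable code or scripts and should not arrive
# from outside the organisation. Illustrative, not exhaustive.
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta",
                    "jar", "lnk", "iso", "docm", "xlsm"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    """Crude eTLD+1 (last two labels); real filters use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_attachment(filename):
    """Return a reason string if the attachment name is risky, else None."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    if parts[-1] in RISKY_EXTENSIONS:
        return f"executable/script attachment: {filename}"
    # invoice.pdf.exe is caught above; invoice.exe.pdf is also suspicious
    if len(parts) >= 3 and parts[-2] in RISKY_EXTENSIONS:
        return f"double extension: {filename}"
    return None


def check_link(href, text):
    """Flag links whose visible text names a different domain than the target."""
    target = urlparse(href)
    if target.scheme not in ("http", "https") or not target.hostname:
        return None
    shown = urlparse(text if "://" in text else "http://" + text)
    if (shown.hostname and "." in shown.hostname
            and _registered_domain(shown.hostname) != _registered_domain(target.hostname)):
        return f"link text shows {shown.hostname} but points to {target.hostname}"
    return None


def scan_message(raw):
    """Return a list of findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            reason = check_attachment(fname)
            if reason:
                findings.append(reason)
        elif part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                reason = check_link(href, text)
                if reason:
                    findings.append(reason)
    return findings


def build_sample():
    """Constructed phishing-style message used to exercise the scanner."""
    m = EmailMessage()
    m["From"] = "accounts@example-vendor.test"
    m["To"] = "cfo@example.test"
    m["Subject"] = "Overdue invoice"
    m.set_content("Please see the attached invoice.")
    m.add_alternative('<p>Review at <a href="http://secure-login.example-phish.test/x">'
                      'https://bank.example.test/login</a></p>', subtype="html")
    m.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                     filename="invoice.pdf.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print("QUARANTINE:", finding)
```

The two checks are deliberately independent of any signature database: a mismatch between what a link says and where it goes, and an executable hiding behind a document-looking name, are the two tricks the article's "fraudulent links and attachments" almost always rely on, and both can be decided before the message is delivered.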
While employee education on cybersecurity best practices and common tactics used by cybercriminals is always advisable, your responsibility for preventing employee-enabled breaches does not stop there. Many organizations are attacked through an employee who never should have had access to the sensitive data to begin with.
Take a careful inventory of who has access to sensitive data. Ask yourself: Does their job function require that level of access? Have they been trained and certified, where applicable, to handle the data properly? Is access being revoked when an employee leaves the company?
Even within an IT department, no one needs standing administrator rights on every system. Grant administrative access only where the role requires it, and review those grants regularly to keep your internal controls in check.
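The inventory the two paragraphs above call for, as an added example that is not part of the original article: a periodic access review that joins an access export from each system against the HR roster and flags accounts with no HR record, accounts belonging to leavers, access beyond what the role needs, and administrator rights held by roles that do not need them. The employees, grants and the role-to-entitlement table are constructed assumptions for illustration.

```python
"""Access review: reconcile system grants against the HR roster.

Added example, not code from the original article. The roster, the grant
export and the ENTITLEMENTS table are assumptions constructed for the demo.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    terminated_on: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Grant:
    emp_id: str
    system: str
    privilege: str  # "read", "write" or "admin"


# Which (system, privilege) each role legitimately needs. Assumed for the example.
ENTITLEMENTS = {
    "ap_clerk": {("erp", "write")},
    "controller": {("erp", "write"), ("payroll", "read")},
    "sysadmin": {("erp", "admin"), ("payroll", "admin"), ("fileserver", "admin")},
    "helpdesk": {("fileserver", "write")},
}

PRIVILEGE_ORDER = ["read", "write", "admin"]


def implied(privilege):
    """A higher privilege on a system implies the lower ones on that system."""
    return set(PRIVILEGE_ORDER[: PRIVILEGE_ORDER.index(privilege) + 1])


def review_access(employees, grants, as_of) -> List[Tuple[str, Grant]]:
    """Return (finding_kind, grant) pairs for every grant that fails the review."""
    roster = {e.emp_id: e for e in employees}
    findings = []
    for g in grants:
        e = roster.get(g.emp_id)
        if e is None:
            findings.append(("orphan_account", g))  # nobody in HR owns this
            continue
        if e.terminated_on is not None and e.terminated_on <= as_of:
            findings.append(("leaver_still_active", g))  # offboarding missed it
            continue
        allowed = ENTITLEMENTS.get(e.role, set())
        ok = any(g.system == s and g.privilege in implied(p) for s, p in allowed)
        if not ok:
            kind = "admin_beyond_role" if g.privilege == "admin" else "access_beyond_role"
            findings.append((kind, g))
    return findings


# Constructed sample data: one clerk, one controller, one sysadmin, one leaver.
SAMPLE_EMPLOYEES = [
    Employee("e100", "ap_clerk", None),
    Employee("e101", "controller", None),
    Employee("e102", "sysadmin", None),
    Employee("e103", "helpdesk", date(2017, 6, 30)),  # left the company
]
SAMPLE_GRANTS = [
    Grant("e100", "erp", "write"),
    Grant("e100", "payroll", "read"),         # clerk should not see payroll
    Grant("e101", "erp", "admin"),            # controller holding admin rights
    Grant("e102", "erp", "admin"),            # legitimate
    Grant("e103", "fileserver", "write"),     # leaver with live access
    Grant("svc_old", "fileserver", "admin"),  # no HR record at all
]
AS_OF = date(2017, 9, 5)


def run_sample():
    """Run the review over the constructed data."""
    return review_access(SAMPLE_EMPLOYEES, SAMPLE_GRANTS, AS_OF)


if __name__ == "__main__":
    for kind, g in run_sample():
        print(f"{kind:22} {g.emp_id:8} {g.system:10} {g.privilege}")
```

The review is only as good as its two inputs: the HR roster must be the system of record for who works here, and the grant export must come from every system that holds sensitive data, including the administrator groups inside IT.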
Look at the Big Picture
The overarching concept here is accountability. Without it, you’re a prime target for a cyberattack. Everyone at the company needs to be held accountable for their part in the cybersecurity process, but this won’t happen unless the C-suite leads by example and enforces the policies and procedures put in place.
If you run into resistance from IT or other members of leadership – and you most likely will – remind them that a firm-wide approach to cybersecurity is at the heart of business growth and success in today’s digital landscape. Clients expect it, prospects demand it, and cybercriminals are stopped by it.
A list of common policies and procedures that can be implemented to help safeguard your business against cyberattacks is available for download, courtesy of Marks Paneth LLP and Tailored Technologies LLC. For more information, please contact Richard Nathan, Principal at Marks Paneth and President of Tailored Technologies, at firstname.lastname@example.org.
About Richard Nathan
Richard Nathan is a Senior Consultant at Marks Paneth LLP. His areas of expertise encompass management consulting, including financial and operational software selection, business process improvement, technology assessment and project management. He also provides IT advisory services and business continuity planning. Additionally, he counts the nonprofit sector and the real estate industry as areas of specialty. Mr. Nathan has presented before many associations and professional organizations, including the New York Association of Association Executives, the...