CFO Cybersecurity Strategies: How to Protect Against the Rising Storm

A recent article in CFO, written by Joe Oleksak, advises that, with cyberattacks becoming more frequent, now is the time for CFOs to shore up their cybersecurity programs and strategies.

“Business leaders are coming up against the precipice of what might be the most significant challenge they face in 2023 and beyond: increasingly frequent and sophisticated cyberattacks devastating to business,” Oleksak writes.

“Every business is now a potential target from the smallest to the largest,” he adds. “Therefore, it’s a critical time for CFOs to engage with every department to strategically invest in cybersecurity across the business as your current strategy is likely no longer adequate. As hackers and technologies evolve, so too must your engagement with how cybersecurity is delivered across your organization.”

Historically, cybersecurity has been treated as the purview of IT, but in reality it is far more complex and pervasive. IT can manage and mitigate many risks, yet every leader in an organization has a role to play, including governance, legal, compliance, public relations and human resources. So does every third party, including your vendors, suppliers, contractors, service providers and customers. Cybersecurity is therefore not only about technology, but about people and processes as well.

Simply put, cybersecurity is like a tree with a complex root system. To stand tall and firm, it must reach into every corner of the business, rooting itself in your “cybersphere” (every department and employee, extending to vendors, suppliers, contractors, and customers). It’s complex, to be sure. Still, there are ways for CFOs to keep it simple.   

Three overarching questions every CFO should be asking in their role as a guardian of organizational resiliency include:

  • Are we protected from cyberattacks?
  • What more can (and should) we be doing to protect against cyberattacks?
  • How can we ensure our business has the resources it needs to face looming cyber challenges head-on?

According to Oleksak, when determining whether your organization is protected, CFOs should expect cross-departmental, plain-English answers that distinguish effective controls from potential weaknesses and root-cause issues within your cybersphere. That means not relying solely on IT’s own assessment of its efforts to secure the organization, but also holding all third parties accountable for their role, and seeking insight from an independent assessment of your organization’s threat landscape and the corresponding control environment. The input from IT, combined with assurances from your third parties and the results of your independent assessment of both, will clearly answer this question.

“In truth,” he says, “the pervasive nature of cybersecurity makes it incredibly difficult for CFOs, chief information officers and other organizational leaders to identify what else they should be doing to protect their companies. So, just as accountants shouldn’t audit their own work, you need to seek objective intelligence that either confirms the direction of your cybersecurity efforts or adjusts it to achieve long-term resiliency. The key to cybersecurity is to invest in understanding:

  • “What” the company has.
  • “Where” the company has it.
  • “Who” can access it.
  • “Why” someone would want it.
  • “How” the company is controlling it.

Oleksak advises that “these questions should be assessed across your cybersphere to identify immediate, near-term and long-term strategies for addressing known and unknown weaknesses. This isn’t the time for bravado but for candor and collaborations that marry people, processes and technology throughout your cybersphere. After all, the best firewall in the world is useless if hackers can circumvent it by targeting busy people, permissive processes, or unaware third parties.”

For more, check out CFO Cybersecurity Strategies: How to Protect Against the Rising Storm.