Can CFOs Help Prevent Cyber Attacks?
Today, 2,000 chief financial officers (CFOs) at corporations around the country will get a copy of an action guide that will help them deal with cyber attacks. Not chief security officers or chief information officers, but chief financial officers. There's a reason for that choice.
Despite the highly publicized losses due to a data breach at TJX, where 94 million records were compromised, plus several other breaches since, hackers keep on penetrating defenses at organizations.
"We believe cybersecurity needs to take a much higher priority in the overall thinking and budgeting of organizations and one way to do it is by relocating the focus of control from the IT departments to the CFO," Larry Clinton, president of the Internet Security Alliance (ISA), told InternetNews.com.
That's because "organizations will only invest in and sustain appropriate cybersecurity measures when they believe it's in their best interest, and we believe it's in their best interest when they address it on an economic basis," Clinton said.
The booklet, unveiled at a press conference at the National Press Club in Washington, D.C., contains 50 questions CFOs must ask and sample charts to help them calculate the probability and severity of financial losses from both risk actions and the actions taken to mitigate them.
The booklet is issued by the American National Standards Institute (ANSI) and ISA and is available for download free on the ANSI Website.
Go for the money
It also contains a list of standards and reference documents to help CFOs develop comprehensive risk management frameworks. Organizations "have to look at cybersecurity from a fully functioning enterprise basis," which means representatives from every department, including the legal, human resources and public affairs departments, should help develop a cybersecurity plan, Clinton said.
"We see many corporations are cutting their security budgets, and we don't think most organizations are organized well enough to truly appreciate the value of their information security systems," Clinton said.
The booklet was developed after a year of work involving four workshops and "numerous conference calls and exchanges of documents interspersed between the workshops," Clinton said.