How can CFOs ensure cybersecurity delivers value?


Stephen Kreusch explains that cybersecurity is becoming less of a cost centre in data-centric organisations.

Cybercrime is a unique challenge and a growing headache for CFOs. A cursory search on the topic reveals dozens of major examples from recent months and years, instigating Transnet's force majeure and the US shutting down a major oil pipeline. Laws reinforce the need to take cybercrime seriously – regulations such as the Protection of Private Information Act (POPIA) underscore managing data securely and threaten fines and jail time if security isn't handled to a satisfactory level.

Yet cybersecurity is becoming less of a cost centre and increasingly helps shape the foundations of data-centric organisations. Companies and their people want data on tap. It makes them much more effective, yet comes at the significant risk of attracting online criminals. That risk has increased substantially since remote working became mainstream.

CFOs and their teams can appreciate these dynamics. The CFO role associates well with technology and data – for example, enterprise resource planning (ERP) systems are fundamentally financial in purpose. Financial teams are among the most prolific adopters of analytics dashboards and process automation.

The CFO is also the gatekeeper of costs – and cybersecurity is a particular rub in that regard. Security is expensive: larger enterprises spend millions annually on security, and the costs of a successful breach are often even higher. Financial damage through business disruption, IP theft, and forensics to track and repair the carnage left by criminals are staggering – an average of $8 million, according to the Ponemon Institute.

Given all these factors, CFOs are well-positioned to help their cybersecurity be effective in both performance and cost.

There are two things every financial executive should know about cybersecurity. First, if you wait until something goes wrong it will cost you much, much more than taking precautions. Second, digital security is an asset that delivers value when it's well integrated with the business and sweated appropriately. Most breaches occur because security environments are bloated and poorly managed. The same is often the case for quantifying the costs of digital security.

People and processes
This does not mean security people aren't doing their jobs. Instead, issues arise when companies treat cybersecurity as a procurement exercise and not an advantage powered by people.

There's a massive human factor in security. The biggest security investment a CFO can support is making sure that they prioritise security teams. People first and things like security technologies and controls come second.

This advice has a caveat: every business and sector has baseline security costs related to factors such as the type of data they use, how fast and widely the data moves across the organisation, and any sector requirements, including legislation. For example, banks leverage large amounts of sensitive customer data and adhere to many security-related regulations. It's important to understand those requirements and their costs.

Yet once that baseline is in place, the next step is rarely more technology. Cybersecurity features are often baked into modern technology systems. The challenge instead is how to combine and run these effectively. When criminals breached the US retailer Target in 2013, its security systems generated alerts. But there was insufficient staffing to investigate the problems. This oversight ended up costing Target $292 million.

A motivated and skilled security team can do more with poor security technologies than an inexperienced team can do with the best and most expensive technologies.

Providing the space to manage processes is as important. Automation is a crucial part of highly-effective cybersecurity. Yet many organisations cut corners by bringing in security technologies without understanding their process design needs.

What tends to happen is that security teams purchase flashy products which ostensibly make them more efficient and effective. But if they're trying to automate processes that they haven't actually defined, they end up automating a mess. This is quite often what we see out there.

Sweating value
CFOs thus must look for the value of cybersecurity in terms of security teams and how they leverage security systems. This approach doesn't remove the question of cost. Cybersecurity remains expensive, but there are ways to reduce that expense by generating value. The trick is to not focus on bargains.

CFOs should push back on things like price and value. But don't go with the cheapest security solution unless it's one of the better solutions. Cheap can mean more costs down the line. Security teams evaluate five or six solutions, and then they go with options based on price. What happens is when they get breached, they spend more time and money resolving the breach than they did on the original security solution.

It's essential also to evaluate if internal security skills are being put to their best use. Often there are security tasks that could be outsourced to managed security service providers, freeing up internal security staff to focus on areas such as security strategy and design, aligning those with business requirements. But if security and the business keep a distance from each other, security will become more costly without any clear value destination.

It's all about your security being operated and run effectively. You can end up buying these great security solutions, but then they're not integrated or running correctly. You're paying 100% of the price but only getting 20% of the value. Collaborate with your security officers and pay close attention to their teams. Don't look for that technology silver bullet to beat back the criminals – it doesn't exist. But if you enable your security people to use their skills and weave security features into business tools, you can reliably access data and applications while keeping security costs under control.

Related articles

Why social impact is a critical issue for CFOs

With South Africa among the bottom 20 percent of countries when it comes to social impact effectiveness, Kearney experts unpack how CFOs can align purpose with profit to improve the “S” in their ESG impact.

CFOs should be Road Runners, not a Wile E. Coyote, says Ray de Villiers

Future of work guru Ray de Villiers says that, as the role of finance teams changes due to generative AI taking over their number-crunching responsibilities, it’s up to CFOs to make sure their people understand what the new future will look like, and the power they have to impact it.

How to be an optimistic CFO in 2024

The CFO Centre’s Rowan de Klerk reveals how CFOs can remain optimistic in the new year despite the challenging business environment South Africa is in.