Austin Clark considers why cybersecurity and the upcoming GDPR deadline should be embraced – and viewed as an opportunity by financial leaders
Cybersecurity is big news at the moment. A seemingly endless stream of high-profile breaches has hit the headlines, while the May 25th GDPR compliance deadline has focused attention on data and the way it’s stored and handled by organisations of all sizes.
However, despite the financial and reputational damage caused by cybersecurity breaches and the increased penalties coming into play with GDPR, too many organisations are still failing to take cybersecurity seriously. And it seems that much of the problem can be laid firmly at CFOs’ doors.
A survey of 2000 enterprise CISOs conducted by LTM Research found that 59% of respondents find it difficult to receive funding for security initiatives, and 70% of them are concerned about undetected breaches. So the CISO is charged with protecting a company’s crown-jewel assets from internal and external threats, but lacks the resources to build the team and implement the controls that job requires.
And that’s a worry — just ask Yahoo how much a data breach costs. The price of its acquisition by Verizon dropped by $350 million due to significant data breaches. And that doesn’t include the class action lawsuits that are starting to pop up.
One of the biggest assets any business has these days is its data, and just as is the case with any other asset, CFOs have a duty to protect it and understand the potential financial impact a data breach can have. It needs to be seen as an extension of enterprise governance, risk management, compliance, and control activities. Relevant resources need to be made available — and that means reconsidering relationships with CISOs, data protection officers and other cybersecurity professionals.
By teaming up with CISOs to address the cyber exposure gap, financial leaders can gain a stronger understanding of the exposed surface: the distance between the known threats that are addressed and those that aren’t, whether because security tools are inadequate, because threats are flying under the radar, or because protection is underfunded. The wider the gap, the greater the risk of incidents that will cost in terms of clean-up, lost business and declining stock value.
The good news for CFOs is that there has never been a better time to take a look at cybersecurity and how security controls interact with business processes – thanks to GDPR.
While the penalties are worthy of a CFO’s attention – fines for the most serious infringements can be as high as €20m or 4% of annual worldwide turnover, whichever is greater – the far-reaching regulation represents a wider opportunity to transform the way data is handled and managed from a risk and compliance perspective. It’s also a great opportunity to accelerate an organisation’s digital evolution journey, and address GDPR compliance requirements along the way.
It’s worth pointing out here that, while data tends to grab the headlines, governance is an equally essential element of the overall GDPR compliance programme. In fact, approaching half of all articles in the regulation are related to business procedures associated with policies, controls, record keeping, and accountabilities of different roles and entities.
The finance organisation therefore has a crucial role to play, which can be achieved through further partnerships – compliance and risk teams, in particular, need to be collaborating closely with other stakeholders such as IT, security, internal audit and legal departments.
Further good news for CFOs comes in the fact that investment in security pays for itself, because breaches are both common and costly. Figures released earlier this year by the UK government revealed that nearly seven in ten large companies identified a breach or attack, with the average cost to large businesses of all breaches over the period being £20,000, and in some cases reaching millions.
Add in the fact that a 2016 report by Centrify found that, over the preceding two years, firms that invested more in IT security experienced on average 6.8 times fewer breaches and saved more than $5 million, and it’s clear that spend on cybersecurity is a sound investment.
And that investment needn’t wipe out IT budgets, provided spending is channelled effectively and the budget goes on measures that reduce risk efficiently, such as tooling that automates risk assessments.
According to Gartner research, secure organisations can sometimes spend less than average on security as a percentage of the IT budget. In fact, the lowest-spending 20% of organisations are composed of two distinctly different types of organisations:
- Insecure organisations that underspend
- Secure organisations that have implemented best practices for IT operations and security, which reduce the overall complexity of the IT infrastructure and, with it, the number of security vulnerabilities.
Overall, the requirements of the GDPR and wider cybersecurity can serve as a useful accelerator by helping to channel resources into the right areas. Instead of thinking of it as an unavoidable cost, consider it as a valuable investment in your digital future.
Austin Clark is a digital transformation and cybersecurity journalist