Why collaboration is the critical link in cybersecurity
Cybercriminals are increasingly targeting the Asia-Pacific region prompting calls to do more to safeguard critical infrastructure and businesses from costly extortion. Australia, Malaysia, Singapore, India, and the Philippines are just some of the countries making headlines recently, with 41% of organisations having experienced 3-9 breaches in the last 12 months. The severity is resulting in governments taking a closer look at how they can improve regulations and policies to hold organisations more accountable for internal processes and their customer data.
Today's reality is businesses need everyone in leadership roles to not only acknowledge the evolving threat landscape but also have awareness and willingness to act on cyber risk. Smart businesses know that it is not just the IT and security teams who need to be investing in cyber security; it is also the role of CFOs. So, while 85% of organisations in Asia-Pacific say cybersecurity is on their board's agenda at least once a quarter, there needs to be careful alignment between risk, allocation of cyber resources, and governance and compliance to ensure maximum protection and return on investment.
For this reason, close collaboration between the CFOs and CISOs is crucial.
Speak the business language
CFOs and CISOs can work together to align cybersecurity risks and goals with larger business objectives and translate cybersecurity jargon into the language of the business. For example, they can communicate cyber risk as a financial risk. What would an hour of downtime caused by a breach cost the business? What is the potential impact on the stock price and shareholder value? What is the potential cost of a vulnerability versus the cost of fixing it? What about the loss of sensitive data and reputational damage? Essentially, by doing this, they are better able to align investments in cybersecurity to managing risk relative to the organisation's critical infrastructure and systems.
Speaking the business language centres around risk and ROI, not threats and vulnerabilities. At the end of the day, security monitoring tools and threat intelligence can paint a good picture of the rise of cyber attacks, but they can't answer the basic question of so what?
Together, CFOs and CISOs can make sure the strategy to mitigate the risks is clear and that an investment strategy is specifically aligned to help mitigation objectives. They can work together to track ROI and adjust as required. Decisions need to be made in collaboration, striking a balance between risk priorities and effective security controls.
Understand and quantify long-term risks
Unfortunately, the C-suite can fall into the trap of viewing cybersecurity risk as binary – either a business is at risk or it is not. In fact, there is always a level of risk, but it is not about whether the risk is high or low risks anymore; it is about good and bad risks.
CFOs and CISOs need to reframe how they view risks in a way where they understand what risks can be accepted in a calculated way for their business to grow and innovate. By aligning the cyber risk matrix with the overall organisation's risk matrix through a data-driven approach, decisions can be undertaken around risk mitigation, transference or acceptance before embarking on a new initiative, and often the risks are financial in nature.
This reframing of mindset is particularly important for the C-suite and board members. While they necessarily do not need to know the specifics of how cybersecurity technology works, they need to be aware of the level of protection needed and have a backup plan in the event of an incident – because they could potentially be held responsible if their organisation suffers an attack.
Another example is cyber insurance. Cyber insurance is a tool for mitigating risks that generally covers liabilities related to data breaches, business continuity and extortion. However, some policies may not cover the loss of value as a result of intellectual property theft or the cost of upgrading software. CFOs should carefully assess its benefits and not rely on cyber insurance alone but rather implement it with a strong cybersecurity program. Doing so will be conducive to attracting good cyber insurers and may have an impact on premiums paid.
By working to shift the current mindset to one that quantifies risks and predicts the true cost of vulnerabilities, CFOs and CISOs can better protect businesses' financial and cybersecurity health. Additionally, with the CFO working in collaboration with the CISO, both will be better positioned to communicate the value of cybersecurity as an organisational and strategic imperative.
Doing more with less: how businesses can gain efficiencies in cybersecurity
As businesses face a constant onslaught of cyberattacks, the complexity of managing vendors and point solutions creates security gaps. In fact, businesses in APAC today use an average of 32 security tools and solutions and partner with 14 security vendors. And it is anticipated by analysts that cybersecurity teams will need to consolidate their vendor environments and pursue platforms that are comprehensive and scalable. This approach is one to be considered by CFOs and CSIOs to help ease procurement, management, and operations of the cybersecurity stack while reducing cyber risks and improving security posture.
Keeping in mind the looming threats of an ever smarter and more technologically advanced cybersecurity landscape – ransomware as a service model and the introduction of new tactics on the dark web – CFOs and CSOs together also need to gain an understanding of leveraging artificial intelligence and machine learning to help prepare businesses for the evolving digital landscape.
For example, Autonomous Response is significantly used to address threats without human intervention, but the need is to take intelligent action to counter these evolving threats. While organisations can ensure a baseline level of cybersecurity by implementing practices, it does not guarantee protection from newer, more advanced threats. As AI-powered attacks become a part of everyday life, businesses, governments, and individuals must turn to emerging technologies such as AI and machine learning to generate their own automated responses.
With cyber threats increasing and evolving, a strong and coordinated C-suite effort is essential. What the CFO brings into the boardroom is a unique view of the adverse impacts a cyberattack can have on a business from a financial, reputational and operational perspective. By working together and collaborating on understanding risk, strategy, budgets, leadership and CEO and board communication, CISOs and CFOs can enhance cyber posture and culture, ultimately helping better prepare an organisation for the future.