IT Security: Getting the CFO Involved

by Sonal Desai    Oct 24, 2008

On October 20, about 2,000 chief financial officers (CFOs) across Washington received a copy of an action guide based on the annual economic impact of cyber attacks on businesses.

The guide, released by the American National Standards Institute (ANSI) and the Internet Security Alliance (ISA), is intended to help CFOs deal with cyber attacks. The document provides guidance to CFOs and their colleagues responsible for legal issues, business operations and technology, privacy and compliance, risk assessment and insurance, and corporate communications. It is organized in a question-based format, which makes it applicable to virtually any industry and any set of business circumstances, according to an ANSI press release.

Back home in India, the question of whether CFOs can help prevent cyber attacks drew a mixed response.

Sumit Chowdhury, CIO of Reliance Communications, equated the proposal with an insurance policy, where security is paramount. One needs to calculate the risk involved, and modeling that risk is the joint responsibility of the CFO and the CIO. “The CFO’s job is not to manage the risk, as much as the CIO’s job is to take business decisions. The CFO has to validate the business case and fund the risk adequately.”

A CFO, however, should be able to judge the quantification of risk. It is a question of how much insurance is required. “Some CFOs get it, and some do not.”

The guide seems to suggest that once the decision rights lie with the CFO, he would support more investment in security, said Madan Mohan, director of consulting and managing partner at Browne and Mohan. “In fact investments in IT security are completely dependent upon the extent to which it drives sales and growth.”

The action guide can be read as a measure of the maturity of functional strategy. How? In organizations where IT is passive and does not affect internal or external functions, a CFO can cut budgets. On the other hand, in organizations where IT drives internal functions and influences external market players such as dealers and distributors, the impact of security, and hence that of a CFO, is low.

For example, at Marico, which is termed a stage-four IT-mature company, IT strategies drive the organization, and no effort is spared on security or other fronts, so as not to compromise its competitive advantage.

Said Chowdhury, “If the CFOs fail to understand the risk adequately and fund the measure, the risk can become a reality. Alternatively, this decision can be influenced by CIOs who are not able to quantify and justify the investment.”

In organizations with large IT deployments, CFOs typically do have a role in data security. Data and information security is the CIO’s responsibility. Many companies have a chief information security officer (CISO) who ensures that data and information on the computers is safe, and the CISO reports to the highest authority in the organizational structure.

“All the same, cyber attacks continue to occur despite layers of firewalls, spam filters and ISO 27001 certificates. What any organization can do is try and prevent these attacks. If hackers can hack into the data of the Pentagon and NASA (both of which are among the most protected organizations globally), a cent-per-cent cyber-attack-free IT environment is a difficult task,” said Jayesh Shah, VP of corporate systems at Wadhawan Holdings Pvt. Ltd.

Awareness among CFOs of the various risks involved with cyber attacks will convince them of those risks and hence of the investment required. “Also, it is a question of brand equity and customer confidence, which no company can compromise,” said Dharmesh Mehta, security analyst at Mastek.

Many CFOs in India are currently not aware of the risks involved with cyber attacks, and hence cannot calculate the financial implications. “A CFO has to learn to look at security from a different perspective, and keep tabs on the trends and business practices to mitigate risks.”

Said Mohan, “CFOs need to be educated on the opportunity cost of IT availability and not just ROI calculations.”