How Do I Securely Optimize My Business? Conversations with a CFO
TMCnet - The World's Largest Communications and Technology Community
[December 14, 2006]


By TMCnet Special Guest
Rachel Kahn, Vice President of Sales
 
“As CFO, I need to lead the company in making risk decisions that balance productivity and flexibility without significant risks to the company image.”
–Fortune 500 CFO
 
 
Security is no longer just a function of the IT department: information security has become a business enabler. Ever-increasing compliance requirements and the risk of negative exposure mean that executives and boards now consider security a vital aspect of any successful company, and requirements such as SOX and PCI have put it squarely on the CFO's agenda. As a member of the organization's information security team you must understand how to speak the language of your financial officers. Begin by understanding that a CFO's primary concern is financial security, and that risk is the greatest source of uncertainty for an organization's bottom line.


 
What Is Meant By Risk?


From a financial standpoint, the following formula is a very simple way of estimating potential loss. Take the value of an asset (V), meaning the loss you would incur if it were compromised, and the likelihood of negative asset exposure (L), expressed as the expected number of such events per year, and multiply the two. The result is the annual loss exposure (V*L=E), better known as the annualized loss expectancy (ALE), or in other words the potential financial risk per year. The formula covers one asset and one kind of exposure; the company-wide figure is the sum over all of them, and the "annual" in the name only holds if L is an annual rate rather than a bare probability. According to the 2006 Ponemon Institute Cost of Breach Study, the average data breach costs 4.7 million dollars per incident. Worded more conservatively, Gartner stated that “a realistic figure for a mid-range breach of tens of thousands of accounts will be in the range of $90 to $100 per account.” Even without an immediate major breach, a significant exposure carried over several years is one the responsible CFO recognizes as an unrecorded loss every year: until the incident occurs it is an ever-growing debt that may come due all at once. The ALE therefore represents a reasonable ceiling on the annual investment in reducing the chances of such an event.
 
Threats are increasing and risk is higher than ever. Without the knowledge of your company’s asset value or exposure risk you are unable to make critical strategic investment decisions.
 
Many companies view compliance requirements, whether government mandated such as Sarbanes-Oxley or private initiatives such as the Payment Card Industry (PCI) standards, as burdensome and costly. The truth is, however, that these requirements help quantify the formerly vague. PCI, for example, sets forth a clear and quantifiable risk-related cost: up to $500,000 per incident for a merchant or service provider that has not met compliance requirements at the time of an incident, or, worse, loss of the right to accept credit cards at all. Armed with significant and concrete figures, the CFO is in a position to calculate an ALE for the company that cannot be ignored, and to use these figures as a clear argument for risk-remediation projects. Under recent regulations, a security failure may also mean criminal action. Boards are making security a priority, and so are an organization's chief financial teams.
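To make the V*L=E arithmetic above concrete, here is a short worked calculation in Python. It is an added example, not part of the original article: it computes an ALE for a cardholder database using the article's own figures (Gartner's $90 to $100 per account, and the PCI penalty of up to $500,000 per incident when non-compliant) and then weighs two candidate controls against that ALE to answer the CFO's "how much will this cost and what is the return" question. The account count, event rate, control costs and likelihood reductions are constructed illustrations, not figures from the article.

```python
"""Annualized loss expectancy (ALE) and control cost/benefit, worked through.

Added example; not code from the article or its author.  The article's
formula is V (value of the asset, i.e. loss per event) times L (likelihood,
i.e. expected loss events per year) = E, the annual loss exposure (ALE).
Per-account breach cost and the PCI penalty come from the article; every
other number below is a constructed illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

GARTNER_COST_PER_ACCOUNT = 95.0       # midpoint of the $90-$100 range quoted in the article
PCI_MAX_PENALTY_PER_INCIDENT = 500_000.0  # "up to $500,000 per incident" if non-compliant


@dataclass(frozen=True)
class Asset:
    name: str
    loss_per_event: float    # V: dollars lost if the asset is compromised once
    events_per_year: float   # L: expected number of such events per year (annualized rate)

    def ale(self) -> float:
        """Annualized loss expectancy for this asset: V * L."""
        return self.loss_per_event * self.events_per_year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float            # what the safeguard costs the company each year
    likelihood_reduction: float   # fraction (0..1) by which it reduces L

    def ale_after(self, asset: Asset) -> float:
        """ALE for the asset once this control is in place."""
        return asset.loss_per_event * asset.events_per_year * (1.0 - self.likelihood_reduction)

    def rosi(self, asset: Asset) -> float:
        """Return on security investment: (ALE reduction - cost) / cost.
        Positive means the control pays for itself in reduced expected loss."""
        reduction = asset.ale() - self.ale_after(asset)
        return (reduction - self.annual_cost) / self.annual_cost


def breach_loss(accounts: int, compliant: bool,
                cost_per_account: float = GARTNER_COST_PER_ACCOUNT) -> float:
    """Single-event loss for a breach exposing `accounts` records.
    A merchant that is not PCI compliant at the time of the incident also
    carries the penalty the article cites (modelled here at its maximum)."""
    penalty = 0.0 if compliant else PCI_MAX_PENALTY_PER_INCIDENT
    return accounts * cost_per_account + penalty


def portfolio_ale(assets: Iterable[Asset]) -> float:
    """The article's formula is per asset; the company-wide exposure is the sum."""
    return sum(a.ale() for a in assets)


def example() -> Dict[str, float]:
    """Constructed scenario: a cardholder database of 50,000 accounts at a
    non-compliant merchant, with a breach expected once every eight years."""
    db = Asset("cardholder database",
               loss_per_event=breach_loss(50_000, compliant=False),
               events_per_year=0.125)
    # Two candidate safeguards, both assumed to halve the likelihood of a breach.
    encryption = Control("encrypt cardholder data + monitoring", annual_cost=150_000.0,
                         likelihood_reduction=0.5)
    rebuild = Control("full platform rebuild", annual_cost=400_000.0,
                      likelihood_reduction=0.5)
    return {
        "loss_per_event": db.loss_per_event,
        "ale": db.ale(),
        "rosi_encryption": encryption.rosi(db),
        "rosi_rebuild": rebuild.rosi(db),
    }


if __name__ == "__main__":
    for k, v in example().items():
        print(f"{k:>16}: {v:,.4f}")
```

In the constructed scenario the single-event loss is $5,250,000 (50,000 accounts at $95 plus the $500,000 penalty), the ALE is $656,250, the $150,000 control returns about 119% on its cost, and the $400,000 one loses money even though it reduces risk by the same amount; that is the kind of comparison a CFO expects before approving either.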
 
Reputation
Consider another example impacting your bottom line. A CFO of a Fortune 100 company articulated the concern. ‘We are in the business of outsourcing. We house sensitive data about our clients and their customers. Much of that data involves financial transactions. Despite our best efforts to secure our data, our systems experienced a major breach a few months ago. While we have resolved the issue, my confidence level in our security is very low. Worse, I fear that the word of the breach will soon go out. If that happens, not only will I lose some of my existing customers, but my competitors will have a field day with this information. I run the risk of losing a major market share in my business.’
 
If your business is not secure it can inhibit your ability to meet your critical success factors. As discussed, data loss due to privacy violations, theft, or disclosure of sensitive information, interruption of service, and legal penalties can dramatically damage your organization’s reputation and ultimately your profit statements.
 
When approaching the CFO, always remember that the primary areas of concern are regulatory compliance, risk, cost, and return. Be prepared to answer the questions “How much will this cost?” and “What is the return?” The return will often be in risk reduction and increased compliance rather than quantifiable increases in profit. Address the priorities of the organization and the impact of inaction.
 
The examples above make clear that an organization must operate with the highest level of efficiency and flexibility while increasing revenue and decreasing risk. Imagine the impact on online banking or ATMs if sensitive information such as PINs or account details were disclosed. In another scenario, would you feel comfortable knowing that your private health information could be leaked?
 
Next time you are in a conversation with a CFO ask the following questions…
 
Compliance:
  • What do you think of the Sarbanes-Oxley Act and its impact on your company?
  • How much is SOX costing you? How successful have you been at becoming compliant?
  • Does your company handle credit cards? Is it subject to PCI compliance?
  • How much are your compliance efforts costing you? How successful have they been?
  • Are you subject to HIPAA, FFIEC guidance, GLBA, or similar regulations?
 
Threat:
  • Have you had a security breach?
  • Did it become public?
  • What would you do if your IT director reported to you that a security incident was underway?
  • Do you have any plans to control how news of such an incident would be communicated to the public? To the Board?
  • What is the impact on your company reputation if a breach occurs?
 
Mitigation Strategy:
  • What independent external audits have you undertaken to confirm the security measures taken by your IT team?
  • Would you allow a year or more to go by without a financial audit? Do you agree that the same principle should apply for a security audit?
  • How do you protect transactions and customer privacy?
  • How does your company protect its critical assets?
  • Does your organization have the appropriate solutions and tools in place?
 
Implement only those safeguards that serve your organization’s business needs. Understand that information resources are essential enterprise assets. Link policies to business risk. Promote awareness and hold people accountable. As you discuss a best-practices approach to mitigating risk, a few key strategies may mean the difference between reactive spending that drains revenue and investment that increases return and enables the business.
 
Rachel Kahn is a Vice President of Sales with Entrust. Ms. Kahn is certified in several areas including information security, project management, and information security leadership. Ms. Kahn can be reached at rachel.kahn@entrust.com.
 
