The CFO Leadership Council conducts professional development programs with the goal of
empowering CFOs across the globe to make better strategic IT decisions.
As part of this I was moderating the seminar titled:
Cybersecurity Resilience and Best Practices for Fraud Prevention - Why should a CFO care
and what can they do about it?
Dr. Willie E. May of the National Institute of Standards and Technology (NIST) and many other leaders
have often stated that "Cybersecurity Is Not Just an IT Issue, IT Is a Business Risk." Because
financial executives are quantitative by nature, I would like to put the cost of cybercrime in
context:
Per CNBC: Cybercrime costs the global economy $450 Billion
Forbes: Cybercrime costs projected to reach $2 Trillion by 2019
Here are a few relevant points for the broader cybersecurity community, CFOs, and the boards in
most industries and organizations of all sizes.
A) When performing Risk Analysis and Risk Management, ask these questions:
Which assets, digital and physical, is the organization trying to protect?
How is the data classified? And how is it treated differently?
Where is the risk?
How could that risk change over time?
After these questions are answered, identify where to begin. Too many companies attempt to
“protect everything” and wind up not protecting much at all.
Choosing an intrusion detection system (IDS) that best suits the organizational needs is critical.
The options available are:
Network-Based intrusion detection system
Host Based intrusion detection system
Blended option (RealSecure type systems)
Three things to consider when choosing an intrusion prevention system (IPS) are:
Detection capabilities
Context understanding
Threat intelligence use
Follow all the other steps you would take when any other mission-critical technology is acquired.
B) How to reduce the chances of a hack, and steps to take when there is a compromise:
Have multiple levels of authorization.
Reach out immediately to the financial institution (if the finance systems are compromised).
Documentation of every process is important.
Training is critical – specifically against the common social engineering attacks (pretexting, quid
pro quo, tailgating, baiting, watering hole attacks, diversion theft, phishing by phone, and spear phishing).
Do not shame or punish when someone opens a malicious link. Use it as a teaching moment.
Create a culture where employees are not afraid to share what they did.
Acting immediately when breached minimizes the impact on the business and the customers.
Want ROI? Act fast. Contact the law enforcement authorities.
A cyber breach is like quicksand. One doesn’t realize that the next step taken could sink them.
Pay attention to Business Email Compromise (BEC). Attackers often approach a company through
email, manipulating the target into letting malware in or authorizing a fraudulent wire transfer.
When developing technology, most designers/engineers use test-driven development (TDD); applying a
similar test-driven cycle to cybersecurity enhances the posture:
1. Test
2. Measure
3. Improve
4. Tabletop test
5. Monitor progress.
6. Simple clean up. Delete inactive/duplicate data.
F) How can the staff, CFOs, and the board enhance the cybersecurity posture?
Cybersecurity involves Process + People + Technology. Be engaged, ask questions, document,
and follow up. If the C-suite is not versed in the latest threats or unsure which questions to
ask, work with passionate consultants whose industry expertise can fill in the gaps.
If CFOs of small-to-medium (SMB) size companies are dealing with a lot of inbound/outbound financial
transactions, they should shop banks for security tools that come with support, and ask the staff
where they can avoid reinventing the wheel.
COST MATTERS
Executives almost immediately ask about the cost of such best practices. A thorough and well
implemented security plan does not need to be exorbitantly priced.
Can you find consultants who combine excellent work with a reasonable cost? It’s not easy to find
cybersecurity/business technology consultants with the needed industry expertise who can also
readily prove the ROI. Instead of the typical consultant model of “ideas” only and no
“implementation”, look for the ones who work relentlessly to solve the problems with passion
rather than a desire for a quick contract.
My IT and business advisory processes have been honed over the past two decades across the
globe in a variety of small, medium and large enterprises, and have assisted in expert decision making
around “partner,” “buy” or “build” decisions to enable business strategies. I served in leadership
capacities at a range of companies including TechVelocityPartners.com, Cox Group, CUNA,
IBM Corporation, Corcoran Real Estate, Blue Cross Blue Shield, Global Healthcare
Rehabilitation and more, and was responsible for strategy, innovation, corporate growth, operations,
P&L, and product management.
I have observed that some departments view their role as supporting the objectives of a cost
center (overhead).
I focus on:
2) Using IT as a means to attract, keep and engage employees and customers... while generating
sales, increasing profitability and customer satisfaction, guided by the "Rotary 4-way test."
Are you prepared to accelerate business success by transforming into an omnichannel
digital enterprise, for a better long-term marketplace position?
Are you confident that your IT advisors are helping you exceed your business goals?
Are you satisfied with the way your company calculates ROIT (return on IT spend)?
Are you sure that when a new product or service is developed, the TCO (total cost of ownership)
is reduced and the ROIT is improved?
Panel members:
Chris Veltsos @DrInfoSec - Risk and Privacy Strategist, Minnesota State University
Damien Riehl, Vice President, Stroz Friedberg
Doug Underwood, Risk Advisory Principal, RSM
Kyle Mekemson, VP Global Treasury Solutions, Bank of America Merrill Lynch
Feel free to comment on your experiences in uncovering or thwarting cybersecurity threats and
risks.