I admit it, I am a Star Trek fan. I especially love it when Captain Picard says to his team, 'make it so'. In many respects, this is what I think CFOs are likely saying to their CISOs or CIOs about data security.
Of course, you are probably asking at this very moment why the CFO should even need to take on this function. I know that when I interviewed CFOs a few years ago, they said that they worried about data security, but they also said they weren't responsible for it. Much has changed in the last two years. A recent Grant Thornton survey of 912 CFOs found that 38% of respondents identified the CFO as the position most often responsible for cybersecurity. Now, to be fair, the CIO came in a close second at 36%. But this shouldn't be a cop-out, because a high percentage of CFOs actually have these CIOs reporting to them.
According to Grant Thornton, an amazing 44% of finance leaders feel the most significant concern for their organization today is cybersecurity. 57% said undetected breaches were what worried them the most. Making matters more worrisome, the average cost of a data breach in 2015 rose, according to a Ponemon Institute study, to $3.79 million.
Given this, I asked Forward Thinking CIOs why security does not happen systematically. Their answers grouped into four categories.
- Business priority
- Lack of vision and leadership
- A willingness to gamble
- Only a necessary evil
CFOs clearly have a role in helping their organizations, as the Apple campaign slogan says, to 'think different'. 'Goodwill' is an interesting place for CFOs to start. Under Sarbanes-Oxley, CFOs need to re-attest to it annually. Given this, what happens to 'goodwill' when you have a loss of customer data? How much would you need to take down your existing 'goodwill'? As Yahoo has shown, the markdown to 'goodwill' resulting from its customer data loss can be sizeable.
Making it so
CIOs provide great guidance for CFOs trying to protect their enterprise's data. They suggest that, in contrast to the 'big iron days' when all data was in one place, an ecosystem approach to data security is now essential to business success. In the cloud-first, SaaS-ready era, data protection should no longer focus on perimeters. CIOs say that effectively the entire world is now your perimeter. For this reason, you need to focus on the points of use. In a world with only virtual boundaries, you need to shift from protecting systems to protecting data. A CIO in the education sector put it this way: 'you know those flight maps in the airline magazines? Those are our data movement maps. We have in our environment data flying all over the place.' Today, protecting data needs to be a 360-degree conversation. It needs written policy, user transparency, and data protection. And attention 'needs to be given not to the pieces but to the whole enchilada.'
It seems clear that 'making it so' means that data security needs to be viewed holistically and, most importantly, given an appropriate business and IT priority. Otherwise, your enterprise is likely to become hostage to public scrutiny and to income and business losses, as Yahoo has shown. As one CIO put it to me, 'a company's reputation is built over years but can be destroyed in minutes. Information security is business critical in digital times.'