How Finance and HR Can Team Up to Improve Cybersecurity

This article was updated on June 11, 2018.

The fight to ensure data security includes far more than the tech team. Finance leaders can play an important role in cybersecurity by quantifying risks and helping their organizations better understand the threats from cyberattacks. They not only have a high level of internal and external visibility, but can also support security investments and influence every department of their organization, from IT to HR.

How Finance Leaders Can Manage Cybersecurity

According to the Ponemon Institute, a typical cybercrime incident costs a U.S. business an average of $17.36 million. While organizations are increasingly looking to initiatives to thwart such attacks, one of the first steps in creating effective security measures is identifying each risk, estimating its probability and quantifying its impact on the organization.

Deloitte notes that many sophisticated approaches to managing risk in the financial industry could be applied to cyber risk management. The financial services industry is already accustomed to adopting complex computer system architectures; such types of risk modeling have been in place for over three decades, according to the report.

Value-at-Risk Models Could Help Quantify Risks

According to Deloitte, the Partnering for Cyber Resilience initiative has framed a value-at-risk (VaR) model, which is widely used in the financial services industry, and believes it has the potential to serve as an effective cyber risk measurement tool for decision-makers. Often used for information security, VaR models offer a foundation for quantifying information risk and provide structure in the quantification process. This modeling measures the amount of the potential loss, the probability of the loss and the timeframe in which it could happen.

A VaR model for cyber risk can help put the risk in financial terms and enable business executives to make cost-effective decisions that achieve a balance between protecting the organization and running the business. Organizations can consider things like the frequency of attacks, security trends and how particular attacks could penetrate their systems and quantify the potential impacts. A business can embed a cyber VaR across its risk management framework to reinforce its cybersecurity program with continuous engagement and support from senior management.
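To make the three VaR inputs described above (loss amount, probability and timeframe) concrete, the following added example, which is not from Deloitte or the Partnering for Cyber Resilience initiative, runs a Monte Carlo simulation of one-year losses and compares a baseline against a control that halves incident frequency. The scenario names, rates, loss figures and the Poisson/lognormal distribution choices are all constructed assumptions.

```python
import math
import random

# Constructed scenarios (illustrative assumptions, not data from the article):
# expected incidents per year, median cost per incident, lognormal spread.
SCENARIOS = [
    {"name": "phishing-led compromise", "rate": 2.0, "median_loss": 50_000, "sigma": 1.0},
    {"name": "ransomware outage", "rate": 0.3, "median_loss": 400_000, "sigma": 1.2},
    {"name": "large data leak", "rate": 0.1, "median_loss": 1_500_000, "sigma": 1.0},
]

def poisson(rng, lam):
    """Draw an incident count for one period (Knuth's method, small lam)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_losses(scenarios, trials=20_000, seed=1):
    """Return sorted total losses, one per simulated one-year period."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            for _ in range(poisson(rng, s["rate"])):
                total += rng.lognormvariate(math.log(s["median_loss"]), s["sigma"])
        totals.append(total)
    return sorted(totals)

def value_at_risk(sorted_losses, confidence):
    """Loss that is not exceeded in `confidence` of the simulated periods."""
    n = len(sorted_losses)
    return sorted_losses[max(0, min(n - 1, math.ceil(confidence * n) - 1))]

def scale_rates(scenarios, factor):
    """Model a control that cuts incident frequency by a constant factor."""
    return [{**s, "rate": s["rate"] * factor} for s in scenarios]

if __name__ == "__main__":
    base = simulate_losses(SCENARIOS)
    mitigated = simulate_losses(scale_rates(SCENARIOS, 0.5))
    for label, losses in (("baseline", base), ("rates halved", mitigated)):
        print(f"{label:>12}: mean ${sum(losses) / len(losses):,.0f}  "
              f"95% VaR ${value_at_risk(losses, 0.95):,.0f}  "
              f"99% VaR ${value_at_risk(losses, 0.99):,.0f}")
```

The difference between the baseline and mitigated VaR figures is the number a finance leader would weigh against the cost of the control.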

Partnering With HR and IT

Within an organization, finance leaders can play a strong role in cyber risk management because many are already familiar with modeling strategies like VaR. Deloitte reports that 97 percent of finance leaders believe cyber attacks are a significant threat to their organizations — yet only 10 percent are well prepared for such an attack.

Finance leaders can take a stronger role by tracking the information that leaves the organization, where it's going, who's accessing it and what software is being used. Grant Thornton notes that finance leaders can work with HR as a change management partner, communicating to the organization in partnership with IT. Financial leadership can also encourage HR to approve and enact data protection policies, help find where employee security practices may be lacking and enact more effective training and education.

Taking the Lead and Setting the Tone

Finance leaders can serve as stewards of security awareness and educate board members on the importance of protecting sensitive and confidential information. According to Grant Thornton, they can also directly bolster security by advocating for investments that promote security, reduce risk and foster long-term growth.

Financial executives can set a tone of awareness and responsibility throughout their organization and can delegate, approve and oversee security. They can help take the lead on driving security initiatives by setting up a team or task force that includes members from finance, IT and legal departments. From there, clear goals and risks surrounding cybersecurity can be laid out, leading to a greater understanding of what types of resources would be needed across the organization.

As organizations face the rapidly growing threat of cyber attacks, they can help reduce risk by fostering collaborative relationships internally. With security experience, risk analysis and the ability to effect change, finance leaders can lead the charge to greater cyber resiliency.