7 Questions to ask your CFO to get more Cyber Security Investment

CISO Interview Series: Leon Fouche, Partner: Cyber Security and Technology Risk, BDO in Australia

Many organisations are embarking on transformation journeys to reshape their business and move into digital. Do you see them understanding the importance of Cyber Security in that change?

There are various levels of maturity in the market. At one end you have organisations that understand that information is an asset that needs to be appropriately protected. These organisations tend to have well-established internal risk management strategies and processes that will assess the risks of adopting and implementing new technology, and guidance on how to mitigate these risks.

Then at the other end of the spectrum you have organisations who want to be innovative and first to market, but who sometimes lose focus on security. These organisations are likely to be more focused on the digital solution and often consider security late in the cycle (i.e. security is built in and not designed in).

Finally, in the middle are often the ‘followers’. These are organisations that feel they might be missing out on an opportunity because they don’t have a service offering and rush in for a solution. Unfortunately, this means they may not give enough attention to the associated security risks.

Leon, you work with many CIOs and CISOs. When you think about the ones that you really rate – what are the attributes that really count?

The really great CIOs and CISOs are those that understand that information is a business asset. They also understand the strategic threats in their industry and their business. At the same time they have a good relationship with the Board and C-suite of their business.

Their personal manner is innovative, and they proactively work with the business to achieve outcomes. I’ve also noted that they don’t take the position of “no-that-can’t-be-done”. There is a ‘can do’ attitude and they are definitely not a “door mat”.

Also, they tend to understand the business and supply chain and what the risk exposures are within each component of the supply chain. And they have an industry/market presence and actively participate in industry.

(A great example of a professional that I really rate is Mike Burgess from Telstra.)

As organisations move into the cloud and into effectively hybrid environments, what’s your view on managing these threats? Surely the risks are higher and the skills required are increased?

Yes. That is correct. It is important for organisations to understand that using the cloud does not mean they have “outsourced” their risks and that someone else is taking care of it. The risks and their treatment remain their responsibility.

Organisations must have a true understanding of the whole IT services supply chain and what the security risks are within that. With that in mind, it is important to have a good understanding of what I refer to as CIA (confidentiality, integrity and availability) within the IT services supply chain.

It is also important to know who is responsible for each service component – especially in a hybrid environment where service delivery is shared. Organisations also need to invest in building contract and partner management capability.

Most organisations do not invest enough in Cyber Security. When you talk to CFOs, what are the questions that you ask to try to convince them that they need to reconsider this position?

The dialogue would be a series of questions and clearly I would be watching for body language and the CFO’s responsiveness. I would start by asking:

  • What is your most valuable asset in your business? If IT systems and corporate information are not in their response, I always ask why not.
  • Do you know what the financial and reputational impact will be if normal business operations are interrupted by a cyber-incident?
  • What strategies do you have in place to recover from a cyber-incident? When was the last time you tested this?
  • What level of insurance do you have to cover for business interruption? Does it cover cyber incidents?
  • Do you know what your competitors are doing in this space?
  • How much of your business spend is allocated to cyber security and can you measure the return on investment? If not, do you want to?
  • Do you understand the regulatory environment and how that could impact your business if there is a cyber incident?

Give it a try, this approach has worked well for me in the past.

What’s your view around the awareness of boards of the risks of Cyber Security in enterprises - is enough being done to educate them?

There has been some good progress here and we are seeing more boards now starting to discuss cyber risks within their organisation.

The media has played a role in this education process. For instance, leading up to the G20 in 2014, the local media regularly reported on cyber risks and impacts, which helped the Queensland business community become more aware of cyber risks. Then there is a role for Risk and Audit Committees to play in doing more to educate the board on cyber risks within their business.

We also find that Non-Executive Directors who sit on multiple boards help with the education process. Despite this, there appears to be a general lack of awareness amongst boards about their liability in regard to cyber-incidents and this is no different to their traditional statutory responsibilities.

Overall there is more work to be done to get Boards to shift from just awareness and education into action – with a commitment to ongoing assessment, remedy and assurance of cyber risks.

When I think about two-speed IT (Run IT and Change IT), both come with different threats and opportunities. What’s your view on managing this?

For me, social networks, the Internet of Things and big data, amongst other things, are “business disruptors” that organisations will need to consider and assess in line with their business strategy and planning to determine if and how they adopt them.

These will likely introduce new threats and opportunities, which organisations need to assess and understand in terms of how these will impact their industry, business, staff and customers. Thus it is important for organisations not to lose sight of the basics – remember that information is an asset and it needs to be appropriately protected (think CIA approach) anywhere and anytime.

Thus, with this in mind, the same risk management principles apply – have a good understanding of your risks, consider how they measure up against your risk appetite, and put plans in place to manage this or bring the risk back to a level you are comfortable with.

I’ve been writing recently about managing threats to critical infrastructure. What’s your view on how mature the Australian environment is?

Firstly, my view is that critical infrastructure is defined as what government describes as assets central to the functioning of a society and economy. The critical infrastructure operators in Australia are growing in their understanding of the cyber risks within their industry segment and environment.

However, at the moment, Australia doesn’t have firm cyber security industry standards that critical infrastructure providers need to adhere to, such as NIST. The Australian Cyber Security Centre recently released its first public report on the threats to critical infrastructure operators and industry sectors. This means there is only now a wider awareness of the cyber threats within the different sectors.

Infrastructure operators are now in a position to work through these threats as part of their strategic cyber planning activities – many have already started working on improving their cyber resilience.

The Banking and Telecommunications sectors are the clear front runners, and utility operators, that is, electricity and water operators, are lagging behind the rest. This is mainly due to the geographical spread of their Industrial Control Systems (ICS) and how these integrate back into corporate networks.


Let’s remember that the other challenge within this sector is that legacy ICS systems were designed for high availability with limited focus on security. Newer ICS systems have better security, but it will be a while before these are implemented.

In summary, some sectors are more mature than others, but a lot more needs to be done.
