By Drew Del Matto, CFO at Fortinet
When a natural disaster hits, communities are often caught off guard and have to rush to come together with supplies, shelter, and protection from the harsh realities of Mother Nature. More often than not, these communities didn’t anticipate the disaster and therefore are operating in reactive mode to get the adequate supplies, operations and finances in place to protect people and rebuild communities. If they had planned ahead, the trauma of the disaster would have been mitigated and controlled more quickly.
The same reality can apply to an organization that experiences a security breach. CFOs and Board members are always keeping an eye on costs and are focused on proper budgeting and spending to meet bottom-line targets. However, if a meaningful security breach happens, expense control can go out the window as companies desperately try to beef up previously lacking security defenses. Even worse, the brand is affected and top-line sales are lost.
It’s evident that the cost of cybercrime to corporations has skyrocketed, but investments in security simply haven’t kept up. The typical company only spends between 1% and 5% of revenue on IT security, which seems small when compared to the risk of lost sales, productivity and brand damage associated with a breach.
Think back to a massive, national retail chain breach that we all heard about. Following disclosure of their security breach, the company’s sales declined and it caused the company to miss their Q4 guidance. Customers were terrified about their financial privacy, the company’s stock fell and the CEO was fired as a result. There have been many since, from medical organizations and government organizations to all types of global businesses. Just recently, an international law firm experienced an enormous breach. Each time, valuable information is lost and C-level leaders often lose their jobs or face tough scrutiny.
Today, the reality is that the majority of organizations continue to work in reactive mode. We need to step away from merely managing breaches and start working to develop a culture of security, moving out of reactive and into proactive mode.
One could argue that the role of the C-suite, and especially that of the CFO, has transformed and could very well be called the CPO – Chief Protection Officer. If you think about it, cybersecurity potentially puts a company’s finances and value at risk, challenges compliance and regulatory strategies, and increases the need for mature strategies to safeguard a company’s data and overall security. A CFO, as a strategic business and risk management executive, should have significant oversight and guidance in these areas. They are no longer IT-only considerations.
Not Just Responsibility But Stewardship
It has now become table stakes for the CFO and Board to be at the forefront of proactive approaches to security in modern organizations. Although there are ways that security staff and organizations can mitigate the damage resulting from increasingly frequent and sophisticated attacks, as the old saying goes, an ounce of prevention is worth a pound of cure.
There are more than a few naysayers who claim that the cost of adequate security is more than the cost of recovering from a breach. This is not, however, a sustainable or responsible approach. Breaches will become more frequent, attacks will become more persistent and sophisticated, and the costs of reacting to these breaches will continue to increase. Clearly, brands, jobs and share prices are all at risk.
Executives and boards of directors are, first and foremost, stewards of three separate but interconnected elements of an organization – the business itself, customer data and shareholder interests.
Stewardship goes far beyond making money or ensuring the financial success of an organization. It means caring for the long-term interest of the company and thinking holistically about the diverse stakeholders touched by the business. When it comes to security, though, the traditional stewards of the organization are not always equipped with the necessary perspective, skills, or knowledge. The wrong focus can, in fact, create a perfect storm of imperfect stewardship, in which security is viewed as a cost center rather than an essential element of risk management.
Why Security and Stewardship Go Hand In Hand
Board-level responsibility extends to data and intellectual property. If the Board is ultimately responsible, then treating cybersecurity as an exclusively IT issue is not just inappropriate but bad business.
If stewardship is about protection and oversight of a company’s assets, both tangible and intangible, then the most critical assets are data, IP, reputation, customer trust and loyalty. As we see all too frequently, poor security can undermine or destroy all of these and create a loss of value through unnecessary volatility.
More importantly, as stewards of their respective organizations, Boards and executives have a responsibility to their customers, their intellectual property, and their shareholders to ensure the safety and security of their data and systems. This ultimately comes down to thinking about security as a stewardship issue to be addressed directly by the Board.
We Can Never Eliminate Risk
We can never entirely eliminate risk. It is inherent in everything we do. Where there is profit to be made or leverage to be gained, organizations and their customers will come under fire and, as a result, there will always be attacks and attempts at data breaches. This is especially true in cybersecurity given the low cost for cybercriminals to generate a breach, the difficulty in locating and prosecuting them, and the lucrative reward of a successful breach to cybercriminals.
Just because we can’t eliminate risk doesn’t mean that we can’t manage it. This has always been a key function of the Board – assess risk and make appropriate tradeoffs to manage it, considering the impact across the organization.
Security is no different and, in conjunction with the CISO and the rest of the C-Suite, the Board must consider security versus many other factors, including cost, performance, agility, autonomy and empowerment, strategic initiatives, projects and planning, and go-to-market.
Out of IT and HR and into the Boardroom
Additionally, some of the most critical areas for consideration are policy and information governance. These are areas where the Board and senior leadership can really make a substantial contribution to an organization’s security. While the technical details can be worked out by a well-funded, savvy, empowered IT department, and HR and other line-of-business staff can address specific elements of policy and procedure, high-level decisions on policy and approach to information security need to come from the offices of C-level executives.
As the arms race among cybercriminals, nation-states, organizations, and the security community heats up, this fundamental shift in approach to cybersecurity will not only keep the good guys one step ahead but also ensure that organizations can respond swiftly and appropriately when breaches occur. And if recent history has taught us anything, it’s not a matter of if but when they will occur.
About the author:
Drew Del Matto brings over 20 years of financial management experience and expertise in the network security market. Prior to joining Fortinet, Drew held a variety of senior management roles at Symantec including acting chief financial officer, as well as senior vice president and chief accounting officer.
Drew also served as Symantec’s corporate treasurer and vice president of finance business operations, responsible for all treasury functions, various aspects of mergers & acquisitions, pricing and licensing, financial planning and analysis, and revenue operations. Prior to Symantec, Drew held senior finance leadership roles with Inktomi Corporation and SGI Corporation. He began his career as a CPA in public accounting with KPMG LLP.