Typically, it’s a given that companies are hesitant to spend money on things they can’t see, or make money off of. Employee engagement programs? Who needs them! Executive sensitivity training? Not unless we are forced by a lawsuit. Teleworking? We’d rather see our employees in person.
Unfortunately, in some companies, this “can’t see it so we won’t address it” blind spot includes data and network security. In a recent article for CFO, Jim Moylan, Chief Financial Officer (CFO) for Ciena Corporation, wrote that a security consultant for Ciena told him there are only two types of companies in the world: those who have detected network penetrations by hackers or malware, and those who have been penetrated but have not detected it.
“A big change [in the job of today’s CFO] is actually an outgrowth of [the] ‘interconnectedness’ of the world,” wrote Moylan. “The rising threat of attacks on our businesses’ networks and the increasing need for advanced security technology to detect and prevent them is a high priority across the global business community.”
Getting yesterday’s CFO – who may have excelled at accounting and finance but knows little of modern networking and business systems – to understand the risks is a challenge in many organizations. This is the person who controls the purse strings, but he may not understand the company’s IT requirements in any way.
“These significant changes are making it incumbent upon the finance chief to be involved in all aspects of the company’s operations,” wrote Moylan. “Many management gurus have forecasted the rise of the ‘strategic CFO’ — a leader with an external rather than an internal orientation, one who thinks forward rather than backward, and one who focuses on the business first, then the financials, rather than the opposite.
Today’s CFO needs to be a leader in areas other than purely financial matters. He or she must actively contribute to business issues that might historically reside with CEO, COO, and technology functions such as those handled by the chief information officer or chief technology officer.
“The amount of money my company spends on network security is a huge multiple of the amount we spent only five years ago. And, that number will almost certainly continue to increase. The financial implications put this squarely in the CFO’s court – it’s not just the CIO’s issue to contend with anymore.”
Earlier this year, Steffan Tomlinson, CFO of cybersecurity giant Palo Alto Networks, told CFO that chief financial officers need to “get educated” when it comes to cybersecurity.
“Because often, CFOs, especially of non-high-tech companies, don’t have a good framework to even ask the right question,” said Tomlinson. “And the education part of this is key.”
Tomlinson recommends that modern companies consider breaking information security out of the CIO organization so that a chief information security officer reports directly to the CFO.
“When you have a seat at the table for that function, you will get more visibility and transparency into the company’s risks,” he said.
Edited by Maurice Nagle