September 1, 2020
I sat down with Frank Brown, CFO of RiskSense, to hear his take on the CFO’s responsibility for cyber security, his advice to others in similar c-suite roles, and the trends he expects to see in the next ten years. Overall, his take was incredibly valuable, reiterating how important cyber education is for executives, employees, and organizations as a whole.
In a recent report we read, when individuals were asked who is responsible for cyber security, the answer was split—about 36% reported that the CFO is responsible for cyber security while 38% agreed it was the CIO’s responsibility. What are your thoughts as a CFO today?
“In larger organizations, it will fall first and foremost on the CIO. He or she is ultimately charged with cyber security. As you move downstream to smaller organizations that don’t have dedicated CIOs, you’ll still have individuals in those organizations, as do we, ensuring that there is good cyber security hygiene.
“Let me put it this way, if I was the CFO of a company and I wasn’t asking who’s in charge or what we’re doing to maintain our cyber security posture, I would be remiss. I would assume that for 36% of those respondents that agree the CFO is responsible for cyber security, it’s where the CFO is already actively making sure that the organization is paying attention to this.
“But ultimately, cyber security is part of something a CFO absolutely needs to be concerned about. About a year ago, Bloomberg hosted a panel about CFOs that detailed just that—it’s not a topic or a responsibility that CFOs get to walk away from, especially because financial data and information is a key target for cyber hackers today, and will likely be the same in the future. It’s incredibly valuable data.”
I agree with you, and when we break it down to SMB vs. enterprise, that smaller organization definitely has fewer c-suite leaders and sometimes they’re hiring out some of their cyber security needs. Let’s say you’re releasing the reins, so to speak, and either hiring a CIO or seeking outside help, I would assume the CFO still needs to be in lockstep with the cyber security plan. Do you agree?
“I completely concur. Ultimately, as a CFO, I’m concerned about the commitments we’re making to our customers. When you look at customer contracts, we have to vouch, particularly in the SaaS world, but the same is true for other industries, to our ability to adhere to data privacy requirements, to our information security posture.
“I know as we’re dealing with large enterprises, almost every one of them sends over their security policy. And what that really means is, these are our security guidelines and if we become a customer, will you be able to conform with these. So the CFO definitely cares about it from that perspective.
“I think the CFO is also a key advocate with the CIO. I’m never really going to dive in and question the CIO’s choices around what tools and technologies to use, but I’m certainly going to be an advocate to put in place the right tools and technologies and wanting to make sure he or she is comfortable that we’re doing everything we can, within our budget, to make sure our customers and our business is safe.”
We know that CFOs likely don’t know the ins and outs of cyber security as well as a CIO, but do you agree that the trend and critical path forward is for the CFO to build up their knowledge in cyber security so they can speak with more knowledge in board meetings and with customers?
“Oh, absolutely. As a CFO there’s a minimum baseline of understanding you have to have around cyber security. And, here’s a good example—we’re all working remotely these days. What type of endpoint protection do you have? Are you running something like a corporate endpoint product like Symantec? You want to make sure all of your endpoints are protected. You want to make sure you know what you’re doing about passwords. We have password policies and really strict guidelines that we expect our employees to adhere to and we need to understand what our organization is doing around privilege management or user access management. Those are just a few, but there are five or six foundational items that you don’t have to be an expert in cyber security to know that you should be asking your CIO what are we doing about these very specific categories.
“And that’s where I said I wouldn’t really question. For instance, if the CIO chose to use a Symantec endpoint product instead of McAfee, am I going to say why are you doing that? No. I might say, hey, I’m hearing other companies are doing x vs. y, why did you make this choice? Help me understand why you like this one? But I’m not going to tell him or her no, you can’t buy that.”
What would you say those five or six critical areas would be that the CFO is responsible to have at least some knowledge of to maintain a presence in their organization’s cyber security plan?
“One of them is certainly endpoint protection. You need to know that you’re doing that. These days you need to be careful with email security. And, with all of us up in the cloud, you want to make sure that the environment you’re delivering to your customers, in our case, through Amazon, is adequately secured. I’d also like to know that I have some type of at least rudimentary telemetry around intrusions that are out there. People that are banging up against our firewall. What are they trying to do and how are they getting in? How are we preventing them from getting in? Do we have a system that is logging alerts and helping us understand what type of attack vector might be coming at us?
“And then, you know, near and dear to my heart is what we do, what are we doing about vulnerability management, which has gotten very complex over the last several years. But at the end of the day you can distill it down to—am I running updates on my computer, when Windows tells me to run the latest updates, my cell phone, and now it crosses far more categories. What am I doing to identify vulnerabilities in my web application? What am I doing to identify vulnerabilities up in my cloud environment? Those are, if we start to talk about ransomware, that’s where the hackers go. They’re looking to those known vulnerabilities that have been proven time and time again to be easy ways or proven ways to break in and if you don’t have basic hygiene around that, you are much more exposed.”
That’s a good lead-in. What would you say is the pulse for CFOs on ransomware? Is that something CFOs understand—the techniques, or even beyond that, whaling and specific, targeted attacks on the financial department within each organization?
“I would say that at least for me, and I’m not every CFO, I could not tell you these are the attacks that are trending right now towards CFOs and the financial systems we use. As an example, with our accounting software I’m interested in their security policies and practices, but it’s a little bit of a leap of faith. Just like it is for anyone that becomes a customer of ours, we’re certainly trusting that they have secured their environment.
“As a CFO, in any company today, you want to know how you’re protecting yourself against ransomware. Ransomware can be very targeted toward verticals, it can be very generic. It’s a specific type of attack. Sometimes they don’t care what industry you’re in, but they’ve been poking around and they’ve seen you have some firewalls that are exposed to the Internet that are ones they know how to hack because you haven’t properly patched your vulnerabilities.
“Every CFO in this day and age should be concerned about ransomware and how it could impact their business.”
How can CFOs better work with their internal cyber security teams? How can they be better partners to the CIO’s organization?
“To me, it really comes back to what are the regular interactions you have with the executive team in your organization? Are you scheduling 1:1s with your VPs of engineering and customer success and IT? Do you have a cadence to discuss security concerns and best practices? Good executive teams, as a whole, maintain a regular dialogue with their fellow executives to understand what they’re doing and what they can improve on. And every year, for us specifically, we’re SOC 2 certified. So every year we go through a review of our security practices and policies. We bring in a third party to audit. Is there anything we’ve suddenly become deficient in? We’re doing penetration tests. As a CFO you should be asking your CIO when was the last time we did a penetration test. And as a CFO of a software company, you need to know how you’re ensuring the security of your own applications.
“For us, we use an internal process in the event of a sudden vulnerability or a security incident, and that could be as simple as someone losing a PC. The process immediately notifies the executives and we have a standard set of actions we take to understand the level of exposure, has it been remediated and are there any lingering effects?”
What are the trends you expect to see in the next 10 years with cyber security — specifically protecting against ransomware and whaling attacks on CFOs?
“I don’t see ransomware slowing down. It’s a money-making business and everyone who is around security knows, it’s just completely skewed; they only have to get it right once. As organizations, we have to constantly defend against hundreds of thousands of bad actors. All it takes is one mistake by an employee. I think ransomware will continue to be very prevalent. It’s a big money-making business. A lot of insurance companies are telling their customers, even though they have cyber insurance, to pay the ransom. And that just validates the industry even more.
“The other trend I expect to see: more and more ransomware will be targeted on web applications. As everyone moves to the cloud, your network and your assets become virtual. You’re shifting between servers and that works to the advantage of everyone. It’s much more difficult for a hacker to identify the vector they can get into and sustain. But that means web applications are really a big exposure point. And it’s an area where a lot of companies haven’t paid attention. You as a user, every time you go to a website, should be asking yourself, what have these people done to make sure there’s no cross-site scripting, no open vulnerabilities they’ve left that would make it easy for someone to impact me through this web application.”
What tactics have worked for you in the past — and do you see the fruits of that labor or just hope that the right barriers are in place to protect your organization?
“It’s really about putting in place good processes, communicating regularly, and paying attention. We’ve recently upgraded our firewalls because we felt like it was time. We didn’t see anything wrong with the old firewalls, but remaining vigilant is part of good cyber security hygiene. In our remote work environment, we’re being very aggressive to make sure that when employees are accessing shared drives or other files they are logging in with our VPN because home networks aren’t secure.
“It’s about recurring good hygiene — reminding people about being careful about phishing emails, protecting passwords and using complex passwords. In all honesty, constant education is as important as the tools you’re using to protect yourself.”
Written by: Jack Vines