We work in an age of collaboration and integration, connecting seamlessly with customers, partners, and colleagues. Through cloud services and mobile devices, we transmit infinite amounts of data, and we do so ceaselessly. While such connectivity makes possible information sharing—and, ultimately, innovation—on a scale the world has never seen before, it also demands that companies pay more attention to managing and securing the flow of data.

Information management may sound like a challenge that would normally be assigned to IT. However, because of the disastrous impact a data breach can have on profitability, governing the flow of data has to be a key concern for all C-level executives. According to the Ponemon Institute's “2014 Cost of Data Breach Study,” the total average cost of a data breach rose 15 percent, to US$3.5 million, in 2013.

Organizations simply can't ignore a risk of this magnitude, and it is not wise to burden the IT function with the full responsibility for mitigating this risk. IT does not have the same knowledge of business operations as do the people generating the company's financial performance data, namely, the CFO, corporate controllers, and treasurer.

To keep their companies' fiscal data safe—and, ultimately, to protect their bottom line—CFOs need to work with IT to obtain a comprehensive understanding of how data flows within their organization. Then they need to help set data security policies, fund necessary technology and process improvement investments, and demand security policy compliance.

The Increasingly Tricky Security Environment

As workplace culture changes, data security becomes a bigger and bigger issue. The combination of employees' desire for flexibility and organizations' demands for higher productivity has introduced new market forces that are changing the ways in which data flows through businesses. The bring your own device (BYOD) movement enables employees to use their personal phones and tablets to conduct business. This frees them to work remotely, which may maximize their productivity by enabling them to work where they have fewer distractions and by offering a work/life balance that keeps them happy. With these benefits come challenges, however.

Organizations increasingly worry about managing the large amount of sensitive data that flows between these devices, both within the company and outside corporate firewalls. For example, details on the launch of a new product may be sent at any time to external marketing teams, and projections of corporate fiscal performance may be accessed routinely by executives reviewing documents at home. Clearly, if either of these data sets falls into the hands of a competitor, there could be serious ramifications for the company.

Integrating a diverse assortment of devices, and the networks on which they run, can weave a complex web of security environments. Each one must have airtight security to prevent breaches, but that can be difficult to implement. In a 2014 report by Enterprise Strategy Group (ESG), 31 percent of surveyed organizations said they struggle to enforce cohesive network security policies because of the many different technologies and devices for which they have to account.

To add to the challenge, many employees want to use their own devices for business but don't want the company to be able to access the personal data they keep on these devices. According to a 2014 Gartner report, employees are demanding BYOD solutions that separate their personal content from business content. BYOD and cloud computing are here to stay, so this separate protection of corporate and individual data becomes another hurdle for organizations to negotiate.

Why CFOs Are Getting Involved

Organizations that do not successfully secure their data face three serious threats: strategic losses, regulatory penalties, and brand reputation damage. Any of these can devastate a company's finances. For example, if a data breach reveals private information on product strategy, it may affect the company's current product offerings, slow its speed to market with new offerings, and lower the value of its intellectual property.

Then there are the regulatory consequences. If companies fail to comply with certain regulations—regulations that may differ from state to state and country to country—they will face steep fines. And if a breach exposes customer data, laws will require a certain level of compensation to the affected customers. On average, companies pay $145 per compromised customer record, including all internal and external remediation, according to the Ponemon Institute. When breaches involve millions of customer records, penalties are staggering.

Perhaps most debilitating in the long term is the damage that an organization's brands and reputation suffer when a data breach occurs. Take, for example, the hack that Target suffered in December 2013, which exposed millions of customers' credit and debit card details. Since the breach, 35 percent of Target's customers have changed the way they shop at the retailer, according to a 2014 Bizrate Insights study. The study also found that 13 percent of former online Target shoppers have taken their business elsewhere.

As the overseers of corporate financial performance, CFOs must have on their radars the financial impact to organizations that results from data breaches. Just as they would get involved in efforts to reverse a drop in sales, margins, or share price, leaders in the finance function need to do all they can to avoid a costly data-loss incident. Deloitte's 2014 quarterly “CFO Signals” surveys show that this new reality is not lost on finance executives; respondents listed security concerns like cyberattacks and data hacks as among the most worrisome impediments to organizational growth.

This attention to an area previously reserved for CIOs and other data professionals coincides with a general shift in CFO responsibility. As the CFO's role has evolved over the past decade, finance leaders have needed not only to focus on financial stewardship, but also to simultaneously cultivate a strong understanding of key technology issues such as information security and data management. In many cases, the need for technology decisions to reside with someone who's knowledgeable about business and financial operations has resulted in the CFO taking an overall leadership position in data-flow security.

Thus, the relationship between CFOs and CIOs has undergone a fundamental transformation. While CIOs continue to manage specific threats around networks, business-to-business integration communities, and cloud/remote access, CFOs are often responsible for approving the IT spend, enforcing compliance companywide, and managing exposures arising from any data security incidents. It's critical for modern CFOs to understand and involve themselves in data security planning. See the sidebar Questions from the CFO for help preparing for this new role.

The Role of Finance in Data Security

The CFO's first order of business as a data-security champion should be to ensure that corporate budgets allocate adequate funding for technology and process management. Consider not only the technology infrastructure, but also the manpower needed to manage data both within and outside the organization.

In the ESG survey, 27 percent of respondents said their organization's security staff is too busy responding to alerts and emergencies to prioritize training or network security strategy. As a result, many companies lack the depth of knowledge they need to stay ahead of the security curve and be equipped to respond to future threats. CFOs can, and must, bring their strategic perspective to bear on data-security issues. They are in the perfect position to make sure appropriate resources are allocated to data security, including the development of teams that address security in the long term.

Specifically, the CFO can ensure proper resource allocation by:

  • Understanding which security products the company is using, and finding out whether those products are interacting effectively with one another.
  • Ensuring that the company has strong security controls in place for data flowing within the firm's enterprise systems, as well as data moving across firewalls to partners, customers, cloud applications, and mobile devices.
  • Ensuring that the right combination of protective/preventative, detective, and reactive controls are all communicating with one another to provide a correlated view of what is happening across the company and beyond to its external ecosystems.
  • Ensuring that a mix of IT resources is focused on remediating current security concerns and studying emerging security threats and technologies to prepare for the future.

Modern CFOs should also help lead their organizations' data governance efforts. With ultimate responsibility for the bottom line, CFOs have the authority to demand compliance with data-governance policies. They should be involved in developing security protocols that have numerous capabilities, including being preventative, detective, reactive, and widespread.

Implementing only reactive security structures is no longer adequate. Data and infrastructure security solutions should be addressed using a multi-level approach. At the network level, security policy should address vulnerabilities on the low-level protocols that link together different devices and enable the flow of data between those devices. At the server level, security policy should address threats derived from host virtualization. At the application level, security policy should address vulnerabilities in Web applications installed on the company's systems. And at the API framework level, the company needs to ensure that interfaces which are exposed to the outside world are secured—which means all methods must be protected against potential attacks at the application level.

Once they have helped set data-security policies, CFOs should take responsibility for ensuring that employees, external business partners, and others stay in compliance with those policies. They should demand software systems that give detailed insights and help regulate the flow of data inside the organization, from the organization to the outside world, and to the organization from outside partners and customers. With this insight into data traffic and security, CFOs can respond to all the parties to whom they're accountable—including regulators, shareholders, and financial analysts—knowledgeably and with confidence that data breaches won't derail their company's progress.

CFOs should also continue asking the four questions listed in the sidebar on page 2 of this article in order to remain comfortable with their company's data security measures. They should collaborate closely with their CIO in preparing data security analyses and reports for the CEO, and should ensure that data-security policies and technologies are an important component of regular internal audits performed by the company's controllers.

The New Normal

The role of the CFO has shifted in the modern economy to involve a more holistic approach to financial health. In this “new normal,” CFOs must have a hand in managing all the elements that impact the bottom line, and that includes corporate data. Information enters, circulates within, and leaves organizations through a huge number of technologies, devices, and people. This data flow is wider and faster than ever before and is, therefore, also more complex. If companies fail to address their increased need for data security, they risk enormous losses.

But CFOs have the ability to take control of data security and help protect their organizations from the damage that data breaches can cause. To do so, they must involve themselves in efforts to control data flows. By designing budgets that allocate adequate resources to data security, by working with IT to design comprehensive data governance plans, and by demanding organization-wide compliance with these plans, CFOs can ensure that data supports their company's financial gains while minimizing its role in any loss.

They can, in fact, lead their companies to secure, data-driven success.

—————————————-

Dean Hidalgo is the executive vice president of global marketing at Axway, and is responsible for all marketing activities from corporate communication and solution marketing to demand generation. With more than 20 years of experience promoting business integration solutions, Dean has successfully led strategic initiatives to introduce ground-breaking technologies into the marketplace.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.