We work in an age of collaboration and integration, connecting seamlessly with customers, partners, and colleagues. Through cloud services and mobile devices, we transmit vast amounts of data, and we do so ceaselessly. Such connectivity makes possible information sharing, and ultimately innovation, on a scale the world has never seen before, but it also demands that companies pay more attention to managing and securing the flow of data.
Information management may sound like a challenge that would normally be assigned to IT. However, because of the disastrous impact a data breach can have on profitability, governing the flow of data has to be a key concern for all C-level executives. According to the Ponemon Institute’s “2014 Cost of Data Breach Study,” the total average cost of a data breach rose 15 percent, to US$3.5 million, in 2013.
Organizations simply can’t ignore a risk of this magnitude, and it is not wise to burden the IT function with the full responsibility for mitigating this risk. IT does not have the same knowledge of business operations as do the people generating the company’s financial performance data, namely, the CFO, corporate controllers, and treasurer.
To keep their companies’ fiscal data safe—and, ultimately, to protect their bottom line—CFOs need to work with IT to obtain a comprehensive understanding of how data flows within their organization. Then they need to help set data security policies, fund necessary technology and process improvement investments, and demand security policy compliance.
The Increasingly Tricky Security Environment
As workplace culture changes, data security becomes a bigger and bigger issue. The combination of employees’ desire for flexibility and organizations’ demands for higher productivity has introduced new market forces that are changing the ways in which data flows through businesses. The bring your own device (BYOD) movement enables employees to use their personal phones and tablets to conduct business. This frees them to work remotely, which may maximize their productivity by enabling them to work where they have fewer distractions and by offering a work/life balance that keeps them happy. With these benefits come challenges, however.
Organizations increasingly worry about managing the large amount of sensitive data that flows between these devices, both within the company and outside corporate firewalls. For example, details on the launch of a new product may be sent at any time to external marketing teams, and projections of corporate fiscal performance may be accessed routinely by executives reviewing documents at home. Clearly, if either of these data sets falls into the hands of a competitor, there could be serious ramifications for the company.
Integrating a diverse assortment of devices, and the networks on which they run, can weave a complex web of security environments. Each one must be secured to a consistent standard, because an attacker only needs the one device or network segment where policy is weaker, but consistency across so many technologies is difficult to achieve. In a 2014 report by Enterprise Strategy Group (ESG), 31 percent of surveyed organizations said they struggle to enforce cohesive network security policies because of the many different technologies and devices for which they have to account.
To add to the challenge, many employees want to use their own devices for business but don’t want the company to be able to access the personal data they keep on these devices. According to a 2014 Gartner report, employees are demanding BYOD solutions that separate their personal content from business content. BYOD and cloud computing are here to stay, so this separate protection of corporate and individual data becomes another hurdle for organizations to negotiate.
Why CFOs Are Getting Involved
Organizations that do not successfully secure their data face three serious threats: strategic losses, regulatory penalties, and brand reputation damage. Any of these can devastate a company’s finances. For example, if a data breach reveals private information on product strategy, it may affect the company’s current product offerings, slow its speed to market with new offerings, and lower the value of its intellectual property.
Then there are the regulatory consequences. If companies fail to comply with certain regulations, which may differ from state to state and country to country, they will face steep fines. And if a breach exposes customer data, breach-notification laws require that affected customers be informed, and in some jurisdictions they must also be compensated. On average, companies spend $145 per compromised customer record on remediation, including all internal and external costs, according to the Ponemon Institute. When breaches involve millions of customer records, the totals are staggering.
Perhaps most debilitating in the long term is the damage that an organization’s brands and reputation suffer when a data breach occurs. Take, for example, the hack that Target suffered in December 2013, which exposed millions of customers’ credit and debit card details. Since the breach, 35 percent of Target’s customers have changed the way they shop at the retailer, according to a 2014 Bizrate Insights study. The study also found that 13 percent of former online Target shoppers have taken their business elsewhere.
As the overseers of corporate financial performance, CFOs must have on their radars the financial impact to organizations that results from data breaches. Just as they would get involved in efforts to reverse a drop in sales, margins, or share price, leaders in the finance function need to do all they can to avoid a costly data-loss incident. Deloitte’s 2014 quarterly “CFO Signals” surveys show that this new reality is not lost on finance executives; respondents listed security concerns like cyber attacks and data hacks as among the most worrisome impediments to organizational growth.
This attention to an area previously reserved for CIOs and other data professionals coincides with a general shift in CFO responsibility. As the CFO’s role has evolved over the past decade, finance leaders have needed not only to focus on financial stewardship, but also to simultaneously cultivate a strong understanding of key technology issues such as information security and data management. In many cases, the need for technology decisions to reside with someone who’s knowledgeable about business and financial operations has resulted in the CFO taking an overall leadership position in data-flow security.
Thus, the relationship between CFOs and CIOs has undergone a fundamental transformation. While CIOs continue to manage specific threats around networks, business-to-business integration communities, and cloud/remote access, CFOs are often responsible for approving the IT spend, enforcing compliance companywide, and managing exposures arising from any data security incidents. It’s critical for modern CFOs to understand and involve themselves in data security planning. See the sidebar Questions from the CFO for help preparing for this new role.
The Role of Finance in Data Security
The CFO’s first order of business as a data-security champion should be to ensure that corporate budgets allocate adequate funding for technology and process management. Consider not only the technology infrastructure, but also the manpower needed to manage data both within and outside the organization.
In the ESG survey, 27 percent of respondents said their organization’s security staff is too busy responding to alerts and emergencies to prioritize training or network security strategy. As a result, many companies lack the depth of knowledge they need to stay ahead of the security curve and be equipped to respond to future threats. CFOs can, and must, bring their strategic perspective to bear on data-security issues. They are in the perfect position to make sure appropriate resources are allocated to data security, including the development of teams that address security in the long term.
Specifically, the CFO can ensure proper resource allocation by:
- Understanding which security products the company is using, and finding out whether those products are interacting effectively with one another.
- Ensuring that the company has strong security controls in place for data flowing within the firm’s enterprise systems, as well as data moving across firewalls to partners, customers, cloud applications, and mobile devices.
- Ensuring that the right combination of preventive, detective, and responsive controls are all communicating with one another, so that the company has a correlated view of what is happening across its own systems and across its external ecosystems.
- Ensuring that a mix of IT resources is focused on remediating current security concerns and studying emerging security threats and technologies to prepare for the future.
Modern CFOs should also help lead their organizations' data governance efforts. With ultimate responsibility for the bottom line, CFOs have the authority to demand compliance with data-governance policies. They should be involved in developing security programs that combine preventive, detective, and responsive controls and that apply across the whole organization rather than to a few systems.
Implementing only reactive security structures is no longer adequate. Data and infrastructure security should be addressed using a multi-level approach. At the network level, security policy should address vulnerabilities in the low-level protocols that link different devices together and enable the flow of data between them. At the server level, security policy should address threats that come with host virtualization, where one compromised guest or hypervisor can expose many workloads. At the application level, security policy should address vulnerabilities in the Web applications installed on the company's systems. And at the API level, the company needs to ensure that every interface exposed to the outside world is secured: each exposed method must enforce authentication, authorization, and input validation, not only the ones expected to handle sensitive data, because attackers look for the method that was overlooked.
Once they have helped set data-security policies, CFOs should take responsibility for ensuring that employees, external business partners, and others stay in compliance with those policies. They should demand software systems that give detailed insights into, and help regulate, the flow of data inside the organization, from the organization to the outside world, and into the organization from outside partners and customers. With this insight into data traffic and security, CFOs can answer all the parties to whom they're accountable, including regulators, shareholders, and financial analysts, knowledgeably and with a well-founded view of how likely a data breach is to derail their company's progress.
CFOs should also continue asking the four questions listed in the sidebar to this article in order to remain comfortable with their company's data security measures. They should collaborate closely with their CIO in preparing data security analyses and reports for the CEO, and should ensure that data-security policies and technologies are an important component of the regular internal audits performed by the company's controllers.
The New Normal
The role of the CFO has shifted in the modern economy to involve a more holistic approach to financial health. In this “new normal,” CFOs must have a hand in managing all the elements that impact the bottom line, and that includes corporate data. Information enters, circulates within, and leaves organizations through a huge number of technologies, devices, and people. This data flow is wider and faster than ever before and is, therefore, also more complex. If companies fail to address their increased need for data security, they risk enormous losses.
But CFOs have the ability to take control of data security and help protect their organizations from the damage that data breaches can cause. To do so, they must involve themselves in efforts to control data flows. By designing budgets that allocate adequate resources to data security, by working with IT to design comprehensive data governance plans, and by demanding organization-wide compliance with these plans, CFOs can ensure that data supports their company’s financial gains while minimizing its role in any loss.
They can, in fact, lead their companies to secure, data-driven success.
Dean Hidalgo is the executive vice president of global marketing at Axway, and is responsible for all marketing activities from corporate communication and solution marketing to demand generation. With more than 20 years of experience promoting business integration solutions, Dean has successfully led strategic initiatives to introduce ground-breaking technologies into the marketplace.