Chief financial officer cybersecurity

The CFO's role in cybersecurity

CFOs can play a key role in establishing a cybersecurity risk management program to help achieve business objectives.

Cybersecurity risks are significant business risks that must be managed. This can be challenging, because even organizations with mature practices are susceptible to cybersecurity failures that may not be detected in a timely manner. A cybersecurity risk management program can help address those challenges. But establishing and maintaining such a broad program is not easy.

An effective cybersecurity risk management program requires leadership and commitment from top executives. Simply being “interested” is insufficient because key decisions regarding the program will affect achievement of the organization’s overall business objectives.

CFOs, alongside other C-suite executives, can provide leadership and demonstrate commitment to their cybersecurity risk management programs in the following ways:

1. Establish a cybersecurity policy with objectives that align with your organization’s strategic business objectives.

The cybersecurity policy is a concise and high-level commitment by senior leadership to the strategic importance of cybersecurity. It describes the intent and direction of the cybersecurity risk management program and includes your organization’s cybersecurity objectives for protecting the confidentiality, integrity, and availability of its information assets and systems.

2. Assign and communicate the authorities and responsibilities for cybersecurity.

To ensure achievement of your organization’s cybersecurity objectives, key roles, responsibilities, and authorities should be assigned, communicated, and regularly reviewed by executive leadership. These key responsibilities and authorities include establishment and continual improvement of the cybersecurity risk management program; risk assessment and treatment; process and system design; performance evaluation; and management review.

3. Identify and provide the resources necessary to establish and operate the cybersecurity risk management program.

The establishment and operation of an effective cybersecurity risk management program requires an ongoing commitment of resources. Factors that influence that commitment include the size and complexity of your organization, the industries in which your organization operates, and the needs and expectations of interested parties. Investments in people, process, and technology should be monitored and adapted as your organization’s cybersecurity objectives change.

4. Regularly review and improve the effectiveness of the cybersecurity risk management program.

Changes that impact your organization’s cybersecurity risks are inevitable, and they necessitate regular and periodic review of your cybersecurity risk management program. Internal updates to strategy and business objectives, and external shifts in the needs and expectations of interested third parties are examples of such changes. Leadership participation in the regular program reviews can help ensure that your organization continues to adequately address the risks that threaten your cybersecurity objectives. And when necessary, leadership can help ensure that program improvements are properly resourced and established.

In summary

It’s never too late to provide this type of support from the top. And the need for dependable cybersecurity practices has never been greater.

For the foreseeable future, most organizations can expect increased scrutiny of their cybersecurity practices. Cybersecurity expectations and requirements are already influencing decisions in areas such as contract awards, partnering agreements, and insurance coverage. Through leadership and commitment from top executives, including the CFO, organizations can establish cybersecurity risk management programs that favorably influence those decisions—and help those organizations achieve their business objectives.

If you have questions about your unique cybersecurity situation, contact Brian Johnson using the information below.

Brian Johnson

Senior Vice President
Technology Services

Brian joined AGH in 1992. He leads the firm’s technology services practice where he helps clients achieve measurable performance improvements through the delivery of specialized, competency-based information systems management, assurance, and advisory services. He has extensive experience in information security, network engineering, and solution development, with recognized specializations in governance, risk, control, and related consulting services.

Brian is a member of ISACA (previously known as the Information Systems Audit and Control Association), the Kansas Society of Certified Public Accountants (KSCPA), the American Institute of Certified Public Accountants (AICPA), the AICPA’s Information Management and Technology Assurance (IMTA) Section, and the Association for Supply Chain Management (ASCM). He is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC), Certified Data Privacy Solutions Engineer (CDPSE), and Certified in Production and Inventory Management (CPIM).

Brian is also a Certified Public Accountant (CPA) and a graduate of Wichita State University, where he earned Master of Accountancy and Bachelor of Business Administration degrees.

Information security is more than technology; it requires educated staff.
See how we can help identify and mitigate your security vulnerabilities.