CFOs Need to Sober Up to Security Realities

Updated: June 14, 2010

The continued underestimation of the potential impact a data loss event can have on the viability of a company is of particular concern where publicly traded companies are considered, as individual and commercial investors have little or no idea how such an event will affect shareholder value.

Just ask the investors at Heartland Payment Systems (HPY), who are only now seeing the company's stock price approach anything near its pre-breach-announcement value, and the aftermath is far from over.

As the responsibility for mitigating all enterprise risk ultimately lands in the lap of the Chief Financial Officer, it's time for CFOs to truly understand that the steady stream of techno-babble about threats and system upgrades emanating from their IT departments is more than just overly excited geek-speak.

Fundamentally, IT system security is at the heart of all enterprise risk abatement, and CFOs need to recognize they are way behind the curve when it comes to protecting their company and their company's bottom line.

And it's not just the CFOs who are fumbling the ball. The problem also stems from the inability of security professionals to holistically translate the message of vulnerability into the language of the boardroom: risk.

Jeffrey Carr, who consults with U.S. and foreign governments on cyber intelligence matters and is the author of Inside Cyber Warfare, had an article in Forbes that should serve to keep CFOs up nights; however, it will probably go largely unnoticed.

If you are a security expert, there are no surprises in what Jeff had to say, as these simple "knowns" are the most basic tenets of information security:

  1. You cannot protect all your data.
  2. You cannot stop every attack.

From the security expert's perspective, these facts are the driving force behind everything they do in their professional capacity on a daily basis, but this is not the message being conveyed to the CFO.

Stark realities such as these just don't win larger security budgets, and gloom and doom generally runs counter to the spin-happy executive level responsible for communicating risk levels to both regulators and investors.

Jeff goes on to say in his article, "Once you understand that you cannot stop every attack, and that the attacker has a vast advantage over the defender, the next logical action to take is to reduce the number of attack vectors that a potential adversary may choose from."

Again, this is security 101, but for CFOs this should be an alarming revelation.

When the simple truth that critical systems can only be defended, never wholly protected, from interlopers is considered across the broad spectrum of industries that make up our economy, the implications are staggering.

Even in the midst of ever-larger data breaches and sharp upticks in cyber-related criminal activity, sectors like communications, finance, healthcare, legal, and even our most critical infrastructure, such as the emerging "smart" power grid, are rushing headlong into the implementation of systems that dramatically increase the risk of a serious security event.
