A recent report by the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI)
entitled “The Financial Impact of Cyber Risk” suggests that cyber
security should be an issue for a number of departments beyond IT.
Specifically, it said the chief financial officer, legal, risk
management, human resources, public relations and others should be
involved in managing cyber risk before an embarrassing and damaging
data breach hits the organization.
It’s not unusual to hear reports advising IT to collaborate with the
business in an effort to better understand IT’s role in the bigger
picture, be it cyber security or any other IT project. But the
suggestion to take an issue often perceived as solely IT’s problem
to the highest echelons of the organization, specifically the CFO,
is not often heard.
It’s very helpful that, through more direct discussions, the CFO
would be made aware first-hand by IT of the negative implications of a
potential cyber security attack and of its financial repercussions.
Moreover, the CFO controls the money and has the power to ultimately
grant blessing to a project if s/he deems it vital to the organization,
or to quash it if not.
But budget aside, anyone who has driven a project will tell you that
it’s a very good thing to have a vocal champion for your cause. And, if
that champion happens to be the person who controls the money, then
that’s even better.