A recent report by the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI)entitled “The Financial Impact of Cyber Risk” suggests that cybersecurity should be an issue for a number of departments beyond IT.Specifically, it said the chief financial officer, legal, riskmanagement, human resources, public relations and others should beinvolved in managing cyber risk before an embarrassing and damagingdata breach hits the organization.
It’s not unusual to hear reports advising IT to collaborate with thebusiness in an effort to better understand IT’s role in the biggerpicture, be it cyber security or any other IT project. But thesuggestion to take the issue to the highest echelons of theorganization, specifically the CFO, on an issue often perceived assolely IT’s problem is not often heard.
It’s very helpful that through more direct discussions, the CFOwould be made aware first-hand by IT of the negative implications of apotential cyber security attack and of its financial repercussions.Moreover, CFOs control the money and have the power to ultimately grantblessing to a project if s/he deems it vital to the organization, orcan quash it if not.
But budget aside, anyone who has driven a project will tell you thatit’s a very good thing to have a vocal champion for your cause. And, ifthat champion happens to be the person who controls the money, thenthat’s even better.