A chief financial officer (CFO) is a necessary component required to ensure a cybersecurity department has the right staff, software, products, and tools to be able to defend their organization. But what’s the best way to work with a CFO? We spoke with Matt Neisler, Chief Financial Officer at Trustwave, to get his perspective.
Q: How does cybersecurity impact the finance department? What’s the risk your department faces?
Matt: There are a few things that we’re concerned about. People having access to bank accounts and numbers exposes organizations to risk. And finance departments face significant phishing and spoofing attacks.
For example, a hacker sent a spoofed email to a company’s customers telling them that they needed to update some bank details to redirect payments. The customer did so without any validation or confirmation. And in one phishing case, an assistant received an email impersonating their CEO asking to transfer USD$500,000 to them in a different bank account. Given the urgency, the assistant (who knew the CEO was traveling overseas) didn’t get a confirmation before making the transfer. The company realized what happened a couple of days later and is in the middle of recovering.
Companies face real challenges against attackers running phishing or spoofing schemes and pretending to be executives, customers, or vendors demanding payment and redirecting bank details. That’s a real risk to organizations and as finance departments. Try to put in place new processes and procedures like a double confirmation step that requires an email and phone confirmation to ensure requests like these are verified and validated.
Q: How does your department handle these risks?
Matt: There’s always a risk of someone hacking into the system and stealing information whether it’s intellectual property or financial information. So, we need to be careful about who needs what access and whether or not there are any user IDs active that shouldn’t be. We need to review that to make sure they don’t create exposure for us.
Q: How do you think a CFO should approach cybersecurity when they’re just getting started with an organization?
Matt: It’s important to discuss with your organization the cybersecurity challenges it’s currently facing, what processes are in place, whether those processes create risk exposure, and if any remediation efforts are in place.
How is your department exposing itself? Are you publishing bank account details and sensitive information on invoices? Can you work on concealing that information without slowing down the function of the department? Questions like these help you work towards putting new processes in place to lower your risk without affecting productivity.
If you’re at a large company, you may not have as much visibility into day-to-day issues like spoofing and ensuring your entire department is aware of these problems. You may catch an email by someone pretending to be the CEO — but will everyone? Your department needs training and secure email gateway tools for this.
Q: What does an ideal training for this kind of campaign look like?
Matt: Ideally, you should have a training program around information security that refreshes annually and goes through phishing, spoofing, and any other trends we’re seeing in the market. That’s something we at Trustwave would know better than anyone else because we’re continuously monitoring and looking for new threats.
Then in three to six months, you could launch a fictitious spoof or phish attack to make sure people are practicing what they learned. You basically want to do this once a year and identify the people or groups of people who fall for it. Months later, you see if they have learned not to repeat the same mistake. But you don’t have to subject the whole organization to the campaign again.
Q: What’s something that’s not obvious to consider when trying to defend against these attacks?
Matt: Frankly, you have to get people to pay close attention to small details, such as the language people are using. You get used to communicating with people on a regular basis and if their language or tone is completely different or off, that should raise a red flag.
As a leader, being able to portray yourself as approachable, being someone who cares about the team, and creating relationships is important. It’s not unusual for phishing or spoofing emails to impersonate the CFO. If an employee gets a problematic email, they should feel comfortable talking about it and asking questions, rather than think it’s an order to follow.
Q: How do you, the CFO, manage and lead cybersecurity?
Matt: As a CFO, you’re responsible for managing roles across the board — procurement, real estate, change management, risk management and auditing. Within most of those, they naturally fit around managing budgets. But cybersecurity isn’t as focused on that and has a different lens they’re looking through. That means you need to find a more effective way to manage and work with cybersecurity, whether that’s having additional conversations with a security leader or finding broader areas where information security can make the most impact to the organization.
You also need to understand different cybersecurity challenges from a high-level perspective so you can stay current, help, and guide a cybersecurity leader. This aspect of the job is fluid and I enjoy it because it lets me build a perspective to get a deeper understanding of our internal challenges and the challenges our clients face. Having a client see a finance guy speak their language effectively and understanding their own challenges adds a lot of credibility to our conversations and that’s rewarding.
Q: What’s your mindset when it comes to cybersecurity as a CFO?
Matt: One of the first questions we ask is — what are the assets we want to protect and how do we go about protecting them? If there’s a gap in our protection profile, how do we make a decision based on the risk we’re trying to mitigate, what’s the qualitative and quantitative aspect, damage, and cost relative to that?
Quantitative costs can be hard to estimate. If someone steals all your trade secrets, the cost estimate is different if it’s an individual going to a competitor compared to someone posting it on a blog anyone can access.
We think through it in this way:
- What are the risks we’re trying to mitigate?
- What are the costs and potential damages we’re trying to avoid?
This also depends highly on the business you’re in to ensure you’re not indexing above a level that’s unnecessary. Take data loss for example - a consulting company tends to be open around what kind of info can be placed in emails because they’re interacting with clients and need to share documents. Other companies however, wouldn’t even allow the use of personal email, cloud-based file sharing, or even an external USB to put data on or take data off a network.
Q: How can cybersecurity and finance leaders best work together?
Matt: CFOs will probably look at the spend they’re putting towards cybersecurity and ask ‘when is it going to stop?’ because they likely increased the budget last year, and the cybersecurity department is asking for another increase. CFOs want to know when we’ll get an appraised level of protection and we see stable costs or cost-reductions at least as a percentage of revenue to make sure we’re driving towards better earnings per share (EPS) and/or margins.
Cybersecurity leaders have to put themselves in the CFO’s shoes and think through that lens. How am I contributing to the betterment of the organization by protecting the organization in a way that may not look like it’s driving a financial benefit in the short term but will in the long term? Maybe it’s a more advanced managed security service, a defense tool — being able to talk through the benefits and show the business case around it and not just the incremental cost is always important to get everyone on the same page. Align your objectives — you might have good reasons for pushing for higher levels of security but it’s hard to make that case if you’re just communicating the spend and not the benefits.
On the other side, a CFO should try to put themselves in the other person’s shoes. Why are they making a request to install new software or change the organization’s security posture? It’s important to be a good listener, hear people out, and really understand more about why they’re asking for what they’re asking for.
To learn more about why moving to a hybrid or fully managed security services provider (MSSP) model might be right for your organization, download this white paper.