Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Expert Insight: A CFO’s Approach To Cybersecurity

A chief financial officer (CFO) is a necessary component required to ensure a cybersecurity department has the right staff, software, products, and tools to be able to defend their organization. But what’s the best way to work with a CFO? We spoke with Matt Neisler, Chief Financial Officer at Trustwave, to get his perspective.

Q: How does cybersecurity impact the finance department? What’s the risk your department faces?

Matt: There are a few things that we’re concerned about. People having access to bank accounts and numbers exposes organizations to risk. And finance departments face significant phishing and spoofing attacks.

For example, a hacker sent a spoofed email to a company’s customers telling them that they needed to update some bank details to redirect payments. The customer did so without any validation or confirmation. And in one phishing case, an assistant received an email impersonating their CEO asking to transfer USD$500,000 to them in a different bank account. Given the urgency, the assistant (who knew the CEO was traveling overseas) didn’t get a confirmation before making the transfer. The company realized what happened a couple of days later and is in the middle of recovering.

Companies face real challenges against attackers running phishing or spoofing schemes and pretending to be executives, customers, or vendors demanding payment and redirecting bank details. That’s a real risk to organizations and as finance departments. Try to put in place new processes and procedures like a double confirmation step that requires an email and phone confirmation to ensure requests like these are verified and validated. 

Q: How does your department handle these risks?

Matt: There’s always a risk of someone hacking into the system and stealing information whether it’s intellectual property or financial information. So, we need to be careful about who needs what access and whether or not there are any user IDs active that shouldn’t be. We need to review that to make sure they don’t create exposure for us.

Q: How do you think a CFO should approach cybersecurity when they’re just getting started with an organization?

Matt: It’s important to discuss with your organization the cybersecurity challenges it’s currently facing, what processes are in place, whether those processes create risk exposure, and if any remediation efforts are in place. 

How is your department exposing itself? Are you publishing bank account details and sensitive information on invoices? Can you work on concealing that information without slowing down the function of the department? Questions like these help you work towards putting new processes in place to lower your risk without affecting productivity.

If you’re at a large company, you may not have as much visibility into day-to-day issues like spoofing and ensuring your entire department is aware of these problems. You may catch an email by someone pretending to be the CEO — but will everyone? Your department needs training and secure email gateway tools for this.

Q: What does an ideal training for this kind of campaign look like?

Matt: Ideally, you should have a training program around information security that refreshes annually and goes through phishing, spoofing, and any other trends we’re seeing in the market. That’s something we at Trustwave would know better than anyone else because we’re continuously monitoring and looking for new threats.

Then in three to six months, you could launch a fictitious spoof or phish attack to make sure people are practicing what they learned. You basically want to do this once a year and identify the people or groups of people who fall for it. Months later, you see if they have learned not to repeat the same mistake. But you don’t have to subject the whole organization to the campaign again.

Q: What’s something that’s not obvious to consider when trying to defend against these attacks?

Matt: Frankly, you have to get people to pay close attention to small details, such as the language people are using. You get used to communicating with people on a regular basis and if their language or tone is completely different or off, that should raise a red flag.

As a leader, being able to portray yourself as approachable, being someone who cares about the team, and creating relationships is important. It’s not unusual for phishing or spoofing emails to impersonate the CFO. If an employee gets a problematic email, they should feel comfortable talking about it and asking questions, rather than think it’s an order to follow.

Q: How do you, the CFO, manage and lead cybersecurity?

Matt: As a CFO, you’re responsible for managing roles across the board — procurement, real estate, change management, risk management and auditing. Within most of those, they naturally fit around managing budgets. But cybersecurity isn’t as focused on that and has a different lens they’re looking through. That means you need to find a more effective way to manage and work with cybersecurity, whether that’s having additional conversations with a security leader or finding broader areas where information security can make the most impact to the organization.

You also need to understand different cybersecurity challenges from a high-level perspective so you can stay current, help, and guide a cybersecurity leader. This aspect of the job is fluid and I enjoy it because it lets me build a perspective to get a deeper understanding of our internal challenges and the challenges our clients face. Having a client see a finance guy speak their language effectively and understanding their own challenges adds a lot of credibility to our conversations and that’s rewarding. 

Q: What’s your mindset when it comes to cybersecurity as a CFO?

Matt: One of the first questions we ask is — what are the assets we want to protect and how do we go about protecting them? If there’s a gap in our protection profile, how do we make a decision based on the risk we’re trying to mitigate, what’s the qualitative and quantitative aspect, damage, and cost relative to that?

Quantitative costs can be hard to estimate. If someone steals all your trade secrets, the cost estimate is different if it’s an individual going to a competitor compared to someone posting it on a blog anyone can access.

We think through it in this way:

  • What are the risks we’re trying to mitigate?
  • What are the costs and potential damages we’re trying to avoid?

This also depends highly on the business you’re in to ensure you’re not indexing above a level that’s unnecessary. Take data loss for example - a consulting company tends to be open around what kind of info can be placed in emails because they’re interacting with clients and need to share documents. Other companies however, wouldn’t even allow the use of personal email, cloud-based file sharing, or even an external USB to put data on or take data off a network.

Q: How can cybersecurity and finance leaders best work together?

Matt: CFOs will probably look at the spend they’re putting towards cybersecurity and ask ‘when is it going to stop?’ because they likely increased the budget last year, and the cybersecurity department is asking for another increase. CFOs want to know when we’ll get an appraised level of protection and we see stable costs or cost-reductions at least as a percentage of revenue to make sure we’re driving towards better earnings per share (EPS) and/or margins.

Cybersecurity leaders have to put themselves in the CFO’s shoes and think through that lens. How am I contributing to the betterment of the organization by protecting the organization in a way that may not look like it’s driving a financial benefit in the short term but will in the long term? Maybe it’s a more advanced managed security service, a defense tool — being able to talk through the benefits and show the business case around it and not just the incremental cost is always important to get everyone on the same page. Align your objectives — you might have good reasons for pushing for higher levels of security but it’s hard to make that case if you’re just communicating the spend and not the benefits.

On the other side, a CFO should try to put themselves in the other person’s shoes. Why are they making a request to install new software or change the organization’s security posture? It’s important to be a good listener, hear people out, and really understand more about why they’re asking for what they’re asking for.

To learn more about why moving to a hybrid or fully managed security services provider (MSSP) model might be right for your organization, download this white paper.

Latest Trustwave Blogs

Mining Operations: Critical Cybersecurity Threats & Trends Revealed

Cybersecurity professionals often point out that threat actors do not differentiate when choosing a victim. To an attacker, a hospital is as useful a target as a law firm or even a mining operation....

Read More

Phishing: The Grade A Threat to the Education Sector

Phishing is the most common method for an attacker to gain an initial foothold in an educational organization, according to the just released Trustwave SpiderLabs report 2024 Education Threat...

Read More

Unlocking Cyber Resilience: UK’s NCSC Drafts Code of Practice to Elevate Cybersecurity Governance in UK Businesses

In late January, the UK’s National Cyber Security Centre (NCSC) issued the draft of its Code of Practice on Cybersecurity Governance. The document's goal is to raise the profile of cyber issues with...

Read More