New Securities and Exchange Commission (SEC) rules requiring the disclosure of processes for identifying material cyber risks — and management’s role and expertise in assessing and managing the risks — may require CFOs to hit the books.
According to Pete Cordero, a CPA and founder of the advisory company Hacking the Cyber Threat, CFOs will need cybersecurity leadership training to help their organizations comply with increasing regulatory demands around cybersecurity risk management.
Cordero was not speaking of technical skills. Many CFOs lack “a foundational understanding” of cybersecurity risks and the cyber-threat landscape, he said in a virtual session at last week’s Financial Executives International Corporate Finance Reporting Insights Conference.
In light of federal rules and some new state rules (like those proposed by New York’s Department of Financial Services for banks and insurance companies), CFOs with only a rudimentary knowledge of cybersecurity may be risking their careers.
“Executives and boards are within the cross-hairs of our regulators,” Cordero, a former FBI special agent, said.
A recent example is the SEC’s lawsuit against SolarWinds and its chief information security officer (CISO). The regulator charged the company and the CISO with failing to disclose “specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced,” according to the SEC press release.
Hack the Cyber Threat
For many of today’s executives, cybersecurity was not an area of instruction in their undergrad or graduate studies, said Cordero. “I had the pleasure of meeting with 50 CEOs and CFOs the last few weeks,” said Cordero. “I asked them, ‘Have you taken some cyber leadership training?’ All of them said, ‘no.’”
“There’s a lack of desire to learn this new and challenging language and technical skill, but it’s required today, especially with the new regulations,” Cordero said.
Foundational Cyber Knowledge
Today’s executives need to change their mindset and take the time to become cyber savvy, said Cordero. So what does a CFO well-trained in cybersecurity look like? “I define [them] as an executive who understands the different facets of cybersecurity as an enterprise risk,” Cordero said.
That includes understanding the methodologies of cyber-threat actors and strategies that will help reduce — not necessarily eliminate — cyber threats to personnel, operations, and technology. Today’s CFO must be knowledgeable enough to have a robust dialogue with the organization’s CISO and external cybersecurity professionals, Cordero said.
They have to be able to ask those “second-, third-, and fourth-order questions” of the experts, said Cordero.
“A cyber-savvy executive is comfortable knowing their organization is under constant cyber attack,” Cordero said. “And if a cyber attack is successful, they are comfortable knowing the attack will be detected and its impact minimized due to the strategic investment and continuing maturity of the organization’s risk management program.”
Here are some of the other areas of cybersecurity a CFO or other C-suite executive needs knowledge of:
- Malicious software
- Advanced persistent threats and nation-state actors
- The organization’s critical infrastructure
- Wireless and mobile devices and mobile apps used by the organization
- Web infrastructure security, including third-party risks
- Cybercrime and hacktivism
- Cyber defense incident response and recovery
- Cyber regulation
- Cybersecurity frameworks for private- and public-sector partnerships
Cordero insisted that having only a CISO or a CFO with cybersecurity training is insufficient. Each member of the leadership team should be trained, he said: “You own this enterprise risk as a collective.”
Cordero addressed several other issues for finance executives:
The shortage of cybersecurity talent
Consider organically growing your cyber talent within your organization from current employees who have stayed with you, said Cordero, who has seen many cybersecurity professionals job-hop between companies chasing higher wages.
“Expect to pay to attract the best talent,” he said.
A potential intrusion vector is anything connected to an organization’s network
Speaking from an attacker’s point of view, Cordero said: “If you have a good cyber-risk management program, I’m going to look at your third parties because they probably have poor information security practices compared to yours.” Understand that everything from utilities and point-of-sale terminals to cloud storage and managed service providers is a potential intrusion vector.
Information Sharing and Analysis Centers
Use the cyber threat intelligence from Information Sharing and Analysis Centers and get briefings to your employees, Cordero said. And those briefings should come from the CEO.
“I know I read all my director’s emails,” said Cordero. “The CEO has to start a culture of cybersecurity from the top.”