5 Questions a CFO Needs to Ask IT Security

In the digital age, a company’s data is key to its survival. It is therefore crucial that the executive board, the board of directors and, in particular, the CFO work in-depth with IT security, just as they would other business-critical and strategic activities.

Data and IT can no longer be considered a “new” function and nothing more than an extra expense. With digitalization, we’ve entered a “data first” era where a company’s strategy and business performance rely on a strong digital transformation, marking the difference between success and a slow deterioration of the company’s profitability.

In terms of IT security, the negative impact a data breach can have is overwhelming. Consider the potential revenue loss due to downtime, the decline in customer trust and loyalty, lost shareholder value and incurred regulatory fees.

In this light, there are a range of important questions a CFO needs to consider. All deal with classic values the CFO needs to explore, just as they would explore other aspects of the business.

Let’s talk
Contact our CCO Jesper Juul for a talk about your current IT security and compliance.

Frame the questions for the IT Security department as an investment, rather than a cost:

IT is business critical and should never be considered a mere expense: Data-driven insights or applications have the potential to accelerate a business, and it can be a disaster if the right security systems aren’t in place. Moreover, it may make sense for some companies to consolidate or even outsource certain systems, depending on their needs.

Below, we present five key questions we believe a CFO should ask their IT Security department. For each of these questions, the CFO needs to consider the value a specific IT security investment would have for the company, as well as the costs associated with the risks if the investment is not made.

The key question is: What value are we getting from our investment?

  1. What is the impact on our overall risk picture?
    Invest wisely. It is all too easy to overspend on security solutions and create a false sense of security. The CFO needs to understand, define and analyze the overall threat picture and the potential damages in order to create a realistic ROI for IT security spending.

    Also, it’s important to be realistic about the potential damages of cyber incidents, such as a ransomware attack. How much downtime is tolerable, and what is your incident response plan? Whoever is in charge of your company’s cybersecurity needs to have a big enough budget, not only to minimize the risk of a breach but also to create a sophisticated incident response plan.

    Read more: 3 IT Risk Management Priorities for 2021
  2. How well are we meeting our compliance requirements?
    The number of security regulations, usually in the form of local or industry-specific compliance mandates for protecting personally identifiable information (PII), is constantly increasing. Is it possible to address current requirements while simultaneously looking ahead, in order to comply more effectively with future regulatory mandates? Also, is it possible to be more specific about which controls to use, or about what the consequences of a failure to comply will be?
  3. Which are our key specific security use cases?
    Define risk management objectives and address key risks to enable strong choices that fit your organization and optimize your solution architecture portfolio. With detailed security use cases, you will be better able to evaluate the options, for instance in-house specialists vs. third-party involvement, native vs. add-on, and best-of-breed vs. platform products.

    As part of your security architecture, pay close attention to automation and orchestration features, which are increasingly vital for strong operational security management.
  4. Can we consolidate, simplify or outsource?
    It might sound like a cost-saving measure, but in fact this question can help leverage IT security. Within your security architecture, you may find opportunities for simplification and consolidation that actually minimize entry points, the number of privileges, the number of applications, and potential backdoors in your systems, as well as ensuring separation of duties.

    Increase focus on API and application security. Design endpoint security and cloud application security hand in hand to provide data security and threat protection.

    Read more: As-a-Service Explained
  5. Which additional data insights can be extracted?
    Make sure your applications and architecture are data-centric in order to enable processing and analytics. How can existing “raw” data be used in a different context to benefit your organization? With the right approach (and knowledge level), analytics data that can be used in other contexts can be a true goldmine.

    This question depends to a great extent on who is doing the asking. The CFO needs to leverage their in-depth and overall knowledge of the business to identify where specific data insights can benefit the business.

    Read more: Guide to Data Classification
What’s Next?

These questions, from a CFO to IT Security, will ultimately help your business determine the effectiveness of security programs, identify areas requiring additional focus, and map the need to implement changes. Once the work has been done, it’s time to start monitoring these investments and tracking performance, in both IT security and financial terms.
