This past week, the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) released a groundbreaking document that is aimed at assisting the Chief Financial Officer of major corporations and organizations in managing the financial risks inherent in protecting an organization from cybercrime.
Titled “The Financial Management of Cyber Risk: An Implementation Framework for CFOs”, the document is a practical “how to” guide to understanding and addressing the financial implications of cyber risk.
Melissa Hathaway, President of Hathaway Global Strategies and former Acting Senior Director for Cyberspace for the National Security Council notes that this is “an excellent guide for organizations to manage the risk and exposure derived from digital dependence.”
This paper is a must-read for the CFO of any organization that has exposure to data breach risks. It is especially valuable to healthcare financial executives because of the enhanced regulatory environment in healthcare resulting from the recently passed Health Information Technology for Economic and Clinical Health (HITECH) Act. But CFOs in all industries and organizations that are entrusted with sensitive personally identifiable information (PII) and protected health information (PHI) should make the time to read this.
The context and perspective of this paper is best summarized in the executive summary where it states:
“Most enterprises today categorize information security as a technical or operational issue to be handled by the information technology (IT) department. This misunderstanding is fed by outdated corporate structures wherein the various silos within organizations do not feel responsible to secure their own data…. In reality, cybersecurity is an enterprise-wide risk management issue that needs to be addressed from a strategic, cross-departmental, and economic perspective. The CFO as opposed to the CIO or CSO, is the most logical person to lead this effort.”
If one were to ask the CFO at a Fortune 500 company to quantify their level of risk to cybercrime and associated risks of data breach, most would have a difficult time answering the question. Financial officers tend to defer the management of data breach risks to the information security team. Unfortunately, this leaves many organizations exposed to risks that are misunderstood, unquantified, and uncovered.
If you are the CFO of an organization of any size and in any industry — healthcare, financial services, manufacturing, retail — or in the public sector or higher education, don’t wait to read this document.