CIOs: Is it Time to Ask Your CFO for More Money to Secure Your Business?
What a difference a year makes. A year ago, I talked to a group of CFOs about security. While they all expressed concern regarding recent hacks, they said security is the job of the CTO or CISO. At roughly the same time, I got to talk with a good friend who is the CIO of a Fortune 500 company about the recent hacks and the lack of procedures and systems that many firms had in advance of their hacks. This CIO said back to me almost matter-of-factly that the CIOs at the hacked companies weren’t stupid. He went on to suggest that it is really hard to build a business case for the risk of being hacked. It is so much easier to justify spending money on marketing or investing for cost reductions where the value is clear and can be tested.
But as many of you know, two things have happened since this discussion. First, the courts allowed the financial institutions to sue retailers for the losses that they incurred because of what was claimed to be gross security negligence. And second, the depth of the hack detailed in a recent Fortune Magazine article made it clear that the potential risk and impact is real.
Fortunately, a recent CFO Magazine article makes it clear that CFOs are now all ears when it comes to investment in this area. In their survey of CFOs with nearly a thousand respondents, they found that 80% of CFO respondents from U.S. companies said that their systems have been successfully hacked in an attempt to steal, change, or make public important data. The breakdown of this number is interesting. 85% of the respondents from companies with fewer than 1,000 employees indicate their systems have been successfully penetrated. The number for larger companies was 60%. And 85% of respondents from firms in Asia, Europe, Africa, and Latin America said they had likewise been hacked.
The CFOs at these companies have taken notice and have not sat on their hands. Instead, their companies have taken steps over the past year to address both hacking and data security. Here is where they have put their money so far. They have installed new software or changed procedures in order to guard against data breaches (64%). Others have required employee training (33%), purchased new hardware (31%), hired data security firms (28%) or additional staff (16%), and tested security by attempting to hack into their own systems, using either consultants (19%) or their own staff (13%).
CFO magazine then makes a big point at the end of their survey. They said that “with firms searching for whatever edge they can gain against intensifying competition, they may well consider taking a more proactive stance on cybersecurity risks and the potential impacts on customer confidence”. Clearly, what a difference a year makes. CIOs, the timing may finally be right for you and your CISO to propose adequate investment in the people, process, and technology for better securing your enterprise's future.