If you are a CFO, like me, we spend a good chunk of our time working with our teams to ensure risk in the form of tax, treasury, internal controls and integrity of financial reporting is mitigated. Sometimes there’s a niggling risk worry that will cause us to wake up in a cold sweat— but we are all trained to deal with these ‘known knowns’.
It’s what we do.
We also spend evenings and weekends on forecasting, guidance, squeezing costs and appraisal of investment opportunities to boost the top or bottom lines. All of this is necessary and our stakeholders look to us to get it right as custodians of the assets of our organizations. The risk of getting these things wrong causes us, as professionals, sleepless nights, but unless we get them catastrophically wrong it mostly causes nothing more than a ripple in the organization that is easily recovered. This is where we spend the vast majority of our time.
However, there is a new, constantly mutating threat lurking in the shadows and as a CFO community, I do not think that we have yet fully grasped the role we could, and should, play in mitigating against it. If we are serious about being the custodians of our organization’s assets then we need to take our heads out of the sand. We are doing some things to counteract this new threat but not nearly enough. Yet.
All organizations are now digital. Our IT infrastructure, applications, and data are the nerve center of any organization and without it, the business simply ceases to operate. Serious outages caused by attacks on the nerve center wreak a level of havoc which is difficult to imagine happening if we get things wrong in other areas that we spend most of our time managing. Think about the recent hits to that nerve center that has had some very high profile casualties: Equifax, Maersk, NHS, WPP, Mondelez, Deutsche Post; and those are just the ones we know about! The cost in terms of the lost market cap, cost of the clean-up, reputational damage and regulatory fines is almost incalculable.
This new risk is not going away; it is only going to get worse.
We dedicate our time ensuring we have the right internal controls to prevent a fraud which might, at worst, cost us a few hundred thousand. We feel proud when we manage to squeeze another 1% out of the cost base, reduce our effective tax rate by 2% or gain 3% percent on our stock price by under promising and over-delivering. These are all important, worthy things yet how much time do we spend on the biggest existential threat to our organizations where a bit of simple code developed by individuals intent on causing maximum havoc to an organization can bring down our nerve center and therefore our entire organizations in a matter of minutes. The potential cost and loss of assets dwarfs almost any other risk event, but how much time do we spend on it?
Pretending that ‘it will never happen to us’ is being the Ostrich CFO. IT may not report to the CFO (although often it does). The CFO will probably spend an hour or more at Board meetings explaining, in detail, the financial performance and metrics of the business. Could any of us talk for an hour, in detail, about what we are doing to secure organizations against a catastrophic breach of the nerve center that could bring the business to an abrupt halt?
The CFO role is always evolving and, if we are serious about being custodians of our organizations, it is time to add another string to our bow. We don’t need to be technology experts but asking simple questions like “are we up to date and patched with our software” will go a long way – I guarantee you will be worried at the answer, and if you are not, I suspect you are not getting a straight answer.
The recent WannaCry and Petya attacks could have been avoided in any organization whose software was current. The attack on Maersk cost it $300m, even before taking into account longer-term reputational damage. They could have been current for a tiny fraction of that amount, but who was asking the question?
Our natural skepticism and analytical skills position us perfectly to ask searching questions and our position at the Boardroom table provides the platform to ensure these issues are taken seriously and are properly funded, although it is not expensive to stay current and approving funding for the latest fancy cybersecurity tool might feel like action but is useless if you have left the windows and doors open.
The role of CFO evolved and was enhanced after the financial crisis; it is time for us to evolve again to deal with this latest threat to our organization’s assets. Get current and #StayCurrent.