7 Questions to ask your CFO to get more Cyber Security Investment

CISO Interview Series: Leon Fouche, Partner: Cyber Security and Technology Risk, BDO in Australia

Many organisations are embarking on transformation journeys to reshape their business and move into digital. Do you see them understanding the importance of Cyber Security in that change?

There are various levels of maturity in the market. On the one end you have organisations that understand that information is an asset that needs to be appropriately protected. These organisations tend to have well established internal risk management strategies and processes that will assess the risks of adopting and implementing new technology and guidance on how to mitigate these risks.

Then on the other end of the spectrum you have organisations who want to be innovative and first to market, but who sometimes lose focus of security. These organisations are likely to be more focused on the digital solution and often consider security late in the cycle (i.e. security is built in and not designed in).

Finally in the middle are often the ‘followers’. These are organisations that feel they might be missing out on an opportunity because they don’t have a service offering and rush in for a solution. Unfortunately, this means they may not give enough attention to the associated security risks.

Leon, you work with many CIOs and CISOs. When you think about the ones that you really rate – what are the attributes that really count?

The really great CIOs and CISOs are those that understand that information is a business asset. They also understand the strategic threats in their industry and their business. At the same time they have a good relationship with the Board and C-suite of their business.

They are innovative in their personal manner and proactively work with the business to achieve outcomes. I’ve also noted that they don’t take the position of “no-that-can’t-be-done”. There is a ‘can do’ attitude and they are definitely not a “door mat”.

They also tend to understand the business and supply chain and what the risk exposures are within each component of the supply chain. And they have an industry/market presence and actively participate in industry.

(A great example of a professional that I really rate is Mike Burgess from Telstra)


As organisations move into the cloud and into effectively hybrid environments, what’s your view on managing these threats? Surely the risks are higher and the skills required are increased?

Yes. That is correct. It is important for organisations to understand that using the cloud does not mean they have “outsourced” their risks and that someone else is taking care of it. The risks and their treatment remain their responsibility.

Organisations must have a true understanding of the whole IT services supply chain and what the security risks are within that. With that in mind, it is important to have a good understanding of what I refer to as CIA (confidentiality, integrity and availability) within the IT services supply chain.

It is also important to know who is responsible for each service component – especially in a hybrid environment where service delivery is shared. Plus, organisations also need to invest in building contract and partner management capability.

Most organisations do not invest enough in Cyber Security. When you talk to CFOs, what are the questions that you ask to try to convince them that they need to reconsider this position?

The dialogue would be a series of questions and clearly I would be watching for body language and the CFO’s responsiveness. I would start by asking:

  • What is your most valuable asset in your business? If IT systems and corporate information are not in their response, I always ask why not?
  • Do you know what the financial and reputational impact will be if normal business operations are interrupted by a cyber-incident?
  • What strategies do you have in place to recover from a cyber-incident? When was the last time you tested this?
  • What level of insurance do you have to cover for business interruption? Does it cover cyber incidents?
  • Do you know what your competitors are doing in this space?
  • How much of your business spend is allocated to cyber security and can you measure the return on investment? If not, do you want to?
  • Do you understand the regulatory environment and how that could impact your business if there is a cyber incident?

Give it a try, this approach has worked well for me in the past.

What’s your view around the awareness of boards of the risks of Cyber Security in enterprises - is enough being done to educate them?

There has been some good progress here and we are seeing more boards now starting to discuss cyber risks within their organisation.

The media has played a role in this education process. For instance, leading up to the G20 in 2014, the local media regularly reported on cyber risks and impacts, which helped the Queensland business community become more aware of cyber risks. Then there is a role for Risk and Audit Committees to play in doing more to educate the board on cyber risks within their business.

We also find that Non-Executive Directors who sit on multiple boards help with the education process. Despite this, there appears to be a general lack of awareness amongst boards about their liability in regard to cyber-incidents and this is no different to their traditional statutory responsibilities.

Overall there is more work to be done to get Boards to shift from just awareness and education into action – with a commitment to ongoing assessment, remedy and assurance of cyber risks.

When I think about two-speed IT (Run IT and Change IT), both come with different threats and opportunities. What’s your view on managing this?

For me the Social networks, the Internet of Things, big data, amongst other things, are “business disruptors” that organisations will need to consider/assess in line with their business strategy and planning to determine if and how they adopt them.

These will likely introduce new threats and opportunities, and organisations need to assess and understand how these will impact their industry, business, staff and customers. Thus it is important for organisations not to lose sight of the basics – remember that information is an asset and it needs to be appropriately protected (think CIA approach) anywhere and anytime.

Thus, with this in mind, the same risk management principles apply – have a good understanding of your risks, consider how they measure up against your risk appetite, and put plans in place to manage this or bring the risk back to a level you are comfortable with.

I’ve been writing recently about managing threats to critical infrastructure. What’s your view on how mature the Australian environment is?

Firstly, my view is that critical infrastructure is defined as what government describes as assets central to the functioning of a society and economy. The critical infrastructure operators in Australia are growing in their understanding of the cyber risks within their industry segment and environment.

However, at the moment Australia doesn’t have firm cyber security industry standards that critical infrastructure providers need to adhere to, such as NIST. The Australian Cyber Security Centre recently released its first public report on the threats to critical infrastructure operators and industry sectors. This means there is only now a wider awareness of the cyber threats within the different sectors.

Infrastructure operators are now in a position to work through these threats as part of their strategic cyber planning activities – many have already started working on improving their cyber resilience.

The Banking and Telecommunications sectors are the clear front runners, and utility operators, that is Electricity & Water operators, are lagging behind the rest. This is mainly due to the geographical spread of their Industrial Control Systems (ICS) and how these integrate back into corporate networks.

Let’s remember that the other challenge within this sector is that legacy ICS were designed for high availability with limited focus on security. Newer ICS have better security, but it will be a while before these are implemented.

In summary, some sectors are more mature than others, but a lot more needs to be done.
