Managing cybersecurity

Four cybersecurity priorities for the CFO and CIO

1. Treat cyber risk as part of enterprise risk management

The first step to effective collaboration on cybersecurity between the CFO and the CIO is to treat cyber risk as an enterprise risk management issue, rather than as an IT problem.

Cyber risk management needs to form part of the broader culture of the business. It should be integrated into the broad set of enterprise-governance functions, such as HR, vendor management, and regulatory compliance.

For multinational companies that empower local decision-making, this integration is particularly important.

“We want data and information to be available to managers locally so they can make decisions, but we also need to make sure that data is protected,” says Padmanabhan. “We are very mindful of ensuring that no information gets out without approval.”

For Pearce, CFO at Fortescue Metals Group, leadership accountability is crucial to this approach.

“Cybersecurity has to be put in its position as part of the broader risk management framework of an organization,” he says. “Ultimately, that sits not just with the CFO, but with the CEO and the executive team. They have to own those corporate-wide risks, of which cybersecurity is one.”

“Cybersecurity has to be put in its position as part of the broader risk management framework of an organization.”
Stephen Pearce, CFO, Fortescue Metals Group

Cyber criminals are becoming increasingly organized and sophisticated. Organizations need to accept that they have already been breached and will be again. An effective cybersecurity capability focuses not only on preventing attacks, but on detecting, containing and responding to them. All organizations should have a fully tested response plan in place that articulates specific responsibilities. In the event of a breach, such a plan can prevent further damage resulting from unnecessary delays, and can also help reduce reputational damage in the media and the markets.

Questions CFOs and CIOs should be able to answer about cybersecurity:

1. What is our overall risk tolerance? What level of damage are we willing to incur?
2. What is our organization’s current exposure to cyber risk?
3. Is our cyber risk exposure consistent with our risk tolerance?
4. How does our preparedness compare with that of our competitors?
5. What assets should be prioritized for protection? Do you have agreement across the businesses?
6. Are there adequate processes in place to prevent, detect, contain and respond to a cyber attack?
7. Do we have a fully tested cyber attack response plan that can be implemented without delay?

Partnering for performance Part 3: the CFO and the CIO 13
