Managing cybersecurity

2. Prioritize the assets that need protection

CFOs’ access to all financial data means they are often best-placed to identify signs of a cyber breach. Their oversight can also sometimes help them identify the assets the attackers are likely to try to obtain, such as intellectual property (IP), financial data or other information about the company that could be used to damage it.

The CFO should lead the board-level conversations to identify which of the organization’s assets need protection. Often, there will be disagreement among different members of the C-suite, so the CFO’s perspective across the whole organization and its data is crucial.

The board should help prioritize these assets. And it needs to understand the impact of them being breached, compromised or made unavailable.

Ken Allan, Global Cybersecurity Leader, EY, argues that while the CFO and CIO need to collaborate closely on cybersecurity, they need to approach it from different angles.

He says: “CFOs should care about different questions. What are they trying to protect? What are the impacts of a breach?”

“Cybersecurity preparation is all about understanding what the business is trying to protect. Some CFOs are trying to understand the technical detail when they shouldn’t be. That’s for the IT people to deal with.”
Ken Allan, Global Cybersecurity Leader, EY

3. Match your cybersecurity to your strategy

CFOs and CIOs should view cybersecurity as a series of rolling processes to be reviewed and revised as the organization changes. Every new product or service, geographical expansion or M&A transaction creates new cyber risk exposures that must be managed.

Avoiding pockets of vulnerability emerging over time requires a tight partnership between the CFO, who knows the strategy intimately, and the CIO, who is best placed to identify vulnerabilities.

“What the business is trying to protect varies over time,” says Allan. “Creating a mature cybersecurity capability is about moving to a state where these threats can be anticipated.”

Similarly, as we move further into an ecosystem of digitally connected entities, people and data, cyber risk increases and cybersecurity must adapt. Innovative digital business models and customer-facing channels create new opportunities that also bring new risks.

“Historically, IT and cybersecurity were structured around protecting the data center from outside intrusions,” says Ryerkerk. “If you move forward to today, solutions are very likely to be provided by the cloud.”

“The traditional solutions don’t work anymore. The whole landscape is changing very dramatically.”
Dave Ryerkerk, Global IT Advisory Leader, EY

Partnering for performance Part 3: the CFO and the CIO