It’s not just about the technology, stupid. That’s the collective message of the four expert commentators in this CFO Square-Off opinion forum, which asks how CFOs and their corporations should address cybersecurity in the face of rapid advances on the hacking front. Finance chiefs, they argue, should focus on their companies’ systemic risks rather than just software.
However, many companies are failing to address cybersecurity adequately because they tend to undervalue it financially, merely categorizing it as they would a physical asset. Instead, argues Gigamon’s Kevin Magee, they should take note of the financial losses that could occur when cybersecurity is weak.
“Today, it’s likely that some of a company’s most valuable and vulnerable assets don’t even appear on the balance sheet. How much is your email database really worth? Probably not much in conventional accounting terms. But consider what its value might represent if it were completely locked down and made inaccessible by ransomware or hacked and placed on Pastebin for anyone in the world to download and peruse?” Magee reasons.
Such corporate myopia results in a failure to see the big picture, according to Bob Shaker of Symantec. Many companies “are just realizing that their defense posture is targeted at preventing malware and insider attacks, not cyber attacks,” he writes. “The technology they’ve deployed is patchwork consisting of solutions from multiple vendors that doesn’t work together.”
Another source of defensive weaknesses is complacency, driven by the notion that hackers are targeting bigger fish than one’s own company. Adding to that distraction is the constant sense stemming from the 2016 presidential election that cybersecurity is a government matter. But yesterday’s attacks on the government are becoming today’s attacks on your company, observes Agari’s Markus Jakobsson.
“In the current political environment, it seems we’ll be focused on Russia for some time to come,” Jakobsson writes. “It would be beneficial if the scrutiny is not limited to their involvement in 2016, but also how to prevent these attacks in the future — for both the private as well as the public sector. Ultimately, the private sector can’t rely on the government to solve this problem.”
SecBI’s Gilad Peleg agrees. “Government initiatives to secure the private sector are almost always insufficient, because it’s impossible to gauge the security stance of each and every company and recommend (or order) the implementation of specific security means,” he contends. “To do so would require a nationwide cybersecurity federal auditing task force, and no one wants that.”