While computer hackers and data thieves are always improving, developing ever-more sophisticated ways to breach corporate security systems, businesses have been falling behind in the measures they’re taking to protect themselves, a PricewaterhouseCoopers report released Wednesday asserts. C-suite executives, the survey says, aren’t taking enough personal responsibility for mitigating organizational risk.
“Companies that are good at managing information security risks typically assign responsibility for their security regimes at the highest levels of the organization,” the report states. But many executives, CFOs included, are not as involved as they should be. Researchers from PwC’s U.S. assurance practice found that only 39% of 10,000 executives surveyed last year (as opposed to 52% in 2009) said they reviewed their security policies annually. That means many businesses are running the risk of being outsmarted by inventive hackers, who are reviewing their strategies every day.
Perhaps not surprisingly, in a 2011 study of 583 businesses, the Ponemon Institute, which specializes in gathering and analyzing information security data, found that 44% viewed their IT infrastructure as “relatively insecure.”
The top of the organization sets the tone about the importance of protecting customer data, says PwC partner Jason Pett, who co-authored the report. “Security is not just an IT risk, it’s a business risk,” he says. “As CFO, your responsibility is to understand the business risks and how the organization is set up to mitigate those risks.”
Scott Travasos, CFO of Blue Shield of California Foundation, agrees that the management of information security, while still very much in the hands of the IT staff, has moved into the realm of the CFO, who must accept the role of enforcer when it comes to compliance and risk management. “Gone are the days when all a CFO had to do was manage the P&L,” he says. “Today it’s about much more, and information security, and its potential effects on the organization, is near the top of what’s critical.”
Security breaches, and the fines, court costs, and reputational damage they generate, can be incredibly costly. When Sony’s PlayStation Network was famously hacked in 2011, the company spent more than $171 million cleaning up the mess, and analysts predict the total could reach the billions once lost business and the cost of the investigations, make-goods, and the additional security investments the hack inspired are counted.
Businesses are also starting to face increased pressure from government to keep personally identifiable information secure or face hefty fines. According to the PwC report, at least 50 governing bodies worldwide have enacted data-privacy laws designed to hold businesses accountable for data loss and exposure. Fines for a single breach can run to $15 million.
Managing that risk is part of the CFO’s fiduciary responsibility, Pett points out, and doing so matters not only to the organization’s future financial health but also to the individual CFO’s personal job health. When those fines and penalties are levied, it will be the CFO who is on the firing line.
Travasos says he expects to see increased collaboration between CIOs and CFOs over the next several years as more traditional IT moves to the cloud. “Too often, I have seen IT and finance running on separate tracks,” he says. “I don’t think they will continue to run parallel in the future.”
As companies adopt bring-your-own-device policies, the risks of hacking and theft increase. Just about every company (90%) surveyed by PwC reported having experienced at least one computer breach or theft in the previous 12 months. Citing research from the Ponemon Institute, PwC reported that 28% of digital security breaches can be tracked to the mobile workforce.
“With mobile technology and cloud storage expanding, the risk is only going to increase over time,” says Pett. “If CFOs haven’t started to pay attention, now’s the time to do it.”