Cybersecurity continues to be a dominant topic in many board and executive meetings today. However, many senior financial leaders aren’t equipped with effective leadership frameworks to help them understand and resource cybersecurity programs strategically.
In this article, we discuss three key cybersecurity challenges financial leaders are currently facing and provide strategies to help them navigate those challenges.
1. Missing links between cybersecurity and performance
We’re seeing, in certain circumstances, a gap between strategic and financial questions asked about cybersecurity programs and tactical or technical answers received. The cause of this issue is relatively intuitive—senior leaders without an IT background lack a technical context and language. Also, IT teams can present technical issues and solutions without putting them in the context of their organization’s strategic objectives. The result is that leadership is asked to invest in cybersecurity solutions without appreciating how they’ll positively impact performance.
The solution: Senior financial leaders should ask their Chief Information Security Officer to show the links between cybersecurity threats and the organization’s strategic objectives. For example, if employee data is breached and provided to a key competitor, which strategic objectives will be significantly compromised? Which won’t? By making this simple many-to-many connection, senior financial leaders will have a much clearer view of which threats pose the greatest impact on performance. As a result, investment decisions will be based on some simple but important data.
2. Low visibility on the full range of threats and their impact
The traditional definition of a hacker has changed substantially in the past five years. Cybersecurity attacks are, in many cases, now perpetrated by threat actors who approach those attacks as a business. For instance, a fully populated Canadian healthcare record, complete with SIN number, address and birthdate, is worth up to $1,000 on the black market. Monetizing this data on a mass scale is profitable. Traditional hackers are now joined by organized crime groups and information brokers in the pursuit of this data.
Further, according to PwC’s 2016 Global State of Information Security Survey (GSISS), 41% of people responsible for cyberattacks are former employees. They have insights that make access easier and may be motivated to harm former organizations when disgruntled.
Finally, foreign nation-states are capable of such attacks to boost their political interests. According to the GSISS, 32% of organizations consider that attacks could come from competitors looking for a strategic advantage.
The results of these attacks may also be broader than they first appear. For instance, the goal of attackers is not always to acquire data—threat actors may design attacks to compromise operations, injure employees or embarrass your organization.
Financial executives need to consider all of the above when deciding how to invest in cybersecurity solutions.
The solution: You can’t protect against what you don’t understand. Board and executive education focused on specific threat actors and the potential impact of their actions is essential. Consider who is most likely to attack, including current and former employees, competitors, nation-states (particularly during international mergers and acquisitions activities), activists, organized crime groups or information brokers.
Next, understand how they’ll come at your organization. Are they going to focus on your network, databases or operational systems (e.g. supervisory control and data acquisition)? Or are they going to enter through a networked supplier, lure a staff member into clicking on a spear phishing lure, or tailgate an employee to physically enter your organization and socially engineer an in-person
Finally, determine whether your biggest impact will be on financial performance, reputation, operations viability, availability of assets or data, non-compliance or the personal safety of employees, the public, customers, contractors or
Asking the above questions will provide a fuller context to discuss your cybersecurity strategy and investments.
3. The belief that cybersecurity is only an IT issue, rather than a broader business imperative
Thinking about cybersecurity as only an IT issue can significantly impair an organization’s ability to understand and manage its risks in this area. As discussed above, IT vigilance and resources are at the core of a cybersecurity strategy, but a sound strategy involves many more stakeholders. Holding IT solely accountable for cyber breaches is like making finance solely accountable for profitability. Of course, you need an effective security architecture, a sound firewall and an up-to-date anti-malware program. But informed financial leaders understand there are many components to a strategic cybersecurity program, including good governance, effective tools and systems, skilled and adequate resources and wraparound third party services.
We hear hackers tell us they expect the firewalls of more sophisticated target organizations will be difficult to breach. For that reason they target your number one vulnerability: your people. Well-designed social engineering calls can compel staff to reveal essential information that can be used to breach your organization. Without proper training, employees are susceptible to revealing passwords, providing network access and sharing confidential information, all of which enable threat actors to achieve their
The solution: Management should invest in a multi-layered strategy to manage cybersecurity threats. This requires investing in multiple areas, including the IT department, human resources, physical security and external service providers. Beyond IT budgets, plan your investments in training, penetration tests, breach indicator assessments, incident response plans and governance policies to develop a well-rounded approach to managing this growing threat.
Partner, PwC Cybersecurity & Privacy
+1 416 941 8374