‘CFOs naturally understand risk’ making them key cybersecurity advocates

July 13, 2021, 9:00 AM UTC

Good morning,

The mass ransomware attack earlier this month exploited a flaw in an IT management software system and affected up to 1,500 U.S. businesses. And in May, the Colonial Pipeline cyber attack temporarily stopped fuel supplies across the east coast of the U.S. Cyber attacks will remain a consistent threat, Pam Nigro, vice chair of the board of directors at ISACA, told me. 

“I don’t see it stopping anytime soon,” says Nigro, who is also vice president of information technology and security officer at Home Access Health Corporation. “I think folks know that they’ve gotten a foothold. They’ve gotten rewarded for their bad behavior. And I think that’s going to increase bad behavior.”

ISACA is a global association of IT governance professionals founded in 1969. It has 150,000 members in 188 countries, and 220 chapters worldwide. Although cyber attacks are taking place, there are still companies using patchwork efforts to support technology from the early 2000s that leaves them vulnerable, Nigro says. “Organizations really need to invest in digital transformation to start to get off of these older systems” that expose them to risk, Nigro says. “Not saying new systems are perfect,” but they can be more difficult to infiltrate, she says.  

CFOs need to be engaged in the upgrade of technology and security systems, including providing an understanding of cyber insurance and the related costs, Nigro says. “CFOs naturally understand risk and understand what is acceptable in terms of thresholds for dollars,” she says. Financial leaders “carry that message up to the CEO and ultimately to the board, and help the board understand the level of risk,” Nigro says. 

Many information security and IT professionals around the world actually worry about effectively securing the rapidly rising amount of cloud services and API-centric applications amid digital transformations, according to Fastly. Reaching the Tipping Point of Web Application and API Security, a report released on July 12 by the cloud platform provider, found that outdated offerings are among the main causes for concern. Traditional security tools often block “harmless business traffic,” resulting in 91% of businesses surveyed running the tools in log or monitoring mode, or even turning them off entirely.

At the same time, the demand for professionals adept in cybersecurity may be greater than the supply. ISACA’s State of Cybersecurity 2021 Part 1 report released in May found that 61% of the 3,600 information security professionals surveyed said their cybersecurity teams are understaffed.

ISACA is “tool agnostic,” meaning the organization doesn’t “propagate or push any particular” application, or software, for its members to use, Nigro says. “But we really do try to show what are the best practices,” she says. One of the most common ways to share information is through online communities.

However, it’s not enough for just IT leaders and professionals to stay informed about cybersecurity—all employees should have basic knowledge of security measures, Nigro says. 

“If [employees] are not educated, and they don’t understand what a phishing email looks like; if they don’t understand that clicking on a link could misdirect you to someplace else and expose [your system], that is where the troubles really kind of align and really come to fruition,” she says. 

See you tomorrow.

Sheryl Estrada


Big deal

A new study by Haystack Analytics found that 83% of software developers surveyed have suffered from workplace burnout. Almost half (47%) attributed the stress to increased workload.

Going deeper

A new report in Harvard Business Review, Boards Are Undergoing Their Own Digital Transformation, explores how boards in various countries and regions around the world have approached the challenges of the past year. "While 80% of global directors said they believed digital transformation should be led at the board level rather than relegated to the IT department, boards in different regions differed dramatically in terms of follow-through," according to the report. 


Jonathan D. Alspaugh was named CFO at Aeglea BioTherapeutics, Inc., a clinical-stage biotechnology company. Alspaugh joins Aeglea from Evercore where he most recently served as a managing director in the corporate advisory business.

Andy Schmidt was named CFO at Sientra, Inc., a medical aesthetics company, effective immediately. Most recently, Schmidt served as the CFO of Guardion Health Sciences.


“While some see higher prices as a way to constrain demand, rising costs in the energy sector will only sow greater economic inequality and a world of ‘haves and have-nots.’”

—BlackRock Inc. Chief Executive Officer Larry Fink, in prepared remarks to the Venice International Conference on Climate, as reported by Fortune
