Cybersecurity: 3 areas of pressing concern for CFOs

“We’re getting a lot of questions around the current conflict that’s happening between Russia and Ukraine,” Poppy Gustafsson, CEO of Darktrace PLC, a U.K.-based cybersecurity firm, told me. And many of those cybersecurity questions are coming from a range of C-suite leaders including CEO, CIOs, CFOs, and CTOs, Gustafsson says.

As Ukraine endures cyberattacks amid the country’s invasion by Russia, the U.S. Cybersecurity and Infrastructure Security Agency recently urged CEOs to prepare for potential cyberattacks. CFOs are primarily the leaders that companies rely on to mitigate risk, and cyberattacks are costly.

IBM reports that data breaches cost companies $4.24 million per incident on average, according to the tech giant’s annual report released in July. It’s the highest cost in the 17-year history of the report, IBM stated. The findings are based on an analysis of data breaches experienced by over 500 organizations worldwide. 

Before becoming CEO, Gustafsson began as CFO of Darktrace, which utilizes artificial intelligence to detect and autonomously respond to cyberattacks in real-time. She named three areas of concern for finance chiefs to consider when it comes to cybersecurity:

Lack of skilled employees 

“Cybersecurity is an industry where there’s just not enough people with the skills needed to stay up to speed with the scale of the challenge,” she says. “You can’t just recruit your way out of this problem. You can’t just double the size of your security team. Because even if you had the budget, the people just don’t exist. They’re working somewhere else.”

That’s backed up by an annual study released in October by (ISC)², a nonprofit global association of certified cybersecurity professionals. “Despite another influx of 700,000 professionals into the cybersecurity workforce, the 2021 study shows that global demand for cybersecurity professionals continues to outpace supply,” the report stated.

“So, how do you make the people that you have within your teams more effective?” Gustafsson says. Instead of having them be responsible for the daily management of preventing security breaches, use technology to free them up to become more strategic, she says. Let technology take care of the day-to-day spotting and stopping of breaches and also “perform the basics of good practices that you’d expect within the cybersecurity industry,” she says.

IBM’s study found that in data breaches, automation and security artificial intelligence, when fully deployed, provided the biggest cost mitigation, up to $3.81 million less than organizations without it.

Ensuring cybersecurity spending is strategic

When it comes to cybersecurity standards, most companies focus their spend on firewalls, antivirus programs, and endpoint protection, Gustafsson says. But there’s more complexity. 

“I think there’s sort of an increasing shift to thinking about the business outcome,” she explains. “People are trying to get a bit more strategic about the areas of the business that they protect, over and above all other aspects, and spending to meet that purpose.” 

For example, focusing the spend on your cloud infrastructure if it’s vital to your business. Google plans to do that with its purchase of cybersecurity company Mandiant Inc. for $5.4 billion. The move will add internet security products that will boost the company’s cloud-computing business.

Risks posed by third-party transactions and supply chain

There are cybersecurity risks when it comes to the complexities of business partnerships and supplier networks and the technologies they use, Gustafsson says. She poses a question for CFOs: “Are you comfortable that they are secure?”

Currently, cybersecurity works best when it’s a company-wide effort, Gustafsson says. “You do need to have a little bit of a culture within your organization that is paranoid about making sure [employees] don’t click [on a bad link],” she says. Employees need to know who their “security champions” are, and feel empowered to communicate a potential issue, she explains. “If something triggers their Spidey senses, they should know to alert someone and do something about it,” Gustafsson says. 

But she predicts that eventually technology will “take care of systems and controls and processes to make sure the human never ever needs to think about cybersecurity.”

---

See you tomorrow.

Sheryl Estrada
sheryl.estrada@fortune.com

Big deal

Microsoft Corp. released its second annual Work Trend Index report on March 16. Although, "culture will stand or fall with managers," one of the findings is they feel caught in the middle of meeting the needs of both leadership and employees, according to the report. About 50% of leaders surveyed said their companies are planning a return to full-time in-person work in the year ahead. However, flexible work is important to employees. About 52% of respondents said they are likely to consider shifting to hybrid or remote work in the year ahead. Fifty-four percent of managers said leadership at their companies is out of touch with employee expectations, and 74% said they don't have the influence or resources to drive change for their teams. The findings are based on a survey of 31,102 full-time employed or self-employed workers across 31 market, conducted by Edelman Data x Intelligence. 

Going deeper

A widely shared list of U.S. companies leaving and staying in Russia is holding business leaders accountable, is a new Fortune opinion piece by Yale Chief Executive Leadership Institute's Jeffrey Sonnenfeld, senior associate dean and professor, and Steven Tian, director of research. "We have been told that our list of companies leaving and staying in Russia did provide courageous CEOs with the confidence to execute bold pronouncements," Sonnenfeld and Tian write. 

Leaderboard

Dennis Secor was named interim CFO at Guess, Inc. (NYSE: GES), effective April 1. Secor succeeds Katie Anderson, who is stepping down to pursue another opportunity as CFO at a privately-held company. Guess plans to use an executive search firm to initiate a search for a permanent CFO. Secor previously served as Guess CFO from 2006 to 2012. He has also held numerous CFO positions at companies, including Fossil Group, Electronic Arts Canada, and Torrid. Since 2021, Secor has operated his own management consulting practice in New Zealand.

Shawn McArdle was named CFO at Choice Financial Group. Most recently, he was a regional CFO at Arthur J. Gallagher & Co. McArdle has more than 15 years of experience as a senior finance executive. 

Overheard

“That's a very, very tight labor market—to an unhealthy level.” 

—U.S. Federal Reserve Chair Jerome Powell said Tuesday that the U.S. currently has about 1.7 jobs available for every unemployed person. It's a situation in which consumer demand is higher than the labor and production supply, as reported by Fortune.