Finance’s Mandate: Get More Engaged, Earlier, In Cybersecurity

Nilly Essaides

The prosperity and growth of the digital economy rely on cybersecurity. Every day brings another horror story. But a lot of these stories seem to be about the theft of personal information, like social security numbers and passwords. Should finance be concerned?

The answer is yes.

The Hackett Group research, conducted in collaboration with consulting firm SecureState, found cyber risk is the number-one business threat on finance executives’ minds (see below). Clearly, finance is aware of the danger. You’d think they’d do everything they can to contain it. Yet the results of our recent study, Cybersecurity in the Digital Era: New Mandates for Security and Stakeholders, prove there’s a big gap between where finance is and where it should be regarding cyber risk. That’s alarming. (The study identified top performers vs. peer organizations along a range of best practices.)

Source: The Hackett Group Key Issues Study, 2017

The study, led by Rick Pastore, senior director of research IT at The Hackett Group, looked at disconnects and best practices in three areas: knowledge and authority, engagement, and resources.

The study identified three important commonalities among top-performing organizations overall:

  1. They encourage cyber-risk savvy via education, and give more responsibility for risk management decisions to functional heads outside of IT.
  2. The cybersecurity team is involved in business initiatives that involve cyber risk much more consistently and earlier in the process.
  3. They dedicate more resources to security and tie resource levels to business demand.

How does finance stack up against these best practices?

The answer is disturbing. Finance is very confident in its level of security. In fact, it is 16% more confident than top-performing companies that the business is reasonably well protected. Yet it’s got absolutely no reason to feel so comfortable. Just 43% of finance leaders said they have the knowledge they need to make effective cyber-risk decisions, about half the percentage of top performers. And just 37% of executives said they always proactively seek the cybersecurity team’s involvement when taking actions that can increase risk. Top performers do so nearly twice as often. For a function that controls much of the most sensitive information that flows through the organization, this is unconscionable.

One of the most important differentiators of top performers is that they engage the cybersecurity team early, when they start discussions on a new project. It doesn’t really help to call the experts in after signing a contract with a cloud provider, when it is too late to vet the security protocols. The chart below shows where finance stands vs. top performers and peers on this issue. Clearly, it’s got a ways to go.

Source: The Hackett Group Key Issues Study, 2017

What can finance do?

  1. Finance needs to shake off the false sense of security and understand the real threat level it’s facing. There’s a disconnect between finance executives’ overall view of cyber risk and their perception of the security team within their own organization.
  2. Finance also needs to take on more responsibility for the quality of its own security. Risk is not owned and controlled by the IT/cybersecurity team; it is owned by the business stakeholder, which is why The Hackett Group believes finance should take more responsibility for managing it.
  3. Finance needs to seek knowledge about cyber threats from internal or external sources and use it to educate all employees. A single email can bring down an entire company. Unauthorized wire transfers are less catastrophic, but nearly every treasurer has either experienced, or knows someone who has experienced, cyber fraud.
  4. Finance needs to develop a collaborative relationship with the IT/cybersecurity team and get them engaged in any business initiative that may have security implications, as well as any changes or upgrades to systems. It sounds ironic, but one of the areas where cybersecurity gets least involved is in software upgrades.
  5. Finally, finance, like other functions, needs to work with management to ensure that cybersecurity is funded appropriately, in line with business investment and, increasingly, to accommodate the demand created by digital transformation initiatives.

For more insight on cybersecurity, see The Evolving Role Of Security In Today’s Ever-Connected World.


About Nilly Essaides

Nilly Essaides is senior research director, Finance & EPM Advisory Practice at The Hackett Group. Nilly is a thought leader and frequent speaker and meeting facilitator at industry events, the author of multiple in-depth guides on financial planning & analysis topics, as well as monthly articles and numerous blogs. She was formerly director and practice lead of Financial Planning & Analysis at the Association for Financial Professionals, and managing director at the NeuGroup, where she co-led the company’s successful peer group business. Nilly also co-authored a book about knowledge management and how to transfer best practices with the American Productivity and Quality Center (APQC).