This is a Thought Leadership Article by PrimeGlobal firm Carr, Riggs & Ingram which looks at how CFOs can improve Cybersecurity.
The CFO is an important ally in the fight to keep information and IT assets safe and secure.
Most CFOs today understand that cybersecurity procedures are a financial concern just as much as an IT issue. Yet the person responsible for managing and mitigating enterprise risk has historically been absent from many discussions about IT security. It’s time for CFOs to take a more active role in understanding how information is secured and what can compromise that security. A good place to start is to quantify the costs.
Successful cyberattacks are costly not only in time and resources spent on damage control, but also in terms of brand value and investor confidence. And on the prevention side, big security decisions are often big budget decisions too.
So how much are companies spending on developing cybersecurity procedures? And how do those numbers compare to the cost of an attack?
“Given the risks that cybersecurity threats pose in a technology-driven, global economy, today’s CFO must ensure that adequate steps are taken to protect the company’s reputation, stock price, and mission-critical assets.” (Steve Durbin, information security expert and former Gartner executive)
An Ounce of Prevention
The numbers vary depending on who you ask. A recent Ponemon Institute survey of small- to medium-sized businesses found that companies are spending, on average, about 12% of their IT budget on cybersecurity procedures, whereas a 2016 study by Gartner reported that organizations, in general, spend about 5.6% of their IT dollars on security and risk management.
Those numbers don’t tell the whole story, of course. Companies that are already relatively well protected may not need to spend as much on cybersecurity. Conversely, companies that funnel more money into security are not necessarily spending it on the right things. And it’s difficult to define, even conceptually, the distinction between spending on security and spending on general IT.
Even so, the budget statistics provide a point of comparison for the second question: What is the cost of an attack?
How Much Is Data Security Worth?
In the Ponemon survey, 58% of respondents said their company had suffered a data breach in the last 12 months. (Remember, that’s small- to medium-sized businesses only.) The cost associated with those breaches is steep. Companies spent an average of $1.43 million due to damage or theft of IT assets, and the disruption of day-to-day operations caused by compromised data cost an average of $1.56 million per company over the same period.
What about investor confidence? One study shows that the value of a company’s stock drops an average of 5% when a data breach is disclosed to the public. And a rebound is not guaranteed, especially in companies with a poor security posture.
Again, the numbers vary depending on who you ask and when, but in the end, the only numbers that really matter are yours. It’s clear that any business, no matter the size, has real financial incentives to look carefully at its IT security budget. Too many organizations still believe they are too small to be targeted by a cyberattack. A false sense of security can be worse than no security at all.
The line between finance and IT is getting blurrier by the day. CFOs can no longer afford to think of data breaches, ransomware, and other such attacks as somebody else’s problem. Proactive CFOs who work closely with other departments will be better positioned to face the challenges of tomorrow — and today.
Understanding where the cybersecurity risks are in your organization is one of the best ways to ensure dollars are allocated where they can make the most difference. Completing an IT and cybersecurity risk assessment can show you just that. For more guidance on how best to allocate your dollars to keep your company safe, talk to the information security professionals at CRI.
Carr, Riggs & Ingram, LLC
Carr, Riggs & Ingram (CRI) is one of the top 20 largest accounting firms in the United States and the fastest growing in the top 100. CRI delivers innovative, solutions-oriented support specifically tailored to help its clients maximize their profitability and success. CRI’s traditional and specialized services are derived from the firm’s national strength and grown from its continued commitment to client service and hospitality. Our services include accounting and auditing (A&A), business consulting and support, transaction advisory services, forensic accounting, IT auditing, retirement plan auditing, SEC compliance, litigation support, business valuation, local, state, federal, and international tax planning and consulting, and trusts and estates. Additionally, CRI’s portfolio of companies delivers service organization control (SOC) reports, transaction advisory services, and wealth management.