Tying Together Risk, IT, and Finance for the Sake of Data Security

Bill Chorba, CFO for NineSigma, has something of a confession to make: he spends a lot of time contemplating how to sneak data out of his company. “I think about it all the time, though I don’t tell anyone what I come up with,” he says.

It’s not that Chorba is planning a heist; it’s that he has to make sure no one else can pull one off. NineSigma is essentially an outsourced innovation factory for market leaders like Dupont, Hallmark, and Kraft Foods. Those companies need their data, and the new ideas they are buying, kept under tight wraps. But, as for most businesses facing the tough challenge of securing their data while both information and employees become more mobile, this protection is a constant work in progress.

So while Chorba has his eye on external threats and periodically hires a firm to try to hack in to find any NineSigma vulnerabilities that may exist, “we have as much concern about information leaving the building through our own people as we do about people outside the building hacking in,” he says.

To their detriment, few finance executives are paying as much attention to data security issues as Chorba, say experts. “Security is invisible and most C-level folks spend their time on visible things, so they don’t see it among their top 25 priorities until they have a data breach,” says Larry Ponemon, founder of the Ponemon Institute, a data security and privacy research organization.

That kind of thinking can hold true even when CFOs have the IT and risk functions reporting to them. Thanks to deeply ingrained ways of thinking about controls and budgeting, senior finance executives in general aren’t always seeing the full picture when it comes to data security. For one, finance professionals tend to think solely about “access governance,” or the internal guidelines over who can see what data, says Ponemon. While that focus will leave the data well-controlled from the inside, it remains vulnerable to outside threats.

Then there is finance’s fixation with ROI, which has little relevance in the world of disaster prevention. “I’ve seen a lot of organizations that aren’t doing the basic blocking and tackling [around security] because the finance department said if you can’t justify an ROI, we’re not doing it,” says Ponemon. As a result, “they stay with the status quo, which is a disaster waiting to happen.”

What CFOs Need to Change
Finance executives who make the effort to proactively collaborate with IT and their risk colleagues can prevent many disasters from happening. The proliferation of technologies that give the average employee autonomy from IT is making this collaboration between the functions ever more crucial. “With more communication across these areas, companies can get a better understanding of the potential benefits of cloud-based services, as well as potential risks,” says IDC data security analyst Phil Hochmuth.

For instance, one burning issue that is increasingly uniting the three groups: how to handle employees who use cloud-based file-sharing applications such as Dropbox or Google Drive, tools employees can download themselves onto their work-provided systems.

At one company, for example, the IT department tried to establish itself as the gatekeeper between all company data and the inexpensive cloud-based file-sharing applications that employees were demanding to help productivity. When finance employees started finding unexpected charges for Amazon server storage on corporate credit cards, however, it became clear that the rules weren’t working. “It was a wake-up call for everyone,” says Hochmuth. As a result, the CFO brokered a conversation that led IT to develop a fast-track system for cloud-based requests, to help stem rule-breaking and increase the chances that the department is aware of most, if not all, of the software employees are using.

Maneuvering Mobility
Employees’ increasing use of mobile devices for work purposes is another trend that could benefit from multidisciplinary attention. Similar to the file-sharing scenario, “bring your own device” policies are a boon from the financial angle, since they can save a company thousands of dollars a year in device purchases and maintenance. At the same time, though, “employees are taking corporate data and putting it in an untrusted environment that IT doesn’t necessarily have complete control over,” says Hochmuth.

There are various approaches to getting a better handle on these issues. One is to have the chief information security officer – or whoever is in an analogous role – report directly to the CFO rather than the CIO, says Ponemon. Another is to create a cross-functional risk committee to look at all areas of risk in the firm, and make information risk one of the topics to cover. A third, particularly at smaller companies, is to create something of a checklist to make sure all bases are covered.

At NineSigma, for example, Chorba works with outsourced risk managers, as well as outsourced IT vendors, to help him get a better handle on each of those functions. With what he learns, he conducts periodic reviews of the company’s data security status with a committee that includes the CEO, head of sales, and two other executives. For day-to-day security decisions, Chorba references a matrix to determine access levels, based on how damaging a data breach would be for either the organization or a client if some data was disseminated.

In many cases, technology solutions exist to limit problems, such as methods of securing data at the server- or database-level so employees can’t misuse it. One example: NineSigma makes its financial statements, which are not public, available to all employees but in a read-only format so they can’t share it.

Indeed, a growing number of tools to ensure smartphone and tablet security are emerging, says Hochmuth, including apps that can “containerize” corporate data on a device so that it can’t be transferred, and more basic ones like creating passwords to lock devices and using apps that allow for remote locking or deletion if a device is lost or stolen.

Companies also have plenty of room for setting up new policies in these areas, such as asking employees to agree to certain protocols if they want to use their device for work. Neither policies nor technology alone can solve these increasingly complex problems, however. “When you’re dealing with human beings, there is always some level of risk,” says Chorba. “We make it clear to employees that a lot of this is about trust – and that we won’t tolerate anything less than 100% honesty.”

Alix Stuart is a freelance business writer and editor.