
How are CFOs, in collaboration with IT, mitigating risks associated with "cyber espionage" and the proliferation of mobile devices accessing sensitive corporate data? (Webinar Attendee Question)

This question was asked during the Proformative webinar "The Evolving Role of Finance Leaders: Technology Strategists."  A video of the webinar can be viewed here: https://www.proformative.com/resources/webinar-video-evolving-role-finance-leaders-technology-strategists

Answers

Tom Kelly, Managing Director, T > Edward, Inc.

There is no quick answer here. Overall risk management needs to extend beyond the financials for the CFO to include technology. I would look at some of these links that can help shape your understanding of what is being or has been done:

http://www.telos.com/news-and-events/industry-news/industry-news-archive.cfm

http://news.cnet.com/8300-5_3-0.html?keyword=cyber-espionage

http://www.dhses.ny.gov/ocs/awareness-training-events/news/2012-01.cfm

Topic Expert: Keith Perry, Consulting CFO and Business Operations Advisor, Growth Accelerator

I think in essence things have not changed much in type of problem, but more in scope. This has long been an area for collaboration between IT and Finance.

My first step remains an information audit; ITAR, HIPAA and others require it, and it is a good first step for anyone. What are the paths for information, and how is it protected? Bad is not having good policies; worse, you don't want to find out that you've been storing SSNs in an internal-rogue context because they were stolen.

Strongly communicated policies are next. If you're going to allow BYOD (and not all companies do), what restrictions will you apply? Will IT get to touch/wipe all BYODs? Are there things that shouldn't be taken home or remote-officed (the answer is "yes"). And be prepared to enforce these policies. Make it clear that just as you would fire someone for storing the company's cash in the trunk of their car because it is "convenient", so too does violating data storage policies trump utility arguments.

In parallel, a battle must be fought on what information is captured and retained. When you are deliberately capturing user-identifiable data, such as in a HIPAA context, you will probably have good ways to restrict and protect that information. However, just as the black-hats are finding new ways to steal information, your own internal people are finding new ways to capture it. That data can create risk that exceeds the value of having it. Think of data as if it were a liability itself; if it isn't generating income for you, then all it is doing is creating risk. Processes and defenses reduce risk; elimination eliminates it.

The final step is the good news: just as the black-hats have new tech and avenues to penetrate your defenses, new defenses arise. Document-level access control, centrally managed intranets and through-to-BYOD VPNs are all areas where Finance should be collaborating with IT on cost-benefit and process deployment.
