- CFOs need to be responsible for cybersecurity risk management within their organisations.
- A cybersecurity strategy needs buy-in from across the business, from the CEO down.
- Educating staff about cybersecurity is vital, as they may be the unwitting cause of cyber breaches.
By Beverley Head
CFOs must take a leading role in their organisations’ cybersecurity strategies, says Lorna Raine CA, chief financial officer at George Weston Foods. And those CFOs who don’t believe cybersecurity is their problem risk a rude awakening, she warns.
“Wait until you have an incident and your whole system goes down – it’s going to be your problem. If the system goes down, we are the ones dealing with the consequences, so we have a key responsibility to make sure the controls are in place as far as possible.
“I see it as a governance role, just a non-negotiable,” she says. “No way can you say, ‘this is the problem of the CIO’. I’d be fired if I said that.”
One of Australia and New Zealand’s largest food manufacturers, George Weston Foods employs more than 6000 people across 58 sites and is a wholly owned subsidiary of Associated British Foods (ABF). The organisational structure means the IT team reports to Raine, which she says establishes a natural mandate for her cybersecurity responsibility.
“If things go wrong, people tend to look to the CFO. As custodians and managers of risk in the enterprise we can’t point the finger at anyone else.
“But this starts at the top with the CEO setting the tone and making sure it is taken seriously by the rest of the business,” says Raine.
A whole-of-organisation approach to cyber risk
Lorna Raine CA.
Taking things seriously includes expecting business units to develop and properly test contingency plans and business continuity programs.
Staff also need to be tested.
“We are finding that a lot of the weakness is in the staff. The number that click on stuff they shouldn’t and give away their passwords is scary,” says Raine.
George Weston runs workshops and training sessions for staff to make them more cyber aware, and follows that up with phishing testing to see if staff continue to click on suspicious links or attachments.
“We can actually track the degree to which people multiple offend. If Joe Bloggs in finance clicks three times on an email and gives his password,” Raine warns, there will be disciplinary consequences.
Is the cybersecurity spend worth it?
Raine says putting in place the training, testing, security monitoring and specialist software does impact costs, but it’s a cost that has to be borne. “We are having to put on more specialised resources, and invest at a faster pace,” she says.
“If you are under pressure, you may have to forgo spending on innovation in order to spend on security. There is always a challenge around budgets; we have made some cost savings in the IT budget to offset security – but this is the environment we operate in.
“If something goes wrong, it’s not an option for me to say ‘we had no money, we couldn’t do it’. It is expected that we run our businesses appropriately and work the costs out.”
What today’s CFOs need to know about cyber risk
Cyber risks are financial risks, so today’s CFOs should see working with IT on a cybersecurity strategy as part of the job.