It was an honour to speak at the 4th Annual CFO Africa Conference alongside CFO of ESKOM South Africa, Finance Director of Unilever Kenya, CEO of Botswana Stock Exchange, Finance Director of Cadbury Nigeria amongst others. 
I spoke on “Cyber and the CFO” and in this thread I will do a summary of my major talking points.
Many people wonder if there is any correlation between the role of a CFO and a company’s cyber security processes and procedures.
Many people wonder if there is any correlation between the role of a CFO and a company’s cyber security processes and procedures.
Before digital disruption, CFOs had a clear focus on accounting and bookkeeping, treasury management, budget planning and control, tax and some aspects of strategy planning and execution. But today the boundary and technical goal post of the CFO has changed due to
advance in technology and also changes in the way of work or the way of doing business.
The following are the major talking points:
Why Cyber Security is important today
Why CFO must take a leading role in Cyber Security
How to identify cyber exposure gaps
How to mitigate cyber risk
Common types of cyber attacks
Why Cyber Security is important today
Why CFO must take a leading role in Cyber Security
How to identify cyber exposure gaps
How to mitigate cyber risk
Common types of cyber attacks
Cyber security policies and procedures
Why is cyber security important today?
A cyberattack is inevitable. It is no longer a question of “IF” but “When” and “How”
Weakness in cyber security is a significant business risk across all organisations
A cyberattack is inevitable. It is no longer a question of “IF” but “When” and “How”
Weakness in cyber security is a significant business risk across all organisations
A new organisation falls victim to ransomware attack every 14 seconds
It affects all sizes of companies – from SMEs to multinationals
Work from home has increased the possibility of cyber attack
It affects all sizes of companies – from SMEs to multinationals
Work from home has increased the possibility of cyber attack
Why should CFOs take a leading role in Cyber Security?
FINANCIAL DATA is the primary target of cyber criminals and impact of other losses will either be financial or have impact on share value
To QUANTIFY and manage risk of cyber attack
FINANCIAL DATA is the primary target of cyber criminals and impact of other losses will either be financial or have impact on share value
To QUANTIFY and manage risk of cyber attack
CFO will take a broader view of cyber security as a COMMERCIAL AND BUSINESS RISK rather than a technical issue
To fully UNDERSTAND technical assessment done by IT specialists
To BALANCE the risk against significant cost of cyber security measures
To fully UNDERSTAND technical assessment done by IT specialists
To BALANCE the risk against significant cost of cyber security measures
To COMMUNICATE accurate assessment of potential damage to relevant stakeholders like supply chain actors, shareholders, investors etc.
How to identify cyber exposure gaps
•identify the assets that require protection
•Identify relevant threats and weaknesses
•assess the level of threat posed by those accessing the organization’s systems remotely
•identify the assets that require protection
•Identify relevant threats and weaknesses
•assess the level of threat posed by those accessing the organization’s systems remotely
•determine business impacts if the threats are realized
•develop a security-risk assessment
•assess the level of risk acceptance that is appropriate to the organisation; and
•identify suitable control mechanisms to implement
•develop a security-risk assessment
•assess the level of risk acceptance that is appropriate to the organisation; and
•identify suitable control mechanisms to implement
How to mitigate cyber risk
•User education and training
•Patching and inventory
•Network and application security
•Cloud security
•Devices and data
•Remote access - Consider multi-stage authorization instead of passwords
•User education and training
•Patching and inventory
•Network and application security
•Cloud security
•Devices and data
•Remote access - Consider multi-stage authorization instead of passwords
•Manage access
•Report and test
•Penetration testing (Ethical hacking)
•Cyber Insurance
•Report and test
•Penetration testing (Ethical hacking)
•Cyber Insurance
Common types of cyber attacks
•Data Theft
•Data Manipulation
•Malware (Malicious Software)
•Ransomware (Colonial Pipeline, Kaseya)
•Business Email Compromise (BECS) – {Hushpuppi🙂}
•Web application attack
•Data Theft
•Data Manipulation
•Malware (Malicious Software)
•Ransomware (Colonial Pipeline, Kaseya)
•Business Email Compromise (BECS) – {Hushpuppi🙂}
•Web application attack
Cyber security policies and procedures
•Acceptable use: what company equipment can and cannot be used for
•Access control: who gets access to what, and when and where they can access it.
•Acceptable use: what company equipment can and cannot be used for
•Access control: who gets access to what, and when and where they can access it.
•Change management: procedures to ensure that the impact of IT software or hardware changes on security is monitored and communicated.
•Information security: the rules governing the sensitivity of data and the accountability of employees.
•Information security: the rules governing the sensitivity of data and the accountability of employees.
•Disaster recovery: how business continuity will be maintained in the event of a successful attack, or in the wake of actions being taken to respond to an attack.
•Passwords: rules covering the format and updating of passwords and their reuse.
•Passwords: rules covering the format and updating of passwords and their reuse.
•Incident response: how the company will respond to an incident and recover from it and who will take responsibility for remedial actions.
•Remote Access policy: how employees will connect to the organization's systems remotely.
•Remote Access policy: how employees will connect to the organization's systems remotely.
•Bring Your Own Device (BYOD): how employees should use, connect, and encrypt personal devices they use for company business.
•Email/communication: acceptable use of email, social media, blogs and telephone.
•Email/communication: acceptable use of email, social media, blogs and telephone.
Conclusion
Identification, mitigation of cyber risk is very important. Also important however is the preparedness and skillset required to manage a successful attack
With proper planning and precise execution, cybersecurity can become a competitive advantage
Identification, mitigation of cyber risk is very important. Also important however is the preparedness and skillset required to manage a successful attack
With proper planning and precise execution, cybersecurity can become a competitive advantage
• • •
Missing some Tweet in this thread? You can try to
force a refresh
