The Cost of a Data Breach: What CFOs Should Know about Cybersecurity Risks

Historically, if you were to ask most chief financial officers (CFOs) about cybersecurity, they would respond with a quick “sorry, not my department.” However, the numbers don’t lie. A joint Centrify and Ponemon report found that on the day a breach is disclosed, the share value index drops an average of 5%.

  • Companies with a high security posture saw a decline of no more than 3%, and 120 days after the breach they had fully rebounded, trading 3% above the share price they held prior to the attack.
  • Companies with a poor security posture dropped as much as 7%, and 120 days after the breach they still had not recovered the share price they enjoyed immediately before it.

Given the massive financial impact, with the average cost of a data breach at $3.62 million in 2017, and the increasing frequency of breaches, it should no longer be acceptable for CFOs to disclaim responsibility or fall back on plausible deniability. To protect their companies, CFOs must understand their cybersecurity risks and be diligently involved in proactive strategic investments for their organizations, rather than relying on reactive measures after a breach.

Redefining Priorities

The problem originates in the structure of the C-suite itself. In most organizations there is a clear pecking order: CFO, chief information officer, chief information security officer, chief security officer, and so on, with each role communicating upward only the information that the senior executive above it strictly needs to know, filtered through that executive’s priorities. As things stand, many information technology professionals believe executives don’t take cybersecurity seriously enough, with 45% stating the C-suite fails to understand the impact a data breach can have on brand reputation. Equally worrisome, 71% of IT team members consider brand protection to be outside their own job purview.

When the CFO does address cybersecurity issues, they typically do so with general counsel in the room, which centers the conversation on business risk management rather than on a technology-oriented discussion led by IT experts. Additionally, many CFOs tend to see information security as a cost sink rather than a business enabler, even though evidence demonstrates that investing in identity management and security can save 40% in technology costs while improving employee productivity and lowering the overall risk of a breach.

Instead, CFOs need to join the cybersecurity effort, working actively alongside CISOs to understand the company’s current exposure and which strategic investments should be considered to close any gaps. A relationship built on trust between the CFO and CISO can be a pivotal turning point for security teams struggling to demonstrate their value and ROI to their companies, especially before a data breach occurs. Some of the most effective partnerships involve routine, transparent and interactive discussions of cyber exposure.

Just as CFOs must adapt their mindset toward cybersecurity risk and its evaluation, CISOs and security teams must learn to speak in business terms and present their issues in a way that those focused on financial impact and the bottom line can readily understand, without sounding alarmist.

Focus on Security Portfolio

On average, security budgets are 5% of IT spend (this varies by industry), with IT budgets typically 3-7% of company revenue. With cybersecurity spend projected to exceed $1 trillion in the next five years, is additional security investment worth it? Absolutely. Over the past two years, firms that invested more in IT security experienced 6.8 fewer breaches and saved more than $5 million.

As cloud adoption and connected devices continue to grow, it is imperative that CFOs understand where new risks lie within the current structure of their security program and how new investments help close existing gaps. This requires holding security leaders accountable for providing the company with a diversified IT security strategy that captures immediate needs as well as projects serving long-term goals. With this approach, business leaders and security teams alike can ensure their security technology portfolios are built to last and to adapt to digital change.

By re-examining priorities as well as how the company invests in its security program, CFOs and security departments can begin to sleep easy at night, knowing they are taking the best steps possible to prevent data breaches and lower the associated risks for their organizations.
