So says a new, free guide developed for CFOs wanting to have more of a hand in cyber-risk decisions.
The publication, "The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask," was developed by a task force of some 30 organizations and released Monday by The Internet Security Alliance (ISA) and standards-setting body American National Standards Institute (ANSI).
It features a set of questions financial executives should ask of various departments, such as compliance, risk assessment and insurance, legal and corporate communications.
"We think that the CFO has a critical role in this," Larry Clinton, president of the ISA, told SCMagazineUS.com on Monday. "Organizations make decisions based on their financial impact. Corporations are in the business to make money and one of the major problems that we perceive with respect to information security is that there is not enough investment being made."
Carol Baroudi, research director of security at the Aberdeen Group, said the guide will help fill a void in education around what is the real risk when it comes to cyberthreats. Targeting the CFO is critical, she said, because he or she is the one making the final call on spending.
"Security has always been a hard road because it's hard to point to the bottom line," Baroudi said. "Sometimes it's hard to understand. It's very much about not losing something. The CFO needs to understand exactly what is at risk."
John Pescatore, Gartner vice president and senior fellow, said the document offers useful guidance, but contains one significant shortfall that could turn off CFOs: It relies on a traditional way of defining risk.
Cyber-risk, Pescatore said, should instead be expressed not in typical financial risk terms but in terms of how a cyberevent might affect net earnings.
Clinton said he hopes the guide will make CFOs -- and other department heads -- more aware of the financial exposure corporations face from potential cybercrime.
"We think that if a CFO better appreciates the value of information security and better realizes the risk financially to his organization...they are apt to fund [cybersecurity] better and more appropriately," Clinton said.