Cyber risk is a 21st century business reality and something that can’t be ignored. The sheer pervasiveness of these risks, matched with the evolution into far more complex attacks, means the C-Suite has to get serious about managing cybersecurity. I sat down with Steffan Tomlinson this month, CFO of Palo Alto Networks, who explains why CFOs should be at the helm of these efforts, drawing on their risk management know-how and developing additional skills through continuing education.
This interview has been edited and condensed.
Jeff Thomson: Cyber risks and business impacts of actual data breaches are greater now than ever before. Do you see CFOs and their teams building the competency necessary to play a leading role in addressing cyber risk? What should this role be?
Steffan Tomlinson: As the threat of cyberattacks and cyber risk continues to increase, I foresee CFOs across the world learning, adapting and building competency to successfully address this critical challenge. There are many creative approaches I have witnessed CFOs employ to build their competency in cybersecurity, but the one that most commonly stands out is when the CFO views cybersecurity through the lens of Enterprise Risk Management [ERM].
Cybersecurity is typically in the top five risks of a corporation and a key aspect of a CFO’s role is to help manage that risk . Viewing cyber risk through the lens of ERM enables the CFO to use a framework, process and strategy to help position the company to successfully manage the plan for cybersecurity. This approach provides a familiar environment for the CFO to get educated and bring pragmatism and a business context to the dialogue on cybersecurity.
Thomson: There is a school of thought that data breaches are going to happen anyway, so just be prepared and proactive for the aftermath including communicating with customers and shareholders. What is your view on the balance between cyber risk prevention, detection and disaster recovery/business continuity?
Tomlinson: It is important to think in a systematic, holistic way when crafting a cybersecurity strategy and there is a wide array of considerations for which you have to plan. However, the philosophical approach about where to start is extremely important as it provides the foundation on which to build the overall cyber strategy.
I don’t ascribe to the school of thought that data breaches are a fait accompli. In fact, the most successful, forward-thinking companies that I have seen to date start with a breach prevention-oriented, highly-automated and integrated approach as the foundation on which to build their cybersecurity strategy. Upon this foundation, other important capabilities like forensics, remediation, incident response, etc., fit into the overall plan, but a prevention-first mindset is the foundational element.