CFOs should govern data security, not IT. Why? Because they hold the purse strings and are best placed to plan for risk in an era in which the next cyber-attack is a question not of "if" but of "when" and "how often".
So what is the CFO’s role today, and why should it include data security?
The CFO role is one of the few that is already accustomed to complying with regulation: complex accounting standards that take years to master, and equally demanding industry accreditations. Does it follow that data protection and data security should attach to this role? In my opinion, yes.
With complex data privacy and security regulation (the GDPR) now affecting every element of business data, a new role emerged a few years ago: the DPO (Data Protection Officer). Since the GDPR took effect in May 2018, appointing a DPO has been mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37); many other companies nominate one voluntarily or are required to by national law.
Who would be a good candidate?
Of course, I’m going to suggest the CFO.
What must a CFO become for a “fit for the future” data secure company?
The DPO role is a natural fit for the CFO because protecting data requires strict principles applied across the company's entire data estate (every system used to collect data). CRM, financial, HR, ERP and other data sets now require regulation and safeguarding under someone with ultimate responsibility; this cannot be delegated to divisional heads working in silos. Substantial fines for non-compliance with the GDPR are now in force (up to €20 million or 4% of annual global turnover, whichever is higher). One caveat: Article 38(6) allows the DPO to hold other duties only where they do not create a conflict of interest, so the arrangement must be documented and the DPO's independence in data-protection matters preserved.
At the recent Oracle OpenWorld event in London, the above was borne out by many conversations about the GDPR, in force since May 2018, and its effect on financial data. The CFO role has changed not only to that of an enabler of budgets for additional data security products and services, but also to one that must understand why they are needed.
ERP and HR systems have traditionally fallen under the CFO's remit, so many discussions turned on the emergence of a dual role for the CFO or head of finance. Couple that with the unfortunate reality of rising cybercrime, and shouldn't the DPO role sit here?
Whichever way you approach data security and potential breaches, someone must hold overall responsibility and accountability, and the CFO is a natural fit. Data security is not just an IT function, nor solely a CISO's problem to protect and police. Good governance starts from the top of any organisation and is not merely a budget line, and the CFO has a very important part to play in the current and future strategy for data security.