Add to this the barrage of reports on common software vulnerabilities, sensitive data leaks and malicious software (“malware” or “ransomware”), along with the importance IT systems have in virtually all organisations today, and you may begin to despair.
Despite this bleak picture, the CFO is in fact ideally placed to monitor and manage IT risk. The discipline is little different from managing risk in other areas of the business, which CFOs should be quite familiar with. KPMG’s recent article on cyber security highlighted a number of areas boards need to consider, including that board directors need to understand and approach cyber security as a business risk issue, not just a problem for IT.
Discussions of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer, as well as specific plans associated with each approach.
Business continuity planning
CFOs are often viewed by IT managers as the holder of the purse strings, yet if the functions work more closely together there can be great benefits for both parties.
The CFO can guide the IT manager in where the greatest risks lie within the business and where to focus their attention, and can then work as the advocate within the business for necessary expenditure. In looking at alternative solutions, the IT manager can often make significant operational savings for the business.
A good place to start such a fruitful relationship is in reviewing the business continuity plans of the business. Reviewing and questioning these plans, how they work for each IT system and the business impacts in each case, will invariably lead to productive debate. This should enable risks to be clearly identified and quantified.
The areas outlined by the KPMG report provide a good structure around which to address these risks.
Many CFOs will be surprised at the level of risk mitigation which is common in even the most rudimentary IT implementation. “Redundancy” is a familiar word to all IT managers, and the simultaneous failure of several elements of a system is often allowed for.
Within these multiple-redundancy implementations, areas of risk can be difficult to identify, and are often not immediately apparent. Replication across two sites, for example, ensures the loss of one site shouldn’t excessively disrupt your IT systems. But what if a ransomware attack is replicated across both sites? Even in a replicated environment, a backup is still required to mitigate some risks.
Further, it’s important to ensure all processes within the system are being followed as documented. Manual tasks such as changing backup tapes and moving them off site will often look good on paper but may not be followed in practice. Automated systems with daily reporting will often prove more efficient and more easily verified.
In all cases, regularly testing and challenging the existing business continuity plans is essential.
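The two points above, that a replica mirrors whatever ransomware does to the live data while an independent backup can be checked against known-good state, and that an automated daily check beats a manual process, can be illustrated with a small verification routine. This is an added example, not from the article or from KPMG; the file names, timestamps and hashes are constructed, and the 24-hour maximum age is an assumed policy.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Copy:
    """A copy of the file set: either a live replica or a point-in-time backup."""
    name: str
    taken_at: datetime
    files: dict  # path -> bytes currently held in this copy


def verify(copy: Copy, manifest: dict, now: datetime,
           max_age: timedelta = timedelta(hours=24)):
    """Check one copy against known-good hashes; returns (ok, findings).

    manifest maps path -> sha256 recorded while the data was known to be good.
    Findings are the lines a daily report would raise for a human to act on.
    """
    findings = []
    age = now - copy.taken_at
    if age > max_age:  # assumed policy: a copy older than a day is stale
        findings.append(f"{copy.name}: stale, {age} old (limit {max_age})")
    for path, good_hash in manifest.items():
        data = copy.files.get(path)
        if data is None:
            findings.append(f"{copy.name}: {path} missing")
        elif sha256(data) != good_hash:
            findings.append(f"{copy.name}: {path} checksum mismatch")
    return not findings, findings


def daily_report(now=None):
    """Constructed scenario: live data replicated to a second site and also backed up."""
    now = now or datetime(2024, 1, 2, 6, 0)
    live = {"ledger.csv": b"2023-12-31,closing balance,1000\n"}
    manifest = {p: sha256(d) for p, d in live.items()}  # recorded while data was good
    backup = Copy("offline-backup", datetime(2024, 1, 1, 23, 0), dict(live))
    # Ransomware overwrites the live file; replication faithfully mirrors the damage.
    live["ledger.csv"] = b"\x00encrypted-by-ransomware\x00"
    replica = Copy("site-b-replica", now, dict(live))
    return {c.name: verify(c, manifest, now) for c in (backup, replica)}
```

Run daily, the report flags the replica as corrupt and the backup as restorable; the same check would flag a backup that a missed tape rotation had left stale.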