Interesting article here about how CFOs are getting tasked to combat cyberfraud due to the financial impact.
This article from PC World asks CFOs to consider:
– Has the company analyzed our cyberliabilities?
– What’s the potential for us to be named in class-action lawsuits after a breach?
– Are there valid reasons we’re collecting personal information?
– What is our biggest cybervulnerability?
– Do we have a documented and proactive crisis communications plan?
Internet CFOs take note…your ass will soon be on the line if the shit hits the fan.

October 30th, 2008 at 10:15 am
It’s irritating to see these directives, however well intentioned. These are the equivalent of compliance “big foot” sightings.
Compliance managers everywhere are going to receive a cut and paste of that bullet list asking “do we have this? we need this right away”…
The moment one has to explain an external vulnerability scan to a CFO, we’re off the beaten path, upside down in the ditch and on fire…
CFOs are well-intentioned but clumsy IT “cooks”. It’s not enough that the CFO role alone own something like this. The CEO should drive the CTO to the CFO’s & Chief Counsel’s satisfaction. If a CEO cannot participate in the technical aspects of his organization enough to accept the risk around her operations, but expects a CFO to do so… well… that sounds like a problem waiting to happen.
I’d love to see the SEC incorporate mandatory guidance that requires IT organizations to consider these questions as control questions that have to be present in a SOX control set for a traded company.